
Microsoft Says Google Chrome Frame Makes IE Less Secure 459

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

  • Textbook FUD (Score:5, Interesting)

    by Lemming Mark ( 849014 ) on Thursday September 24, 2009 @09:09AM (#29527639) Homepage

    "Given the security issues with plugins in general and Google Chrome in particular"

    O RLY?

    I'm happy to believe that IE8 actually has a good security model. I'm happy to believe that Chrome is not without flaws. But, really, Google have gone through fairly considerable pain and implemented quite strict sandboxing techniques for Chrome, to contain any problems in the renderer. It's pretty solid. Maybe it's better than IE8, maybe not. But just hand waving and going "Oh yes, *especially* Chrome" as if it's common knowledge that it's insecure is simply FUD.

    The point about increasing the attack surface area seems more valid, perhaps, though it really depends on how this plugin works. If there are really twice as many places available at once then yes, that is a worry. If you'd have to get through Chrome's security and then through IE8's security, that actually sounds quite good. Possibly the biggest security worry I see is in encouraging users to think that installing a large, scary plugin that basically replaces the guts of their browser is a normal occurrence that will make their internet experience better.

  • by ShadowRangerRIT ( 1301549 ) on Thursday September 24, 2009 @09:18AM (#29527739)

    Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their JavaScript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.

    Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.

  • Thanks Microsoft... (Score:5, Interesting)

    by MickyTheIdiot ( 1032226 ) on Thursday September 24, 2009 @09:30AM (#29527871) Homepage Journal

    I heard about this but I wasn't going to install it yet. I don't use a lot of I.E. stuff, but what I do is JavaScript intensive, so now that I know that you don't like it at Microsoft I have now installed it. Thanks for the heads up... since you don't like it there must be a reason to give it a look.

  • Re:Friends? (Score:5, Interesting)

    by Enderandrew ( 866215 ) <enderandrew&gmail,com> on Thursday September 24, 2009 @10:02AM (#29528239) Homepage Journal

    I read a fantastic interview with one of the lead IE developers as they were prepping the launch of IE 7. He said his daughter came home from school one day and asked him if he was responsible for breaking the web.

    In the interview, he seemed to imply the current IE team feels guilty and responsible for previous versions being so poor in standards compliance, and that the new developers were pushing to make IE more compliant in the future.

    Technically, they have succeeded. IE 7 and 8 are more compliant. They still however are not very compliant on the whole.

    So yes, they have families. And even their beloved daughters call them out for IE's problems.

  • Re:kettle/black (Score:3, Interesting)

    by Deathlizard ( 115856 ) on Thursday September 24, 2009 @10:28AM (#29528565) Homepage Journal

    Somebody PLEASE make AdBlock Plus for Chrome and IE please!

    IE8 has it built in with InPrivate filtering. You can also import lists to filter URLs similar to AdBlockPlus. Although it's not as conveniently automatic or as seamless, it works pretty well.

    There's a good amount of info in this thread at DSLReports.
    http://www.dslreports.com/forum/r22124619-IE8-InPrivate-filter-from-adblock-plus-list

  • by Anonymous Coward on Thursday September 24, 2009 @10:53AM (#29528893)

    While I may disagree that it's a problem, with your citations we can talk about facts. Thanks.

    The first security flaw was from September 2008, and involved social engineering. From the looks of it, the Chrome guys were so familiar with the Chrome interface that they probably didn't consider that anyone could be tricked into downloading an app with that technique. The fact that Apple had already tested with a "more diverse" user set is unsurprising.

    The second technique:

    "If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running."

    I don't really blame them for missing this since they probably don't use IE. And I must say I would have been tempted to classify this as an IE bug.

    If the examples you provided are typical for the Chrome security flaws I think it's time to deploy it to my friends and family.

  • Re:kettle/black (Score:3, Interesting)

    by poetmatt ( 793785 ) on Thursday September 24, 2009 @11:35AM (#29529397) Journal

    Of course it would. But people have been asking for that since *IE 6* and/or earlier, I kid you not. If they allowed extensions people could do things such as: patch vulnerabilities themselves, allow things such as noscript, enable standards compliance. We're not talking about in modified versions of IE, it should be in the standard IE8 for the average non-techie user.

    You know, all the stuff that we've been asking for to be provided in Internet Explorer for years. I don't suspect that to ever happen, since they intend to stick with ActiveX.

  • Re:kettle/black (Score:5, Interesting)

    by the_B0fh ( 208483 ) on Thursday September 24, 2009 @12:24PM (#29530053) Homepage

    Gee, and it really helps your case when the Microsoft rep on the HTML5 was one of the key people delaying the standard, isn't it?

  • by pyrbrand ( 939860 ) on Thursday September 24, 2009 @12:46PM (#29530325)
    Besides the obvious (you have all the surface area of Chrome and IE together in the browser), there are a lot of questions I have about whether and how it respects IE's security settings, privacy settings, site filtering settings, no-script settings, script debugger settings and on and on. People can joke about how early versions of IE had huge security issues, but all the mitigations and fine-grained control over what a page can and cannot do, as well as group policies put in place for sys-admins at corporations trying to protect their intranets, are important. Maybe Chrome Frame plays nice with these, maybe it doesn't. My guess is that it doesn't handle every one of them with grace. (Disclaimer: I work at MS, but am not on the IE team.)
  • Re:kettle/black (Score:2, Interesting)

    by thejynxed ( 831517 ) on Thursday September 24, 2009 @01:06PM (#29530533)

    There is an extension for IE that might fit what you are looking for:
    http://adblockie.codeplex.com/

    It also has the benefit of being Open Sauce for you guys who like to tinker with code.

    There will never be an AdBlock or AdBlock+ for IE from the original authors. Those extensions rely on XUL and JavaScript to make Firefox do what they want. Extensions for IE have to be programmed in a language like C++ and compiled into a binary blob, and can only use pre-defined hooks into the browser.

  • by Rockoon ( 1252108 ) on Thursday September 24, 2009 @02:30PM (#29531559)
    Dear jellomizer,

    This is essentially the same thing as an ActiveX component, with the exception that it doesn't use the COM+OLE framework to "plug in." This exception isn't very meaningful. The fact is that in both cases you are downloading a binary which then gets conditionally executed based on commands given in an HTML document.

    My beef with Google here is that it looks like they are poised to lock in their own lack of standards compliance on us all (no rendering engine is 100% standards compliant, they all do some things slightly differently). Once this plugin gets installed on IE users' machines, they have anchored us all to whatever rendering bugs that plugin has through market share. Will Mozilla or Opera dare to improve their rendering engines to be more compliant if they then render differently to both webkit AND IE+webkit?

    This is an end-run around free market competition. Instead of letting IE die on its lack of merit, they are screwing over Firefox and Opera, making them play follow-the-leader when that lead isn't based solely on merit.

    I for one will be quite surprised if Opera is supported at all in the next wave (pun intended) of Google apps, even though there is plenty of stuff Opera does right that none of the other browsers do (yes, there's stuff it does wrong too where webkit does it right).
  • Re:kettle/black (Score:2, Interesting)

    by Man On Pink Corner ( 1089867 ) on Thursday September 24, 2009 @03:21PM (#29532137)

    I'm about this close to ditching Firefox. Performance and stability issues are going unaddressed while they work on crap like Office-style ribbon UIs?

    IE7 was a pile of crap but IE8 isn't that bad, frankly. If the Mozilla people don't get their shit together, and soon, their market share is likely to shift back towards IE just as surely as Netscape's did.

    (And no, I wouldn't feel this strongly about it if I didn't really like Firefox and want to see it succeed.)

  • Re:kettle/black (Score:4, Interesting)

    by gig ( 78408 ) on Thursday September 24, 2009 @11:20PM (#29536423)

    IE8 is terrible. It is 2x slower than every other browser and it has no HTML5 features. It's only good when compared to IE6 from 2001. Also, IE8 is over 25 megabytes and runs only on Wintel. For comparison, WebKit is 5 megabytes and runs on Windows, Mac, Linux and on x32, x64, PowerPC, and ARM.

    There is just no excuse for the low quality of Internet Explorer. Microsoft has been at this longer than any other browser maker. Safari is from early 2003, Firefox from late 2004, Chrome from 2008, but IE is from 1995. That is a dramatic head start and yet IE8 is way, way behind the other browsers.
