
MS Finds Security Flaw In Google Chrome Frame

Posted by timothy
from the they're-the-experts dept.
Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

  • Dude (Score:5, Funny)

    by Anonymous Coward on Friday November 20, 2009 @06:43AM (#30169532)

    MS Finds Security Flaw In Google Chrome Frame

    Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.

  • by santax (1541065) on Friday November 20, 2009 @06:45AM (#30169540)
    And not wait another week until it's patch-Tuesday.
    • by Tim C (15259) on Friday November 20, 2009 @06:48AM (#30169560)

      Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.

      I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

      • by QuoteMstr (55051)

        Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.

        • by tepples (727027) <{tepples} {at} {gmail.com}> on Friday November 20, 2009 @09:16AM (#30170128) Homepage Journal

          Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.

          The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.

          • So delay the full disclosure...

            • by mea37 (1201159)

              ...because nobody looking at a patch could possibly be tipped off as to what that patch does.</sarcasm>

              • They’d have to figure out what the original patched code did, not the patch. The patch would be a clue, sure, but mostly just telling you where to look.

                Good point, though. I hadn’t really considered that.

          • The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.

            Delaying the patch really doesn't help against independently discovered vulns. People might be already exploiting it.

      • You can tell WSUS to queue up and wait for approval before rolling any patches out -- the rest of us can get our patches when they're ready.
      • by naasking (94116)

        I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

        The customer is not *always* right...

    • by heffrey (229704) on Friday November 20, 2009 @07:18AM (#30169698)

      Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!

      • by santax (1541065) on Friday November 20, 2009 @07:23AM (#30169714)
        That is a small price to pay for an updated browser that is secure against attacks that already are in the wild. Remember: the exploit always comes before the fix.
        • Re: (Score:3, Funny)

          by Carewolf (581105)

          Binaries installed or modified outside the packaging system is a security flaw, not to mention impossible to maintain. Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

          • by tokul (682258) on Friday November 20, 2009 @08:23AM (#30169900)

            Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

            Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when Firefox is updated. You kill them every second spent in your X session.

            • by Carewolf (581105)

              Not on your Linux installation, but in your own home directory.

              Yes, but this means any security updates or modifications that are done on system level are overridden by outdated versions in the user's home directory. You cannot have both, you either have controlled and maintained security or you have ad-hoc security randomly applied by users downloading and running binaries off the internet.

        • by Nerdfest (867930) on Friday November 20, 2009 @07:53AM (#30169806)
          The exploit usually comes before the fix, but not always. Firefox frequently deploys fixes for security holes they've found themselves where not even a 'proof of concept' exists. Many other applications are the same.
          • by santax (1541065) on Friday November 20, 2009 @08:47AM (#30170000)
            I know where you're going here. But smart criminals don't publish proof of concepts. They just exploit and hope no-one will find the same exploit so it won't be fixed. Therefore I still stand behind my golden rule of security: the exploit comes before the patch. Although I suppose I can alter it a bit. The hole is there before the fix.
        • by Rockoon (1252108)
          Yes this "small price to pay" works very well in an environment where everything must be *certified* before being deployed... oh wait... no, it doesn't. It's all fun and games until half of your employees can't perform their work because some dipshit deployed before testing.
        • by heffrey (229704)

          I'm very appreciative of the patches. It's the endless flow of dialogs that I abhor. Why can't they update it all in the background? I just want to use my browser, NOW!

          • by santax (1541065)
            Then maybe you should have a look at this: http://support.mozilla.com/en-US/kb/Updating+Firefox [mozilla.com] Although you probably also check the fuel and oil-level of your car and tire-pressure, just so you know you can have a safe ride. It's just standard maintenance and it is (unfortunately) needed. Hopefully there will come a time when all software is 100% safe out of the box. For now that is a utopia.
            • by heffrey (229704)

              I have my Firefox configured to automatically download and install updates. That's what I want. It's all the dialogs that go with that process that annoy me. I would love for FF to update itself silently without bugging me.

              I fully understand that software will never be 100% safe out of the box, I just don't want all the bloody nagging dialogs!

        • Remember: the exploit always comes before the fix.

          That is not true. One easy way of finding security holes to exploit is to examine what gets fixed by patches. It shines a spotlight on the security hole and puts up a sign saying "hack me!".

          There are numerous examples of worms appearing after the official patch. There was the Sasser worm [wikipedia.org]:

          The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.

          And the Blaster worm [wikipedia.org]

          The worm spread by exploiting a buffer overflow dis

          • by santax (1541065)
            You do realize that the ones patching those holes first had to confirm they existed? Sure, I agree with you when you say, some people write an exploit based on a patch. But that doesn't invalidate my comment.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.

        I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.

        • by jonwil (467024)

          Me, I run Adblock alone and don't bother with noscript, it's more trouble than it's worth...

        • by heffrey (229704)

          I don't use noscript

        • I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.
          I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.


          about:config, then search for "noscript.firstRunRedirection" and set it to false.
      • by klui (457783)
        This means you need to run as administrator. My installs for my parents call for them being just Users and their installations don't get patched until I visit. Not an issue as I live relatively close by.
    • Re: (Score:3, Informative)

      by Gadget_Guy (627405)

      And not wait another week until it's patch-Tuesday.

      How do you know exactly when the bug was first reported to Google? For all you know, they may have sat on the problem for a month.

      It seems that they did batch the updates together, because this update to version 4.0.245.1 [blogspot.com] fixes 9 different issues.

  • by TheDarkMaster (1292526) on Friday November 20, 2009 @06:53AM (#30169588)
    Internet Explorer less secure? This is really possible?
  • Awesome! (Score:3, Insightful)

    by L4t3r4lu5 (1216702) on Friday November 20, 2009 @07:07AM (#30169658)
    Now, can you please fix the sanitiser in the IE8 output encoding? [theregister.co.uk]

    So quick to point out mistakes in others' software, but so slow to fix your own.
    • by hyfe (641811)

      Blærg. Finding vulnerabilities is a good thing. Fixing them is even better.

      Microsoft just did a good thing. Google did too. The world just became a slightly better place.

      If we just fixed the rest of the software bugs, ended world hunger, fixed the environment and I got together with my ex (whom I still miss even a year afterwards..I'm such a f***ing loser) the world would be kinda ok.

      Smile :)

    • That's the problem, IE and Windows have historically required numerous patches, it would be nice if MS would do better to get their software fixed first. Finding flaws in someone else's software is not something I want to see when they don't really have their own house in order yet.

      • Finding flaws in someone else's software is not something I want to see

        I don't think you really believe that. Personally, I'd value the published discovery of a flaw no matter who the discoverer is.

    • by Tim C (15259)

      So... you're saying that they should have sat on this until they'd fixed all outstanding issues in their own software?

      • I'm saying they should have been concentrating on their own software in the first place, not being spiteful children and "getting them back" for showing up their rendering engine.

        It's the internet equivalent of calling Google a stinky poo face, because they drew a better dinosaur in Art class.
  • They were right (Score:4, Insightful)

    by TheRaven64 (641858) on Friday November 20, 2009 @07:55AM (#30169822) Journal
    The Chrome Frame was never a good idea for security. By making it opt-in for sites, like any other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.
    • The Chrome Frame was never a good idea for security. By making it opt-in for sites, like any other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.

      Your common sense has no place on this board. Good day, sir.

  • by argent (18001) <peter@slashdot.2 ... com minus physic> on Friday November 20, 2009 @08:24AM (#30169906) Homepage Journal

    Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.

    For example, FTA: "All users should be updated automatically,"

    Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.

    Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.

    • Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction? And isn't that an option in synaptic? And can't you turn the "silent updates" option off in all three of those situations? And aren't these rhetorical questions?

      • by Tim C (15259)

        Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction?

        No - there is a Windows service that runs and periodically phones home to check to see if there are any updates available. It has absolutely nothing whatsoever to do with a web page.

        You are probably thinking of the Windows (or Microsoft) Update website, which can't do anything automatically (you have to go there, and choose what you want to have installed), and which in any case is not

  • Once we end all of this open standards silliness, and get you to do your internet business with safe, secure ActiveX and .Net, security woes will be a thing of the past!
  • by davidbrit2 (775091) on Friday November 20, 2009 @08:29AM (#30169926) Homepage
    We have early word that the security vulnerability goes by the name "Internet Explorer". Details are thin at this time, but we'll have more as the story develops. Janet, back to you in the studio.
  • The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

    Case closed.

    Makes you wish IE flaws were so short-lived.
  • there's a proverb (Score:2, Insightful)

    by rossdee (243626)

    about removing the log from your own eye before removing the mote from your neighbour's eye.

  • No wonder (Score:2, Troll)

    by Exitar (809068)

    that MS cannot find bugs in their products if they spend all the time looking for vulnerabilities in competitors' products.

  • I wonder how much time & money they invested in finding a google bug than their own software?
    My guess is more than the entire budget allowed for IE6.

  • by Dammital (220641) on Friday November 20, 2009 @10:30AM (#30170766)
    ... Microsoft security researcher confirms advantages of open source transparency
  • Really? (Score:2, Informative)

    by celt63 (267626)

    Perhaps MS should be more concerned about their own protocols.

    "Most secure Os ever;
    Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)
    How funny."

    http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

  • I'm sure more in Chrome will appear in upcoming months. But MS is hardly blameless in criticising another company's security.

    In the long run this constant bitching will make both products stronger.
