MS Finds Security Flaw In Google Chrome Frame
Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections."
"Google has hurried out a patch," he adds.
Dude (Score:5, Funny)
MS Finds Security Flaw In Google Chrome Frame
Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.
Re: (Score:3, Insightful)
Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem [hackaday.com] with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.
Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?
Re:Dude (Score:4, Interesting)
> in much the same way that Google doesn't go looking for software bugs in Microsoft products.
You need to keep a closer eye on Microsoft bulletins, it actually happens regularly.
http://www.google.com/search?hl=en&q=site:microsoft.com+Google+intitle:"Microsoft+Security+Bulletin" [google.com]
Re: (Score:2, Funny)
To be fair, you don't really have to "look" to find bugs in MS products...
Re: (Score:2, Funny)
But then, this is /. so we love to rail on MS, Apple and even Linux anywhere we can.
There, ported it to the present ; )
Re: (Score:2, Insightful)
This violates the very definition of an Operating System, and what's worse is that MS has done absolutely nothing to address these issues despite the vast resources at their disposal.
At least they patched it (Score:5, Interesting)
Re:At least they patched it (Score:5, Informative)
Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.
I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.
Re: (Score:2)
Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.
Delayed full disclosure (Score:4, Informative)
> Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.
The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.
Re: (Score:2)
So delay the full disclosure...
Re: (Score:2)
...because nobody looking at a patch could possibly be tipped off as to what that patch does.</sarcasm>
Re: (Score:2)
They’d have to figure out what the original patched code did, not the patch. The patch would be a clue, sure, but mostly just telling you where to look.
Good point, though. I hadn’t really considered that.
Re: (Score:2)
> The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.
Delaying the patch really doesn't help against independently discovered vulns. People might be already exploiting it.
It's called WSUS (Score:2)
Re: (Score:2)
The customer is not *always* right...
Re: (Score:3, Informative)
Re: (Score:2)
In Linux they push patches all the time, but a company (like the one I work for) can still screen and test them before they roll out.
It works that way in the Windows world, as well. We have some kind of Windows Update server here that downloads all patches for all the flavors of Windows that we use. Then an administrator clicks approve for each patch and our local server pushes the updates to our Windows desktops and servers.
Re:At least they patched it (Score:5, Insightful)
Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!
Re:At least they patched it (Score:5, Insightful)
Re: (Score:3, Funny)
Binaries installed or modified outside the packaging system is a security flaw, not to mention impossible to maintain. Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.
Re:At least they patched it (Score:5, Funny)
Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when Firefox is updated. You kill them every second spent in your X session.
Re: (Score:2)
Yes, but this means any security updates or modifications that are done at system level are overridden by outdated versions in the user's home directory. You can not have both, you either have controlled and maintained security or you have ad-hoc security randomly applied by users downloading and running binaries off the internet.
Re: (Score:2)
That extra semicolon between the "do" and "killall" (and lack of spaces between the test operator and condition - unless you have a binary named [$TRUE]) is a clever way to prevent X from starting as root, but it'd be easier to just not type startx at all. Putting syntax errors in the .xinitrc seems sketchy.
Re:At least they patched it (Score:4, Informative)
Re:At least they patched it (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I'm very appreciative of the patches. It's the endless flow of dialogs that I abhor. Why can't they update it all in the background? I just want to use my browser, NOW!
Re: (Score:2)
Re: (Score:2)
I have my Firefox configured to automatically download and install updates. That's what I want. It's all the dialogs that go with that process that annoy me. I would love for FF to update itself silently without bugging me.
I fully understand that software will never be 100% safe out of the box, I just don't want all the bloody nagging dialogs!
Re: (Score:2)
Remember: the exploit always comes before the fix.
That is not true. One easy way of finding security holes to exploit is to examine what gets fixed by patches. It shines a spotlight on the security hole and puts up a sign saying "hack me!".
There are numerous examples of worms appearing after the official patch. There was the Sasser worm [wikipedia.org]:
The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.
And the Blaster worm [wikipedia.org]
The worm spread by exploiting a buffer overflow dis
Re: (Score:2)
Re: (Score:2, Informative)
I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.
I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.
Re: (Score:2)
Me, I run Adblock alone and don't bother with noscript, it's more trouble than it's worth...
Re: (Score:2)
I don't use noscript
Re: (Score:2)
> I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.
about:config, then search for "noscript.firstRunRedirection" and set it to false.
Re: (Score:2)
Re: (Score:3, Informative)
And not wait another week until it's patch-Tuesday.
How do you know exactly when the bug was first reported to Google? For all you know, they may have sat on the problem for a month.
It seems that they did batch the updates together, because this update to version 4.0.245.1 [blogspot.com] fixes 9 different issues.
Re: (Score:2)
The difference with an MS patch is more like we'd have known about it since 2007.
This is possible? (Score:3, Funny)
Awesome! (Score:3, Insightful)
So quick to point out mistakes in others' software, but so slow to fix your own.
Re: (Score:2)
Blærg. Finding vulnerabilities is a good thing. Fixing them is even better.
Microsoft just did a good thing. Google did too. The world just became a slightly better place.
If we just fixed the rest of the software bugs, ended world hunger, fixed the environment and I got together with my ex (whom I still miss even a year afterwards..I'm such a f***ing loser) the world would be kinda ok.
Smile :)
Re: (Score:2)
That's the problem, IE and Windows have historically required numerous patches, it would be nice if MS would do better to get their software fixed first. Finding flaws in someone else's software is not something I want to see when they don't really have their own house in order yet.
Re: (Score:2)
> Finding flaws in someone else's software is not something I want to see
I don't think you really believe that. Personally, I'd value the published discovery of a flaw no matter who the discoverer is.
Re: (Score:2)
So... you're saying that they should have sat on this until they'd fixed all outstanding issues in their own software?
Re: (Score:2)
It's the internet equivalent of calling Google a stinky poo face, because they drew a better dinosaur in Art class.
They were right (Score:4, Insightful)
Re: (Score:2)
The Chrome Frame was never a good idea for security. By making it opt-in for sites, like any other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.
Your common sense has no place on this board. Good day, sir.
Double whammy from Google (Score:4, Insightful)
Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.
For example, FTA: "All users should be updated automatically,"
Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.
Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.
Re: (Score:2)
Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction? And isn't that an option in synaptic? And can't you turn the "silent updates" option off in all three of those situations? And aren't these rhetorical questions?
Re: (Score:2)
> Isn't that how MS wants you to configure windows update - so that a web page can trigger an update without your interaction?
No - there is a Windows service that runs and periodically phones home to check to see if there are any updates available. It has absolutely nothing whatsoever to do with a web page.
You are probably thinking of the Windows (or Microsoft) Update website, which can't do anything automatically (you have to go there, and choose what you want to have installed), and which in any case is not
This is just a temporary inconvenience (Score:2, Funny)
Breaking news! (Score:5, Funny)
... shipped a new version ... with a patch ... (Score:2)
Case closed.
Makes you wish IE flaws were so short-lived.
there's a proverb (Score:2, Insightful)
about removing the log from your own eye before removing the mote from your neighbour's eye.
Re: (Score:2)
Not sure I've seen it phrased quite that way, but yes, there is. And it is completely inapplicable to this situation.
Re: (Score:2)
Jesus FTW.
No wonder (Score:2, Troll)
that MS cannot find bugs in their products if they spend all the time looking for vulnerabilities in competitors' products.
I wonder how much time & money (Score:2)
I wonder how much time & money they invested in finding a google bug than their own software?
My guess is more than the entire budget allowed for IE6.
This story should have been titled... (Score:5, Insightful)
Re:This story should have been titled... (Score:4, Insightful)
Wow, congrats man... changing "MS finds security flaw in Google Chrome Frame" to "Microsoft security researcher confirms advantages of open source transparency" is a spin worthy of Fox News. You might have a future in public relations. :)
Really? (Score:2, Informative)
Perhaps MS should be more concerned about their own protocols.
"Most secure Os ever;
Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)
How funny."
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html
tally 1000+ plus in windows/IE; 2 in Chrome? (Score:2)
In the long run this constant bitching will make both products stronger.
Re: (Score:2, Insightful)
Re:Expected (Score:5, Insightful)
Hardly, they helped another company secure its product. Everybody wins!
Re: (Score:3, Insightful)
Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate. You can bet that this whole situation is an embarrassment to Microsoft; it took another company to patch their software to work correctly, when they should have been able to do it themselves. Some egos were bruised in the process, and you can be damn well sure that there's a team willing to do everything they can to discredit Google's achievement.
So while I commend Microsoft on
Re:Expected (Score:4, Insightful)
> Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate.
Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.
I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, but with warnings not to use the software in production. HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.
Re: (Score:3, Insightful)
I guess part of it is css support
Re: (Score:2)
Is this a comment about CSS3 support? The standard isn't even established yet [w3.org] so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers.
I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, b
Re: (Score:2)
Really? I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?
Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards. If our brows
Re: (Score:3, Insightful)
> I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?
Google is shoehorning their own browser into their competitor's browser. This is the equivalent of Burger King selling their hamburgers inside a McDonalds restaurant. It's a very drastic move that goes too far in my opinion.
> Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards. If our browsers wait for the final standards, that will slow the development process down. Now before you come flaming back at me, I'm not saying everything should be released bleeding edge, but there has to be some place in the middle that could be effective. You have to admit, IE hasn't had a stellar record of being a progressive, or even current browser.
You're right that standards should be backed, but they're not standards until they are finalized. A standard means something that will not be changed, but if it's not finalized it could change at any minute. I don't think "being progressive" should be a priority of any web browser -
Re:Expected (Score:5, Insightful)
Web designers have, for years, been depending on functionality that isn't even on any kind of standards track, much less maturely standardized. We call it Flash(and to a lesser extent other "rich content" plugins; but mostly Flash). Web designers have, frequently, depended on it for all kinds of things, it is often considered a must-have for web browsers, and is every bit as ghastly, if not considerably more so, in implementation.
By comparison, HTML5 is positively civilized. Chrome Frame is basically just an "HTML 5 Player" plugin, whose necessity will hopefully evaporate over time. It is, certainly, a kludge; but there are presently no alternatives to that. You can either give up broad swaths of web application features entirely, and deal with the oh-so-standard world of native application development; or base your webapp features on one or more plugins(flash, java, silverlight, etc.), or you can use HTML5 stuff.
Re: (Score:2)
IE is the only browser that supports... ASP.... By design.
How can this be modded Informative?
That's like saying IE is the only browser that supports SQL Server By design. Or IIS by design.
In other words, it makes no sense.
Clearly this person has no clue as to what ASP is.
Mod Parent Up, Grandparent Down (Score:3, Informative)
Absolutely true. As a web-developer, let me clue you (the grandparent) in... ASP is a server side programming language used to create HTML based web pages on the fly. It is exactly the same kind of technology as PHP... it's on the server and, and the client has no knowledge of it. All it gets is HTML, and it doesn't care whether it was static or created by PHP or ASP on the fly.
And just to add to the chorus, I have viewed many a webpage that was generated b
Re: (Score:3, Interesting)
You do realize that ActiveX is an industry standard, supported by the Open Group (you know, the same people that standardized X Windows).
http://www.opengroup.org/pubs/catalog/ax01.htm [opengroup.org]
Re: (Score:2)
> Is this a comment about HTML5 support?
The 80 percent of Acid3 that Internet Explorer 8 fails can't be all HTML5. For example, where is SVG in IE8?
Re: (Score:2)
HTML 5 not a standard yet .... Like HTML 4 was not a standard until 2000, but supported in every browser well before this, including IE (with IE only extensions)
And IE *still* does not fully support ISO HTML (HTML 4.01) Nine years later .....
Re: (Score:2)
Neither does Mozilla/Firefox. In fact, they never will, because the Mozilla developers have chosen to not implement full support for col and colgroup [mozilla.org] by not supporting certain attributes on them, such as align.
Re: (Score:2)
No, it's a comment on how (historically) awful IE has been with respects to security. HTML5 is just icing on the cake. If MS wants to reverse this trend they're going to have to put some serious effort into it – one decent browser, if we're going to call IE8 that, isn't enough to overlook the trend.
Re: (Score:2)
What does Chrome Frame have to do with security?
Did you miss the whole story about how MS claimed that Chrome Frame doubled the potential for exploitation in IE?
If so, surely you can't possibly have missed the story about how MS has found a security exploit in Chrome Frame... erm, did you RTFheadline?
Re: (Score:2)
> Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.
No, that's not right. Parent post is rife with disinformation.
The HTML5 standard will be in development for years and will be influenced by real world feedback. This is a change in strategy that is leading to a more robust standard. Quoting from the WHATWG FAQ [whatwg.org]
It is estimated, again by the editor, that HTML5 will reach a W3C recommendation in the year 2022 or later. This will be approximately 18-20 years of development, since beginning in mid-2004. That's actually not that crazy, though. Work on HTML4 s
Re: (Score:2)
If they can find a bug so quickly, what's their excuse for having their other products so buggy?
That's an easy question. All their security guys are looking for bugs in other companies' products.
Re: (Score:2)
Re:Expected (Score:4, Insightful)
And Google doesn't have to pay them a cent. :)
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
Heh. If so, it's a good reason to use Google Chrome Frame. A program that has an active bug-finding team is more trustworthy than one where bugs and security holes are hushed up.
However, I don't think Microsoft would set out to help their competitor in this way.
Re: (Score:2)
Re:Expected (Score:5, Informative)
Re: (Score:3, Funny)
Re: (Score:2)
Re:Expected (Score:5, Insightful)
Good thing too. If competitors spent more time actively looking for bugs in each others' software instead of paying their marketroids to spread FUD, everyone would be better off.
Re:Expected (Score:5, Insightful)
> I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.
In that case, why didn't Microsoft loudly announce it to the world and shame Google?
Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.
And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.
Re: (Score:2)
Re: (Score:2)
What does this mean to us? (Score:2)
More likely, someone at a management meeting said "What does this mean to us?" and no one had an answer, so someone with that responsibility said "I'll form a team to go look at it." He got together with his highly paid coworkers over a 3 hour power lunch with martinis and found someone who wouldn't blink during the "I don't have funding or responsibility in this area" game, and assigned the investigation to them.
This person asked his team to conduct a technical review of the implementation, and in the pro
Re:Expected (Score:5, Insightful)
You had me right up until "just to discredit them".
Microsoft clearly was concerned that Frame would add to the possible attack vectors into IE. They've certainly said as much. And that is a valid concern, frankly. Due to that concern, they had their research team test for security vulnerabilities in Frame, obviously with particular focus on ones that could compromise a Windows system.
And, whaddya know, they found one.
Now, if they were trying to discredit Google, the first place they'd go is (MS)NBC and put out headlines "Google Chrome Frame Has a security breach! Look at those losers!"
Instead, we see an announcement from Google that they have a patch for the defect, and acknowledging Microsoft as having found the bug and reported it to them.
Sounds to me like Microsoft was acting out of enlightened self-interest, and is demonstrating good team-playing skills by telling Google about it in enough detail for Google to come out with a fast fix.
Kudos to Microsoft for extending their security research beyond their own software and to external sources they might consider a threat. Further kudos to Microsoft for reporting the issue to Google with enough detail to make a fix possible, without exposing it to the black hats so this never became a zero-day attack.
Kudos to Google for getting a fix out there quickly. Further kudos to Google for having the respect to acknowledge Microsoft's contribution.
I'd say this is a perfect example of vendors being good players in the security arena, and respectful competitors.
Shut up? (Score:5, Insightful)
Re:Shut up? (Score:5, Interesting)
Yeah. For once, this case was conducted in a civilized manner, much to my own surprise. Yes, I admit I am surprised, because I expected a slightly different modus operandi from a company like Microsoft, with an uber-competitive, testosterone-saturated corporate culture. This, for me, more than any other, is a proof that Microsoft is changing.
Re: (Score:2)
And this story once again proves that MS could improve its public image instantly with one simple statement. SILENCE. MS, really, hire a lawyer as your public relations advisor. A good lawyer who always tells his clients to "SHUT THE FUCK UP".
I had just about forgotten about all the bugs in MS software... and this made me remember the entire long list of highly exploitable bugs unpatched for months or even years. Great job.
Of course, if you read TFA, you'd see that it was Google who credited Microsoft with finding the issue. I saw nothing that indicates MS publicized or announced the issue in any way.
Re: (Score:2)
Not a good day for google...first an OS that can only run web apps...completely rejected by the community...& now this...
Didn't Apple say exactly the same thing about the iPhone when it first came out? Look where that platform is now. An active app development platform, and even a vibrant jailbreak community, for those who feel Apple is too restrictive.