Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says Google Chrome Frame Makes IE Less Secure

Posted by CmdrTaco on from the less-secure-than-what-exactly dept.

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

5 of 459 comments (clear)

  1. Well they would say that wouldn't they by Chrisq · · Score: 5, Informative

    What do you expect; "This is great now our customers can access standards-compliant sites and have a faster, smoother web experience"?

  2. Re:Security issues with Google Chrome? by Anonymous Coward · · Score: 5, Informative

    Citation please.

    http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php

    http://news.cnet.com/8301-1009_3-10226578-83.html

  3. Re:Double Standards by gabebear · · Score: 5, Informative

    They not only add the .Net plugin to Firefox without asking you, they change the useragent string for Firefox... oh and the .Net plugin doesn't have a built-in uninstaller like every other plugin.

    I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

  4. Re:kettle/black by Kagetsuki · · Score: 5, Informative

    IE 5 was great, but MS making IE5 great and taking the market lead seems to have given them the idea that they could implement their own features all on their own and make everyone conform to their standards, which they are still doing now. The thing is the way Internet explorer implemented a lot of features gave a lot of things that just couldn't be easily done or done at all until HTML5 was actually adopted. The problem there is that HTML 5 took forever. Evolution of the web by its own standards committee has been gruelingly slow and the massive amount of garbage that has come out in-between and the amount of junk included in HTML 5 itself is astounding. Even if you could say some new features submitted are great there is just so much overlapping of features it's hard to tell what is the best way to do anything now. Do you write a site with canvas and hope people using IE will install chrome frame? Do you write two versions of the same site, one using "standard" HTML 5/XML Namespaces/SVG/Canvas and one using whatever Microsoft developed 5 years ago to achieve the same thing but in the Microsoft way? Speaking of SVG, the Adobe SVG plugin for IE can't read modern SVG files and the google SVG to flash translator breaks if you use any other new web technology with it (xlink for example). And don't even get me started on how terrible Flash is, it's just depressing. Java web launch? Has anybody even heard of it? How many general PC users even have the Java plug-in properly installed (I'm betting 3 year old can count that high)? The internet sucks and it sucks in two different directions: the "anything goes and we'll do whatever we want Microsoft direction" and the "we'll do everything you want but we'll fight about how to do it for 5 years, then never actually call the standard finalized so we can just arbitrarily change it and if any browser developers complain we'll just tell them they shouldn't have implemented it if it wasn't finalized" W3C/Gecko/Webkit/Opera direction.

    Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....

  5. Re:Actually MS is right. by RareButSeriousSideEf · · Score: 4, Informative

    +1.

    I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.

    Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/.

    --
    Pi Ran Out