Slashdot Mirror
Microsoft Says Google Chrome Frame Makes IE Less Secure
Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
Dear Microsoft:
Citation please. Evidence. Facts. Or retract.
'k thanks,
Google
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
. . . which is why one should run Firefox, konqueror, Mozilla, or Opera on Linux, Solaris, or BSD instead.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?
XML is like violence. If it doesn't solve the problem, use more.
Of course it doubles the attack rate of malicious scripts... It makes Javascript run twice as fast.
In other news, Microsoft has said that Moores Law is a security risk, because viruses can install themselves twice as fast every 18 months.
You just made one of the most important arguments against Silverlight official.
So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.
You're not just adding the security of Chrome and IE, you're adding their insecurity as well.
Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't...
Also, IE7 and 8 (on Vista and Windows 7) has a bunch of really impressive security features, albeit they're still behind in standards. And "accelerators" are extremely useful.
That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please! )
... we should ban flash, acrobat reader, quicktime, and dozens of other plugins that all have regularly reported vulnerabilities.
".... has doubled the attack area for malware and malicious scripts."
Can't the same thing be said about the Flash Player Plugin?
Because people still using IE6 are really worried about their browser security...
I'm happy to believe that IE8 actually has a good security model.
And I thought that included sandboxing plugins? How can any plugin be a serious security threat with MS went through such pains to make IE bulletproof?
Dewey, what part of this looks like authorities should be involved?
Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.
Great, that happened *ten* years ago. What has happened since? They've been chasing the Fox for past *five* years.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
Dimitri martin's standup doesn't transfer well to text ;)
"Microsoft pretends IE could possibly be made less secure by changing anything about it."
..is scared.
So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?
FAQs are evil.
"Microsoft releases new critical IE patch that accidentally disables the Chrome Frame"
I thought plug-ins/add-ons ran as part of the host browsers CPU process, and thus if IE is sandboxed wouldn't Chrome also be sandboxed?
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
applying the same crazy MS thoughts, then Silverlight make IE less secure
Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!
#DeleteChrome
By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.
In Soviet Russia, Trojan exploits YOU!
Microsoft Says Google Chrome Frame Makes IE Less Secure
Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:
Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.
as an argument to prove their point (???), but really, this is Googles way of taking over the MS userbase as explained here, and MS knows it. If Google wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google wave by using scorched earth policy.
I am the lawn!
Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't....
Yes I do, it was crap even then, compare its CSS support to Mozilla 5 (Netscape 6):
http://www.richinstyle.com/bugs/table.html
IE has always been a pain, it was just less bad than Netscape 4 for a while.
you're one of the rarest groups of all the fish in the pond, so to speak, per-se.
Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.
Which browser is more capable in some abstract sence matters little, what is important is what browser does what I want it to do ( for lazy site developers that means let me use the most features while having everyone able to view the site, for users it means which browser works with most of the web, and is integrated into my desktop OS as well making it fast to load ) And since people's machines were smaller back then most people just didn't have the ram to waste on having two browsers preloaded into ram all the time so they would both load fast IE did much of the work of the windows gui which actually makes sense. ) For that advantage, the browsing capabilities of IE could be quite inferior before using another browser on windows was justifiable. Many of us (like me) did it anyway, but most didn't have a stake in the browser wars, or understand that the only reason IE worked at all was that there was an alternative. A monopoly will always produce a steaming pile of crap because monopolies are allowed to. Monopolies always underproduce and overcharge. Competition means quality is necessary, and that it won't cost too much. Of course Microsoft is capable of producing good stuff, but not if it doesn't have to.
Spending what could be shareholder profits on quality requires justification by the threat of losing customers.
And where are these supposed vulnerabilities, anyway? If Microsoft wanted IE to be secure they'd abandon hActive-X and drop j-script in favor of javascript.
I don't know why anyone but the ignorant would run IE. It (and all of Microsoft's offerings) have always been less secure than just about everyone else's.
Free Martian Whores!
Also a matter of opinion. IE5 had some nifty features, but was pretty far along in the second phase of Microsoft's standard "Embrace, Extend, Extinguish" strategy: it broke with established web standards in a major way. Because it was delivered with Windows, companies used it. They therefore built Intranet sites that didn't work with Netscape. The next step was extinguish, which worked pretty well until Firefox came along. So, yes, IE5 was nifty. And anyone who cared about the future of the Internet at the time rightly detested it.
Enjoy life! This is not a dress rehearsal.
You can't add security, you can only add insecurity. A system is as secure as the weakest point of entry.
That having been said, all plug-ins reduce security, including Flash and Silverlight, this is no different.
They make a valid point. IE has holes. Chrome has holes. IE with a Chrome plugin can be exploited by both vectors. There should be no debate over the fact that IE+Chrome is less secure than IE without Chrome. That is distracting from the real question, however, which is whether IE without Chrome is less secure than Chrome without IE.
I am TheRaven on Soylent News
Google is not in the business of providing searches. Google is in the business of selling ads. It just happens that having the best search gives you more eyeballs on your ads. They leverage that advantage to gain share in other markets. It does sound like another company I've heard about.
But you're on target here, this is obviously not comfortable for Microsoft. Five years ago they wouldn't have even bothered to issue a response. This is the kind of press release that is pure fear.
Someone has made a plug-in for your browser that makes it 8X faster.
It's something I said a long long long time ago. What can kill Microsoft? Something free.
lol @ your ignorance. Yes, they do. Check the bug reports.
Dunno about you, but if I thought I was unhappy, I'd be pretty certain it was true.
Server-side language choice isn't at all a browser issue. Also, Mr. AC, other than microsoft's own PR, can you cite any security problems here? Sure, they're introducing a new rendering engine that will undoubtedly have its own security problems, but they don't combine with IE's rendering engine's problem since only one of them is being used at a time.
Actually... no.
1 - IE's renderer has holes.
2 - Chrome's renderer has (I believe) fewer holes (because it is not as tied to the OS).
3 - Only 1 renderer will be used to render a malicious page.
If 2 and 3 are true, then it follows that when Chrome's renderer is used, the browser is actually more secure.
Of course this is highly dependent upon the level of communication between the browser and the renderer. I suspect that it is very minimal ( button clicks, bookmarks, etc.) as tight integration would be unnecessary, costly, and more difficult to maintain.
I think I will take the stance that using the chrome renderer on the IE browser will make a more secure online experience... and I will tell people such until someone can convince me that I am wrong. Microsoft's argument is like saying that Windows and McAfee AntiVirus make a system less secure than Windows by itself because McAffee increases the attack area, which it technically does.
Sometimes the best solution is to stop wasting time looking for an easy solution.