Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says Google Chrome Frame Makes IE Less Secure

Posted by CmdrTaco on from the less-secure-than-what-exactly dept.

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

24 of 459 comments (clear)

  1. Security issues with Google Chrome? by commodore64_love · · Score: 4, Insightful

    Dear Microsoft:

    Citation please. Evidence. Facts. Or retract.

    'k thanks,

    Google

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Security issues with Google Chrome? by selven · · Score: 5, Insightful

      Google has a horrible history with security?

    2. Re:Security issues with Google Chrome? by beelsebob · · Score: 4, Insightful

      Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.

      So yes, microsoft is right, but rather missing the point... If you're using a chrome frame, you're probably not using IE frames, which means that you're as secure as WebKit's security flaws.

      Why you'd do that rather than just using chrome I have no idea though.

    3. Re:Security issues with Google Chrome? by SanityInAnarchy · · Score: 4, Insightful

      Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

      Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.

      It can be as simple as using https://mail.google.com/

      --
      Don't thank God, thank a doctor!
    4. Re:Security issues with Google Chrome? by Anonymous Coward · · Score: 3, Insightful

      Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).

      Your premise is wrong, hence your argument is wrong. All those goof-ups were not with the gmail you use, or the google docs you use. They were with contractual installations in colleges, etc. It's really like saying "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"

    5. Re:Security issues with Google Chrome? by vitaflo · · Score: 5, Insightful

      Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.

      It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.

  2. I agree by kimvette · · Score: 4, Insightful

    This is not a risk we would recommend our friends and families take.""

    . . . which is why one should run Firefox, konqueror, Mozilla, or Opera on Linux, Solaris, or BSD instead.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  3. Re:kettle/black by ta+bu+shi+da+yu · · Score: 5, Insightful

    I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?

    --
    XML is like violence. If it doesn't solve the problem, use more.
  4. Of course by PhasmatisApparatus · · Score: 5, Insightful

    Of course it doubles the attack rate of malicious scripts... It makes Javascript run twice as fast.

    In other news, Microsoft has said that Moores Law is a security risk, because viruses can install themselves twice as fast every 18 months.

  5. Thanks by Anonymous Coward · · Score: 5, Insightful

    You just made one of the most important arguments against Silverlight official.

  6. Double Standards by Anonymous Coward · · Score: 5, Insightful

    So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.

  7. Re:kettle/black by Anonymous Coward · · Score: 3, Insightful

    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't...

    Also, IE7 and 8 (on Vista and Windows 7) has a bunch of really impressive security features, albeit they're still behind in standards. And "accelerators" are extremely useful.

    That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please! )

  8. Re:Textbook FUD by Just+Some+Guy · · Score: 4, Insightful

    I'm happy to believe that IE8 actually has a good security model.

    And I thought that included sandboxing plugins? How can any plugin be a serious security threat with MS went through such pains to make IE bulletproof?

    --
    Dewey, what part of this looks like authorities should be involved?
  9. Re:kettle/black by Chabil+Ha' · · Score: 5, Insightful

    Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.

    Great, that happened *ten* years ago. What has happened since? They've been chasing the Fox for past *five* years.

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
  10. Re:Well they would say that wouldn't they by MadKeithV · · Score: 5, Insightful

    "Microsoft pretends IE could possibly be made less secure by changing anything about it."

  11. Sounds to me that Microsoft... by dgun · · Score: 5, Insightful

    ..is scared.

    So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?

    --
    FAQs are evil.
  12. Re:Well yes by Captain+Hook · · Score: 4, Insightful

    I thought plug-ins/add-ons ran as part of the host browsers CPU process, and thus if IE is sandboxed wouldn't Chrome also be sandboxed?

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
  13. Friends and family by 93+Escort+Wagon · · Score: 3, Insightful

    Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!

    --
    #DeleteChrome
  14. Actually MS is right. by Deathlizard · · Score: 5, Insightful

    By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.

    --
    In Soviet Russia, Trojan exploits YOU!
  15. Re:kettle/black by noundi · · Score: 4, Insightful

    Microsoft Says Google Chrome Frame Makes IE Less Secure

    Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:

    Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.

    as an argument to prove their point (???), but really, this is Googles way of taking over the MS userbase as explained here, and MS knows it. If Google wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google wave by using scorched earth policy.

    --
    I am the lawn!
  16. Re:kettle/black by poetmatt · · Score: 4, Insightful

    you're one of the rarest groups of all the fish in the pond, so to speak, per-se.

    Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.

  17. Re:kettle/black by mcgrew · · Score: 3, Insightful

    And where are these supposed vulnerabilities, anyway? If Microsoft wanted IE to be secure they'd abandon hActive-X and drop j-script in favor of javascript.

    I don't know why anyone but the ignorant would run IE. It (and all of Microsoft's offerings) have always been less secure than just about everyone else's.

    --
    Free Martian Whores!
  18. Re:kettle/black by TheRaven64 · · Score: 4, Insightful

    They make a valid point. IE has holes. Chrome has holes. IE with a Chrome plugin can be exploited by both vectors. There should be no debate over the fact that IE+Chrome is less secure than IE without Chrome. That is distracting from the real question, however, which is whether IE without Chrome is less secure than Chrome without IE.

    --
    I am TheRaven on Soylent News
  19. Mistaken market. by neo · · Score: 3, Insightful

    Google is not in the business of providing searches. Google is in the business of selling ads. It just happens that having the best search gives you more eyeballs on your ads. They leverage that advantage to gain share in other markets. It does sound like another company I've heard about.

    But you're on target here, this is obviously not comfortable for Microsoft. Five years ago they wouldn't have even bothered to issue a response. This is the kind of press release that is pure fear.

    Someone has made a plug-in for your browser that makes it 8X faster.

    • It shows incompetence of your developers that someone else had apparently patched your buggy/slow software.
    • Eventually people learn that it's actually another browser. Most people don't even know what a browser is.
    • Why use something in emulation when you can run the real thing? People will switch.

    It's something I said a long long long time ago. What can kill Microsoft? Something free.