Slashdot Mirror
Microsoft Says Google Chrome Frame Makes IE Less Secure
Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
"Given the security issues with plugins in general and Google Chrome in particular"
O RLY?
I'm happy to believe that IE8 actually has a good security model. I'm happy to believe that Chrome is not without flaws. But, really, Google have gone through fairly considerable pain and implemented quite strict sandboxing techniques for Chrome, to contain any problems in the renderer. It's pretty solid. Maybe it's better than IE8, maybe not. But just hand waving and going "Oh yes, *especially* Chrome" as if it's common knowledge that it's insecure is simply FUD.
The point about increasing the attack surface area seems more valid, perhaps, though it really depends on how this plugin works. If there are really twice as many places available at once then yes, that is a worry. If you'd have to get through Chrome's security and then through IE8's security, that actually sounds quite good. Possibly the biggest security worry I see is in encouraging users to think that installing a large, scary plugin that basically replaces the guts of their browser is a normal occurrence that will make their internet experience better.
Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their Javascript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.
Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
I heard about this but I wasn't going to install it yet. I don't use a lot of I.E. stuff, but what I do is Javascript intensive, so now that I know that your don't like it at Microsoft I have now installed it. Thanks for the heads up... since you don't like it there must be a reason to give it a look.
I read a fantastic interview with one of the lead IE developers as they were prepping the launch of IE 7. He said his daughter came home from school one day and asked him if he was responsible for breaking the web.
In the interview, he seemed to imply the current IE team feels guilty and responsible for previous versions being so poor in standards compliance, and that the new developers were pushing to make IE more complaint in the future.
Technically, they have succeeded. IE 7 and 8 are more complaint. They still however are not very compliant on the whole.
So yes, they have families. And even their beloved daughters call them out for IE's problems.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
gee, and it really helps your case when the Microsoft rep on the HTML5 was one of the key people delaying the standard, isn't it?