Microsoft Says Google Chrome Frame Makes IE Less Secure
Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"
This is not a risk we would recommend our friends and families take.
Yeah? And what kind of lube do you recommend for your customers when you bend them over?
If IE security is already zero, how could this be less secure? Putting it into negative security numbers?
First, the plugin goes from the last "in theory" secure IE8 to the "come to hack me, I'm open" IE6. It is definitely a security improvement for older IE versions. For IE8, it is debatable, or the future could tell if it is more or less secure than the built-in renderer, but so far, history hasn't been on IE's side regarding security.
Also, it is pretty specific. A very small percentage of IE users will install the plugin (mostly Wave beta testers that refuse to give up IE?); probably most will have installed Chrome or Firefox. Doing a full site, trying to get a lot of people there to activate the plugin with a specific header tag (so it can't be triggered as easily as some, maybe old, IE renderer security bugs), and then putting the exploit there is a bit like taking the long road, especially if you take into account how frequently people try to exploit IE vulnerabilities and how aggressive Google is regarding security patches (not sure if the plugin uses the same update channel as the browser, e.g.).
It is also interesting that they complain about this plugin that could improve their security overall, and don't do so for other plugins that definitely lower their security but that must be used (pretty much like the Chrome Frame plugin) to access some essential content, like, e.g., Flash or Acrobat (and odds are pretty high that Silverlight too).
It's a great argument against Silverlight from a consumer's point of view. You have to load extra software which won't affect 99.9% of the pages you might visit. You aren't really adding any security, since the old crap is still there.
From a web developer's point of view this could be HUGE. Most customers wouldn't have a problem installing a Google-based plugin, and after we get them to install the plugin WE NEVER NEED TO CODE FOR IE AGAIN!!!!! Really, IE8 isn't a terrible browser, but IE7 and IE6 are unforgivably bad. This takes care of all the IE6, IE7, and IE8 incompatible crap and lets you override their engines by adding one tag to your page.
I still don't understand how IE could be made less secure. Surely, IE offers more options than just Javascript to install malware.
Because on Vista, IE8 runs sandboxed.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
IE7 and IE8 on Vista and later (Server 2008 and Windows 7) have some really impressive security, in fact. Everything is pretty well sandboxed, and if something DOES break, it's usually pretty well contained.
IE7 and IE8 combined have, oddly, exactly 100 vulnerabilities (88 for IE7, 12 for IE8).
FireFox 3.0 alone has 114. FireFox 3.5 has 18. And, to be thorough, FireFox 2 has 154.
So. Yeah. Glass Houses, throwing stones, yada yada yada.
Microsoft has told skydivers that they don't recommend using parachutes, because a parachute adds to their weight.
This (as the advice stated by Microsoft) is based on strictly true facts (greater attack area) but it is also strictly useless advice...
Or Chrome, or Safari, or even Firefox 2 on Windows
Dude, you got the Ferrari, why use it on rainy dirt-roads when newly laid dry tarmac is available? - old chinese saying
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
not this stupid argument again
you are comparing apples and oranges, known bugs in an open codebase, which gets patched relatively quickly.
and known bugs in a closed codebase which gets patched not so quickly. I am sure if we could see the code we could find some more bugs, but alas... we shall never know.
and since we can not know you can not really compare the numbers in a meaningful way.
also, when they do those bug counts on linux they tend to add in bugs from other packages, so are they adding in bugs on popular plugins or anything as well? unfortunately those numbers are hard to trust, because the people who gather them have shown themselves to be untrustworthy in the past.
that said IE8 is better than earlier versions, I still don't like it and not because it's microsoft, but because the interface stinks and it has had some rendering issues with sites I use, I prefer safari on osx and ff when I have to use windows.
If you like IE, more power to you, I would love to see windows users switch from ie6 to ie8, makes my life easier.
A Smith & Wesson beats four aces -- Murphy's Law of Poker
It became popular because MS used their monopoly to be able to give away the browser to destroy Netscape, which cost money at the time.
No one outside of IT people who specifically understood browsers knew one from another as far as standards and security. Only cost.
Oh and IE WAS an add-on to 95, and included in later releases of 95.
The Kruger Dunning explains most post on
Classic Microsoft tactic. Every single release of everything they ever do is prefaced with a couple of months of how the last release was shit and they're really sorry for letting everyone down, but hey, this time they're going to get it right, promise.
The incredible thing is that, like a battered housewife, people keep taking them back.
Personally I run Safari and FireFox on BSD every day.
OSX *IS* BSD derived (and officially Unix).
Heck, Snow Leopard even adds Exchange Support to Apple's built-in Mail app.
Why should businesses use Windows again? (The only time I ever need Windows now is when connecting to a customer's VPN, in which case running a Windows VM is an even BETTER solution, since connecting to the VPN usually cuts off all other internet access, which is much easier to deal with when it's a Guest OS that is cut off.)
This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
lol @ memory-holes in firefox
doesn't happen any more
SURELY NOT!!!!!
Why do you all go on about other browsers? They are all rubbish, Firefox is crap, you seriously know nothing about computers, stick to your nonexistent IT day job, IE is the best
Flash is just generally terrible. Macromedia decided to make a development system for people who at most perhaps understood some JavaScript, so their model is based on weird concepts like frames and putting scripts in objects (objects as in images). Writing a complex application in Flash would be an exercise in futility, especially compared to Java. As terrible as Java is, a skilled developer can write a significantly better, cleaner, and more technically capable (hardware acceleration etc.) application in it in less time and have a smaller package. Still, I don't think Java is the answer, but at least it's "better" than Flash.