Slashdot Mirror


Microsoft Says Google Chrome Frame Makes IE Less Secure

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

14 of 459 comments (clear)

  1. I'm Taking Notes by Anonymous Coward · · Score: -1, Troll

    This is not a risk we would recommend our friends and families take.

    Yeah? And what kind of lube do you recommend for your customers when you bend them over?

  2. LESS secure? by gmuslera · · Score: -1, Troll

    If IE security is already zero, how this could be less secure? putting it into negative security numbers?

    First, the plugin goes from the last "in theory" secure IE8, to the "come to hack me, im open" IE6. Is definitely a security improvement for older IE versions. For IE8, is debatable or future could tell if is more or less secure than the built-in renderer, but so far, history hasn't been on IE side regarding security.

    Also is pretty specific. A very small percent of IE users will install the plugin (mostly wave beta testers mostly that refuse to give up IE?), probably most will have installed Chrome or Firefox. Doing a full site and trying to get there a lot of people to activate the plugin with a specific header tag (so it can't be as easily triggered as some maybe old IE renderer security bugs) and then putting the exploit is a bit doing it taking the long road, specially if you take into account how frequently are tried to exploit IE vulnerabilities and how much aggressive is google regarding security patches (not sure if the plugin use the same update channel than the browser, i.e.).

    Also is interesting that they complain about this plugin that could improve their security overall, and don't do it for other plugins that definately lower their security, but that must be used to access (pretty much like the chrome frame plugin) to some essential content, like i.e. flash or acrobat (and odds are pretty high that silverlight too).

  3. Re:Thanks by gabebear · · Score: 1, Troll

    It's a great argument against Silverlight from a consumer's point of view. You have to load extra software which won't effect 99.9% of the pages you might visit.You aren't really adding any security, since the old crap is still there.

    From a web developers point of view this could be HUGE. Most customers wouldn't have a problem installing a Google-based plugin, and after we get them to install the plugin WE NEVER NEED TO CODE FOR IE AGAIN!!!!! Really, IE8 isn't a terrible browser, but IE7 and IE6 are unforgivably bad. This takes care of all the IE6, IE7, and IE8 incompatible crap and lets you override their engines by adding one tag to your page.

  4. Re:Well yes by Computershack · · Score: 1, Troll

    I still don't understand how IE could be made less secure. Surely, IE offers more options than just Javascript to install malware.

    Because on Vista, IE8 runs sandboxed.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  5. Re:Well yes by Anonymous Coward · · Score: -1, Troll

    IE7 and IE8 on Vista and later (Server 2008 and Windows 7) have some really impressive security, in fact. Everything is pretty well sandboxed, and if something DOES break, it's usually pretty well contained.

    IE7 and IE8 combined have, oddly, exactly 100 vulnerabilities (88 for IE7, 12 for IE8).

    FireFox 3.0 alone has 114. FireFox 3.5 has 18. And, to be thorough, FireFox 2 has 154.

    So. Yeah. Glass Houses, throwing stones, yada yada yada.

  6. In other news... by TrixX · · Score: 0, Troll

    Microsoft has told skydivers that they don't recommend using parachutes, because a parachute adds to their weight.

    This (as the advice stated by microsoft) is based on strictly true facts (greater attack area) but it is also strictly useless advice...

  7. Re:I agree by ZarathustraDK · · Score: 0, Troll

    Or Chrome, or Safari, or even Firefox 2 on Windows

    Dude, you got the Ferrari, why use it on rainy dirt-roads when newly laid dry tarmac is available? - old chinese saying

    --
    If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
  8. Re:Well yes by stocke2 · · Score: 1, Troll

    not this stupid argument again
    you are comparing apples and oranges, known bugs in an open codebase, which gets patched relatively quickly.
    and known bugs in a closed codebase which gets patched not so quickly. I am sure if we could see the code we could find some more bugs, but alas... we shall never know.

    and since we can not know you can not really compare the numbers in a meaningful way.

    also, when they do those bug counts on linux they tend to add in bugs from other packages, so are the adding in bugs on popular plugins or anything as well? unfortunately those numbers are hard to trust, because the people who gather them have shown themselves to be untrustworthy in the past.

    that said IE8 is better than earlier versions, I still don't like it and not because its microsoft, but because the interface stinks and it has had some rendering issues with sites I use, I prefer safari on osx and ff when I have to use windows.

    If you like IE, more power to you, I would love to see windows users switch from ie6 to ie8, makes my life easier.

    --
    A Smith & Wesson beats four aces -- Murphy's Law of Poker
  9. Re:kettle/black by geekoid · · Score: -1, Troll

    It became popular becasue MS used their monopoly to be able to give away the browser to destroy netscape; which cost money at the time.

    No one out side of IT people who specifically understood browsers new one from another as far as standards and security. Only Cost.

    Oh and ie WAS an add on to 95, and included in later releases of 95.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  10. Re:Friends? by Bertie · · Score: 1, Troll

    Classic Microsoft tactic. Every single release of everything they ever do is prefaced with a couple of months of how the last release was shit and they're really sorry for letting everyone down, but hey, this time they're going to get it right, promise.

    The incredible thing is that, like a battered housewife, people keep taking them back.

  11. Re:I agree by powerlord · · Score: -1, Troll

    and not be able to run many commercial programs? I think that's some pretty crappy advice there. Businesses need quality business applications to function properly and the 'alternative' software in Linux isn't always of a high quality if it even exists. That's before we even start talking about hardware compatibility. Linux, Solaras and BSD are not suitable for many computing environments and users which is why companies still pay for Windows.

    Personally I run Safari and FireFox on BSD every day.

    OSX *IS* BSD derived (and officially Unix).

    Heck, Snow Leopard even adds Exchange Support to Apple's built in Mail app.

    Why should businesses use windows again? (the only time I ever need windows now is when connecting to a customer's VPN, in which case running a Windows VM is an even BETTER solution, since connecting to the VPN usually cuts off all other internet access, which is much easier to deal with when its a Guest OS that is cut off).

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  12. Re:kettle/black by SkunkPussy · · Score: -1, Troll

    lol @ memory-holes in firefox

    doesn't happen any more

    --
    SURELY NOT!!!!!
  13. Re:kettle/black by Anonymous Coward · · Score: -1, Troll

    y do you all go on about other browers they are all rubbish firefox is crap you seriously know nothing about computers stick to you non existant IT day job, IE is the best

  14. Re:kettle/black by Kagetsuki · · Score: 0, Troll

    Flash is just generally terrible. Macromedia decided to make a development system for people who at most perhaps understood some Javascript, so their model is based on weird concepts like frames and putting scripts in objects (objects as in images). Writing a complex application in flash would be an exercise in futility, especially compared Java. As terrible as Java is, a skilled developer can write a significantly better, cleaner, and more technically capable (hardware acceleration etc) in it in less time and have a smaller package. Still, I don't think Java is the answer, but at least it's "better" than flash.