Microsoft Says Google Chrome Frame Makes IE Less Secure

← Back to Stories (view on slashdot.org)

Microsoft Says Google Chrome Frame Makes IE Less Secure

Posted by CmdrTaco on Thursday September 24, 2009 @12:59AM from the less-secure-than-what-exactly dept.

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

99 of 459 comments (clear)

kettle/black by Anonymous Coward · 2009-09-24 01:00 · Score: 5, Funny

stones/glasshouses
1. Re:kettle/black by ta+bu+shi+da+yu · 2009-09-24 01:03 · Score: 5, Insightful
  
  I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
2. Re:kettle/black by Anonymous Coward · 2009-09-24 01:15 · Score: 3, Insightful
  
  Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't...
  
  Also, IE7 and 8 (on Vista and Windows 7) has a bunch of really impressive security features, albeit they're still behind in standards. And "accelerators" are extremely useful.
  
  That said, I still use Firefox (Somebody PLEASE make AdBlock Plus for Chrome and IE please! )
3. Re:kettle/black by Vindicator9000 · 2009-09-24 01:27 · Score: 5, Funny
  
  But really, no one should throw stones, right? As a kid, I was always taught that it's not nice to throw stones at people. Unless of course, you were trapped in a glass house and needed to get out. If you have a pile of stones next to you, go ahead and throw them. Then you won't be trapped anymore! So really, people in glass houses are the only ones who should throw stones. Right?
4. Re:kettle/black by Chabil+Ha' · 2009-09-24 01:30 · Score: 5, Insightful
  
  Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.
  Great, that happened *ten* years ago. What has happened since? They've been chasing the Fox for past *five* years.
  
  --
  We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
5. Re:kettle/black by Anonymous Coward · 2009-09-24 01:30 · Score: 2, Insightful
  
  Dimitri martin's standup doesn't transfer well to text ;)
6. Re:kettle/black by Anonymous Coward · 2009-09-24 01:48 · Score: 2, Informative
  
  Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.
  Great, that happened *ten* years ago. What has happened since? They've been chasing the Fox for past *five* years.
  Great, except I was responding to somebody who claimed that Microsoft hadn't made a DECENT browser in THIRTEEN years. 6 was fine when it came out, if nothing special, but 5, 7, and 8 have all had some pretty good features. Features that would make me drop AdBlock Plus? Hell no! But saying they can't make a 'decent' browser is just flamebait.
7. Re:kettle/black by gyrogeerloose · 2009-09-24 01:55 · Score: 3, Funny
  
  people in glass houses are the only ones who should throw stones. Right?
  Wrong. People in glass houses shouldn't undress.
  
  --
  This ain't rocket surgery.
8. Re:kettle/black by Anonymous Coward · 2009-09-24 01:57 · Score: 3, Informative
  
  Also, IE7 and 8 (on Vista and Windows 7) has a bunch of really impressive security features...
  And even more impressive bloat, *especially* with regards to screen real estate, even with all the bars disabled. It's as if IE is parodying itself. Ever try using IE8 on a netbook? It doesn't work, you have to enter kiosk mode for it to be remotely useful. There's no thought to form or function, they just barfed menus all over the place and called it "progress".
9. Re:kettle/black by Kagetsuki · 2009-09-24 02:02 · Score: 5, Informative
  
  IE 5 was great, but MS making IE5 great and taking the market lead seems to have given them the idea that they could implement their own features all on their own and make everyone conform to their standards, which they are still doing now. The thing is the way Internet explorer implemented a lot of features gave a lot of things that just couldn't be easily done or done at all until HTML5 was actually adopted. The problem there is that HTML 5 took forever. Evolution of the web by its own standards committee has been gruelingly slow and the massive amount of garbage that has come out in-between and the amount of junk included in HTML 5 itself is astounding. Even if you could say some new features submitted are great there is just so much overlapping of features it's hard to tell what is the best way to do anything now. Do you write a site with canvas and hope people using IE will install chrome frame? Do you write two versions of the same site, one using "standard" HTML 5/XML Namespaces/SVG/Canvas and one using whatever Microsoft developed 5 years ago to achieve the same thing but in the Microsoft way? Speaking of SVG, the Adobe SVG plugin for IE can't read modern SVG files and the google SVG to flash translator breaks if you use any other new web technology with it (xlink for example). And don't even get me started on how terrible Flash is, it's just depressing. Java web launch? Has anybody even heard of it? How many general PC users even have the Java plug-in properly installed (I'm betting 3 year old can count that high)? The internet sucks and it sucks in two different directions: the "anything goes and we'll do whatever we want Microsoft direction" and the "we'll do everything you want but we'll fight about how to do it for 5 years, then never actually call the standard finalized so we can just arbitrarily change it and if any browser developers complain we'll just tell them they shouldn't have implemented it if it wasn't finalized" W3C/Gecko/Webkit/Opera direction.
  
  Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....
10. Re:kettle/black by Hatta · 2009-09-24 02:05 · Score: 4, Funny
  
  Making IE less secure is like making water more wet.
  
  --
  Give me Classic Slashdot or give me death!
11. Re:kettle/black by plague3106 · 2009-09-24 02:10 · Score: 2, Informative
  
  Even if that person is Bree Olson?
12. Re:kettle/black by noundi · 2009-09-24 02:13 · Score: 4, Insightful
  
  Microsoft Says Google Chrome Frame Makes IE Less Secure
  Of course they do! Disregard the fact that they provide no evidence at all, and that they use this:
  
  Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts.
  as an argument to prove their point (???), but really, this is Googles way of taking over the MS userbase as explained here, and MS knows it. If Google wave becomes a hit, people will remember this move as the first important joust won by Google. IE with its crippled javascript hopes to prevent the popularity of Google wave by using scorched earth policy.
  
  --
  I am the lawn!
13. Re:kettle/black by Anonymous Coward · 2009-09-24 02:16 · Score: 2, Insightful
  
  Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape. There's a reason EVERYBODY dumped Netscape, and it wasn't just "it came with Windows", because at first, it didn't....
  Yes I do, it was crap even then, compare its CSS support to Mozilla 5 (Netscape 6):
  http://www.richinstyle.com/bugs/table.html
  IE has always been a pain, it was just less bad than Netscape 4 for a while.
14. Re:kettle/black by poetmatt · 2009-09-24 02:23 · Score: 4, Insightful
  
  you're one of the rarest groups of all the fish in the pond, so to speak, per-se.
  Most of us like companies that patch vulnerabilities much faster/make browsers that are standards compliant, both from a legal perspective (meaning our employers are happier -not for me personally), and also from a safety/update perspective.
15. Re:kettle/black by Deathlizard · 2009-09-24 02:28 · Score: 2, Interesting
  
  Somebody PLEASE make AdBlock Plus for Chrome and IE please!
  IE8 has it built in with Inprivate filtering. You can also import lists to filter URL's similar to AdBlockPlus. Although it's not as conveniently automatic or as seamless, it works pretty well.
  There's a good amount of info in this thread at DSLReports.
  http://www.dslreports.com/forum/r22124619-IE8-InPrivate-filter-from-adblock-plus-list
  
  --
  In Soviet Russia, Trojan exploits YOU!
16. Re:kettle/black by mcgrew · 2009-09-24 02:48 · Score: 3, Insightful
  
  And where are these supposed vulnerabilities, anyway? If Microsoft wanted IE to be secure they'd abandon hActive-X and drop j-script in favor of javascript.
  I don't know why anyone but the ignorant would run IE. It (and all of Microsoft's offerings) have always been less secure than just about everyone else's.
  
  --
  Free Martian Whores!
17. Re:kettle/black by bradley13 · 2009-09-24 02:48 · Score: 2, Insightful
  
  Also a matter of opinion. IE5 had some nifty features, but was pretty far along in the second phase of Microsoft's standard "Embrace, Extend, Extinguish" strategy: it broke with established web standards in a major way. Because it was delivered with Windows, companies used it. They therefore built Intranet sites that didn't work with Netscape. The next step was extinguish, which worked pretty well until Firefox came along. So, yes, IE5 was nifty. And anyone who cared about the future of the Internet at the time rightly detested it.
  
  --
  Enjoy life! This is not a dress rehearsal.
18. Re:kettle/black by Spazztastic · 2009-09-24 02:50 · Score: 4, Funny
  
  Even if that person is Bree Olson?
  Gah, knew I shouldn't have googled her at work.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
19. Re:kettle/black by TheRaven64 · 2009-09-24 02:52 · Score: 4, Insightful
  
  They make a valid point. IE has holes. Chrome has holes. IE with a Chrome plugin can be exploited by both vectors. There should be no debate over the fact that IE+Chrome is less secure than IE without Chrome. That is distracting from the real question, however, which is whether IE without Chrome is less secure than Chrome without IE.
  
  --
  I am TheRaven on Soylent News
20. Re:kettle/black by poetmatt · 2009-09-24 03:35 · Score: 2, Interesting
  
  Of course it would. But people have been asking for that since *IE 6* and/or earlier, I kid you not. If they allowed extensions people could do things such as : patch vulnerabilities themselves, allow things such as noscript, enable standards compliance. We're not talking about in modified versions of IE, it should be in the standard IE8 for the average non-techie user.
  you know, all the stuff that we've been asking for to be provided in Internet Explorer for years. I don't suspect that to ever happen, since they intend to stick with ActiveX.
21. Re:kettle/black by MadCow42 · 2009-09-24 03:46 · Score: 3, Funny
  
  >>Wrong. People in glass houses shouldn't undress.
  No - people in glass houses should undress... but people shouldn't buy glass houses unless they're hot 21-year-old nurses.
  
  --
  I used to have a sig, but I set it free and it never came back.
22. Re:kettle/black by aztektum · 2009-09-24 04:10 · Score: 2, Funny
  
  Bah, If I wanted to see that, I'd just undress a Barbie doll.
  
  --
  :: aztek ::
  No sig for you!!
23. Re:kettle/black by the_B0fh · 2009-09-24 04:24 · Score: 4, Interesting
  
  gee, and it really helps your case when the Microsoft rep on the HTML5 was one of the key people delaying the standard, isn't it?
24. Re:kettle/black by thejynxed · 2009-09-24 05:06 · Score: 2, Interesting
  
  There is an extension for IE that might fit what you are looking for:
  http://adblockie.codeplex.com/
  It also has the benefit of being Open Sauce for you guys who like to tinker with code.
  There will never be an AdBlock or AdBlock+ for IE from the original authors. Those extensions rely on XUL and Javascript to make Firefox do what they want. Extensions for IE have to be programmed in a language like C++ and compiled into binary blob, and can only use pre-defined hooks into the browser.
  
  --
  @Mindless Drivel: 100% of Twitter posts ever Tweeted.
25. Re:kettle/black by igaborf · 2009-09-24 05:20 · Score: 4, Funny
  
  Even if that person is Bree Olson?
  Gah, knew I shouldn't have googled her at work.
  You misspelled "ogled."
26. Re:kettle/black by mftb · 2009-09-24 05:28 · Score: 2, Insightful
  
  Server-side language choice isn't at all a browser issue. Also, Mr. AC, other than microsoft's own PR, can you cite any security problems here? Sure, they're introducing a new rendering engine that will undoubtedly have its own security problems, but they don't combine with IE's rendering engine's problem since only one of them is being used at a time.
27. Re:kettle/black by ae1294 · 2009-09-24 05:31 · Score: 2
  
  And where are these supposed vulnerabilities, anyway? If Microsoft wanted IE to be secure they'd abandon hActive-X and drop j-script in favor of javascript.
  I don't know why anyone but the ignorant would run IE. It (and all of Microsoft's offerings) have always been less secure than just about everyone else's.
  I see no trolling here... Slashdot is going to die if the corporation that owns it doesn't start dealing with the horrible mod problem.
  Active-X is and always has been a huge problem and Microsoft products in general have shown themselves to be less secure. Why that might be is open to debate but anyone who ever works on a "normal" persons computer should have noticed that people who us IE always have mind blowing amounts of spyware and those that have been forced to use some other browser (by me) never have the same level of infection if anything at all.
  I'd also like to take a moment to yell at Adobe for it's FLASH and PDF exploits...
28. Re:kettle/black by jhfry · 2009-09-24 06:33 · Score: 2, Insightful
  
  Actually... no.
  1 - IE's renderer has holes.
  2 - Chrome's renderer has (I believe) fewer holes (because it is not as tied to the OS).
  3 - Only 1 renderer will be used to render a malicious page.
  If 2 and 3 are true, then it follows that when Chrome's renderer is used, the browser is actually more secure.
  Of course this is highly dependent upon the level of communication between the browser and the renderer. I suspect that it is very minimal ( button clicks, bookmarks, etc.) as tight integration would be unnecessary, costly, and more difficult to maintain.
  I think I will take the stance that using the chrome renderer on the IE browser will make a more secure online experience... and I will tell people such until someone can convince me that I am wrong. Microsoft's argument is like saying that Windows and McAfee AntiVirus make a system less secure than Windows by itself because McAffee increases the attack area, which it technically does.
  
  --
  Sometimes the best solution is to stop wasting time looking for an easy solution.
29. Re:kettle/black by Blakey+Rat · 2009-09-24 08:55 · Score: 3, Funny
  
  IE already has extensions, it has for AGES. At least since IE 5.5.
  How do you think Google Toolbar runs in IE? Magic? Powdered unicorn horn? Hell, THIS VERY SLASHDOT STORY is about an IE extension.
  What the hell drug did Mozilla give everybody to make them think IE doesn't have extensions? I feel like I'm the last human left and everybody else has been replaced by body-snatchers!!
  
  --
  Comment of the year
30. Re:kettle/black by gig · 2009-09-24 15:20 · Score: 3, Interesting
  
  IE8 is terrible. It is 2x slower than every other browser and it has no HTML5 features. It's only good when compared to IE6 from 2001. Also, IE8 is over 25 megabytes and runs only on Wintel. For comparison, WebKit is 5 megabytes and runs on Windows, Mac, Linux and on x32, x64, PowerPC, and ARM.
  There is just no excuse for the low quality of Internet Explorer. Microsoft has been at this longer than any other browser maker. Safari is from early 2003, Firefox from late 2004, Chrome from 2008, but IE is from 1995. That is a dramatic head start and yet IE8 is way, way behind the other browsers.
Friends? by Jeoh · 2009-09-24 01:00 · Score: 5, Funny

Friends don't let friends use Internet Explorer anyway.
1. Re:Friends? by Mikkeles · 2009-09-24 01:02 · Score: 5, Funny
  
  'This is not a risk we would recommend our friends and families take.'
  They have friends, much less family?
  
  --
  Great minds think alike; fools seldom differ.
2. Re:Friends? by Enderandrew · 2009-09-24 02:02 · Score: 4, Interesting
  
  I read a fantastic interview with one of the lead IE developers as they were prepping the launch of IE 7. He said his daughter came home from school one day and asked him if he was responsible for breaking the web.
  In the interview, he seemed to imply the current IE team feels guilty and responsible for previous versions being so poor in standards compliance, and that the new developers were pushing to make IE more complaint in the future.
  Technically, they have succeeded. IE 7 and 8 are more complaint. They still however are not very compliant on the whole.
  So yes, they have families. And even their beloved daughters call them out for IE's problems.
  
  --
  http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
3. Re:Friends? by pacinpm · 2009-09-24 02:26 · Score: 5, Funny
  
  I find the lack of mention of children and terrorists disturbing.
4. Re:Friends? by benwiggy · 2009-09-24 02:42 · Score: 4, Funny
  
  ...the new developers were pushing to make IE more complaint in the future.
  Technically, they have succeeded. IE 7 and 8 are more complaint.
  Feel the delicious irony from an incorrect vowel transposition!
5. Re:Friends? by vtcodger · 2009-09-24 02:54 · Score: 3, Informative
  
  There are standards for HTML? Who knew?
  FWIW, as of this morning, the W3C Validator [http://validator.w3.org] reports
  www.google.com ------------ 39 Errors, 2 warning(s)
  www.microsoft.com -------- 300 Errors, 31 warning(s)
  www.apple.com -------------- 6 Errors, 1 warning(s)
  www.bing.com -------------- 12 Errors
  http://validator.w3.org/ ------ Sorry! This document can not be checked
  www.slashdot.org ---------- 64 Errors, 2 warning(s)
  And don't those web page designers who are "dancing for joy" deserve a bit of credit for this shambles? I'd like to believe that they won't immediately start using features that work in chrome, but not IE because "all the user has to do is download a plugin." But if past experience is any guide, that is exactly what many of them will do.
  
  --
  You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
6. Re:Friends? by ajs · 2009-09-24 08:57 · Score: 2, Informative
  
  For www.google.com the validator says:
  
  Using experimental feature: HTML5 Conformance Checker.
  I think it's kind of unfair to cite statistics without being clear about the limitations of the tools used.
Well yes by Canazza · 2009-09-24 01:01 · Score: 4, Funny

Ofcourse it makes it less secure, it lets you run Javascript faster, so that all those drive-by malware installers can execute faster!

--
It pays to be obvious, especially if you have a reputation for being subtle.
1. Re:Well yes by Captain+Hook · 2009-09-24 02:06 · Score: 4, Insightful
  
  I thought plug-ins/add-ons ran as part of the host browsers CPU process, and thus if IE is sandboxed wouldn't Chrome also be sandboxed?
  
  --
  These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
2. Re:Well yes by Anonymous Coward · 2009-09-24 02:18 · Score: 2, Informative
  
  For IE that's true - plugins run in the sandbox.
  For Chrome (the full browser) it's not - in Chrome, plugins run out of the sandbox (their sandbox is only for the renderer).
  I believe the issue here is that the Google Chrome plugin bypasses IE's anti-malware filter (SmartScreen) and the IE phishing filter, both of which have been shown to be better than Google's equivalent (there are numerous reports that show this, the most recent from NSS).
  That's why MSFT is complaining about the chrome plugin decreasing the security of IE users.
3. Re:Well yes by cbhacking · 2009-09-24 02:49 · Score: 2, Informative
  
  Depends on implementation (for some time, Flash installed an exemption for itself that let it use a broker process to get out of Protected Mode without letting the user know) but by default, yes, IE plugins have the same sandboxing as the browser itself.
  
  --
  There's no place I could be, since I've found Serenity...
Well they would say that wouldn't they by Chrisq · 2009-09-24 01:01 · Score: 5, Informative

What do you expect; "This is great now our customers can access standards-compliant sites and have a faster, smoother web experience"?
1. Re:Well they would say that wouldn't they by jgardia · 2009-09-24 01:09 · Score: 5, Funny
  
  I was expecting "Microsoft Says Google Chrome Frame Makes IE even Less Secure"
2. Re:Well they would say that wouldn't they by MadKeithV · 2009-09-24 01:34 · Score: 5, Insightful
  
  "Microsoft pretends IE could possibly be made less secure by changing anything about it."
3. Re:Well they would say that wouldn't they by c-reus · 2009-09-24 01:49 · Score: 2, Insightful
  
  "Microsoft releases new critical IE patch that accidentally disables the Chrome Frame"
Security issues with Google Chrome? by commodore64_love · 2009-09-24 01:02 · Score: 4, Insightful

Dear Microsoft:
Citation please. Evidence. Facts. Or retract.
'k thanks,
Google

--
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
1. Re:Security issues with Google Chrome? by selven · 2009-09-24 01:13 · Score: 5, Insightful
  
  Google has a horrible history with security?
2. Re:Security issues with Google Chrome? by ShadowRangerRIT · 2009-09-24 01:18 · Score: 5, Interesting
  
  Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their Javascript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.
  Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.
  
  --
  $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
3. Re:Security issues with Google Chrome? by ByOhTek · 2009-09-24 01:19 · Score: 3, Informative
  
  Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
  While this is still better than the track record on many MS products, it still leads me to suspect the security of Google. Face it, they are good at distributing information, not hiding it... Now, unless *EVERY* Google security hole is already in IE, new holes will be added.
  
  --
  Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
4. Re:Security issues with Google Chrome? by Svartalf · 2009-09-24 01:24 · Score: 2, Insightful
  
  Humor: (Noun)
  1. a comic, absurd, or incongruous quality causing amusement: the humor of a situation.
  2. the faculty of perceiving what is amusing or comical: He is completely without humor. (Something you seem to lack yourself...)
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
5. Re:Security issues with Google Chrome? by Anonymous Coward · 2009-09-24 01:30 · Score: 5, Informative
  
  Citation please.
  http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php
  http://news.cnet.com/8301-1009_3-10226578-83.html
6. Re:Security issues with Google Chrome? by horatio · 2009-09-24 01:37 · Score: 2, Insightful
  
  Wait, isn't it Microsoft that silently installs a plugin into Firefox during a Windows update session, and disables the "uninstall" functionality? Guy has some nerve to stand around and wag his finger at Google.
  
  --
  There is very little future in being right when your boss is wrong.
7. Re:Security issues with Google Chrome? by beelsebob · 2009-09-24 01:47 · Score: 4, Insightful
  
  Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
  So yes, microsoft is right, but rather missing the point... If you're using a chrome frame, you're probably not using IE frames, which means that you're as secure as WebKit's security flaws.
  Why you'd do that rather than just using chrome I have no idea though.
8. Re:Security issues with Google Chrome? by Spy+der+Mann · 2009-09-24 01:49 · Score: 5, Funny
  
  News: Vulnerability in google chrome
  News: Vulnerability in Mozilla Firefox
  News: Some part of Internet explorer is safe!
  See? :)
9. Re:Security issues with Google Chrome? by Jezza · 2009-09-24 01:50 · Score: 2, Insightful
  
  Given that this is IE6, I think any talk about security is somewhat moot. Unless I don't understand it, this should make IE6 more secure - Chrome after all is a "modern" browser, and the page will be run inside that, and not actually touch the rest of IE6's feature set. I really don't see this at all, it strikes me that this is FUD. Maybe I'm missing the point here.
  Anyway, if users actually cared about security they'd not be running IE6 - even Microsoft see the upgrade from that as "critical".
10. Re:Security issues with Google Chrome? by SanityInAnarchy · 2009-09-24 01:55 · Score: 4, Insightful
  
  Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
  Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.
  It can be as simple as using https://mail.google.com/
  
  --
  Don't thank God, thank a doctor!
11. Re:Security issues with Google Chrome? by Anonymous Coward · 2009-09-24 01:59 · Score: 3, Insightful
  
  Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
  Your premise is wrong, hence your argument is wrong. All those goof-ups were not with the gmail you use, or the google docs you use. They were with contractual installations in colleges, etc. It's really like saying "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"
12. Re:Security issues with Google Chrome? by Ephemeriis · 2009-09-24 02:13 · Score: 2, Informative
  
  Every 6 months to a year it seems there is yet another goof up that lets users access other users email (gmail) or data (google docs).
  Unless I'm missing something, most of this revolves around users accessing their data through HTTP over insecure wireless, neither of which is required by Google.
  It can be as simple as using https://mail.google.com/
  There's even a handy little checkbox in the Gmail options to always use HTTPS.
  
  --
  "Work is the curse of the drinking classes." -Oscar Wilde
13. Re:Security issues with Google Chrome? by D+Ninja · 2009-09-24 02:45 · Score: 2, Insightful
  
  "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"
  ...but...we do say that around here...
14. Re:Security issues with Google Chrome? by vitaflo · 2009-09-24 03:12 · Score: 5, Insightful
  
  Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.
  It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.
15. Re:Security issues with Google Chrome? by SanityInAnarchy · 2009-09-24 03:13 · Score: 2, Informative
  
  And one which can be applied domain-wide, if you've got apps for your domain.
  
  --
  Don't thank God, thank a doctor!
16. Re:Security issues with Google Chrome? by jellomizer · 2009-09-24 04:14 · Score: 2, Insightful
  
  Dear Microsoft,
  ActiveX.
  I told you back in the 90's it was a bad idea. So did the rest of us. But did you listen... No.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
17. Re:Security issues with Google Chrome? by pyrbrand · 2009-09-24 04:46 · Score: 2, Interesting
  
  Besides the obvious (you have all the surface area of Chrome and IE together in the browser), there are a lot of questions I have about whether and how it respects IE's security settings, privacy settings, site filtering settings, no-script settings, script debugger settings and on and on. People can joke about how early versions of IE had huge security issues, but all the mitigations and fine grained control over what a page can and cannot do, as well as group policies put in place for sys-admins at corporations trying to protect their intranets are important. Maybe Chrome Frame plays nice with these, maybe they don't. My guess is that it doesn't handle every one of them with grace. (Disclaimer, I work at MS, but am not on the IE team).
18. Re:Security issues with Google Chrome? by onefriedrice · 2009-09-24 05:06 · Score: 2, Insightful
  
  It's really like saying "Oh, hey, MS Exchange in X college got hacked, MS's security sucks!"
  Err... what's wrong with saying that? If MS Exchange is hacked because of a vulnerability in Exchange, then there's nothing wrong with saying that MS's security sucks. Likewise, if Google's service shares your emails with more people than you had in mind (whether or not it's a vulnerability with the public gmail or their private email service--and there have been problems with both), then what's wrong with saying Google's security sucks? Nothing, unless there's some sort of double-standard your are trying to promote.
  
  The only discussion down this avenue that is worth discussing is concerning the overall security provided by both MS and Google, relative to each other. Personally, I would wager that Google probably trumps MS in several security categories, but I haven't looked at any research, therefore this assertion is based mostly on my own observations and biases.
  
  --
  This author takes full ownership and responsibility for the unpopular opinions outlined above.
19. Re:Security issues with Google Chrome? by Rockoon · 2009-09-24 06:30 · Score: 2, Interesting
  
  Dear jellomizer,
  
  This is essentially the same thing as an ActiveX component, with the exception that it doesn't use the COM+OLE framework to "plug in." This exception isn't very meaningful. The fact is that in both cases you are downloading a binary which then gets conditionally executed based on commands given in an HTML document.
  
  My beef with google here is that it looks like they are poised to lock in their own lack of standards compliance on us all (no rendering engine is 100% standards compliant, they all do some things slightly differently) Once this plugin gets installed on IE users machines, they have anchored us all to whatever rendering bugs that plugin has through market share. Will Mozilla or Opera dare to improve their rendering engines to be more-compliant if they then render differently to both webkit AND IE+webkit?
  
  This is an end-run around free market competition. Instead of letting IE die on its lack of merit, they are screwing over Firefox and Opera, making them play follow-the-leader when that lead isnt based solely on merit.
  
  I for one will be quite surprised if Opera is supported at all in the next wave (pun intended) of google apps, even though there is plenty of stuff Opera does right that none of the other browsers do (yes, theres stuff it does wrong too where webkit does it right)
  
  --
  "His name was James Damore."
I agree by kimvette · 2009-09-24 01:02 · Score: 4, Insightful

This is not a risk we would recommend our friends and families take.""
. . . which is why one should run Firefox, konqueror, Mozilla, or Opera on Linux, Solaris, or BSD instead.

--
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
1. Re:I agree by kimvette · 2009-09-24 04:23 · Score: 2, Informative
  
  crossover office will run MS office, the Adobe creative suite, and so forth very, very well. I no longer use MS Office at all, but I do use Photoshop and Illustrator on occasion, and I use esword on Linux all the time. The only things I cannot run that I need on Linux are embroidery applications (need "real" USB support for the machine) and I cannot run some games. At the office I can't run Quickbooks on Linux.
  Many proprietary commercial apps DO run on Linux through WINE or one of the commercial variants.
  
  --
  The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
It's alright by Anonymous Coward · 2009-09-24 01:04 · Score: 5, Funny

I'm not Microsoft's friend or family.
Of course by PhasmatisApparatus · 2009-09-24 01:04 · Score: 5, Insightful

Of course it doubles the attack rate of malicious scripts... It makes Javascript run twice as fast.

In other news, Microsoft has said that Moores Law is a security risk, because viruses can install themselves twice as fast every 18 months.
1. Re:Of course by tolan-b · 2009-09-24 01:27 · Score: 2, Insightful
  
  Attack surface not attack rate..
Thanks by Anonymous Coward · 2009-09-24 01:06 · Score: 5, Insightful

You just made one of the most important arguments against Silverlight official.
1. Re:Thanks by Yvan256 · 2009-09-24 01:15 · Score: 4, Funny
  
  Not only an argument directly from Microsoft against Silverlight but also against Flash!
  Why is Microsoft helping us like that?
Textbook FUD by Lemming+Mark · 2009-09-24 01:09 · Score: 4, Interesting

"Given the security issues with plugins in general and Google Chrome in particular"
O RLY?
I'm happy to believe that IE8 actually has a good security model. I'm happy to believe that Chrome is not without flaws. But, really, Google have gone through fairly considerable pain and implemented quite strict sandboxing techniques for Chrome, to contain any problems in the renderer. It's pretty solid. Maybe it's better than IE8, maybe not. But just hand waving and going "Oh yes, *especially* Chrome" as if it's common knowledge that it's insecure is simply FUD.
The point about increasing the attack surface area seems more valid, perhaps, though it really depends on how this plugin works. If there are really twice as many places available at once then yes, that is a worry. If you'd have to get through Chrome's security and then through IE8's security, that actually sounds quite good. Possibly the biggest security worry I see is in encouraging users to think that installing a large, scary plugin that basically replaces the guts of their browser is a normal occurrence that will make their internet experience better.
1. Re:Textbook FUD by selven · 2009-09-24 01:15 · Score: 2, Insightful
  
  You're not just adding the security of Chrome and IE, you're adding their insecurity as well.
2. Re:Textbook FUD by Just+Some+Guy · 2009-09-24 01:28 · Score: 4, Insightful
  
  I'm happy to believe that IE8 actually has a good security model.
  And I thought that included sandboxing plugins? How can any plugin be a serious security threat with MS went through such pains to make IE bulletproof?
  
  --
  Dewey, what part of this looks like authorities should be involved?
3. Re:Textbook FUD by amoeba1911 · 2009-09-24 02:51 · Score: 2, Insightful
  
  You can't add security, you can only add insecurity. A system is as secure as the weakest point of entry.
  That having been said, all plug-ins reduce security, including Flash and Silverlight, this is no different.
Double Standards by Anonymous Coward · 2009-09-24 01:12 · Score: 5, Insightful

So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.
1. Re:Double Standards by Anonymous Coward · 2009-09-24 01:44 · Score: 2, Funny
  
  Well, yes, you see, the .NET plug-in was meant to increase compatibility without increasing the risk of attack vectors.
  Trust us, we know what is good for you,
  Microsoft
2. Re:Double Standards by gabebear · 2009-09-24 01:58 · Score: 5, Informative
  
  They not only add the .Net plugin to Firefox without asking you, they change the useragent string for Firefox... oh and the .Net plugin doesn't have a built-in uninstaller like every other plugin.
  
  I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
Ingrates! by dangitman · 2009-09-24 01:13 · Score: 3, Funny

a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night.
Dancing Developers?? Get back to developing webs, like you're supposed to be doing! Didn't anybody tell you that you are no good at dancing?

--
... and then they built the supercollider.
Re:I'm Taking Notes by siddesu · 2009-09-24 01:13 · Score: 3, Funny

Sweet Shimmer Glitter Lube. In juicy apple, boysenberry, pink champagne or pina colada.
By that logic... by MoOsEb0y · 2009-09-24 01:23 · Score: 2, Insightful

... we should ban flash, acrobat reader, quicktime, and dozens of other plugins that all have regularly reported vulnerabilities.
Risk? I'll give you risk... by pbhogan · 2009-09-24 01:25 · Score: 2, Funny

Microsoft is not a risk we would recommend our friends and families take.
Families by Thanshin · 2009-09-24 01:26 · Score: 5, Funny

This is not a risk we would recommend our friends and families take.
Especially the children. Think of the children!
He should have used "mortal danger" instead of simply "risk". Also, change "would recommend" for "let". And add some exclamations, for god's sake, this is serious.
Thus, the closing sentence should be:
"This is not a mortal danger we let our children take!"
However, once you've decided to push factless crap with fear mongering, at least do it with style.
I recommend:
"If you allow your children to install the google demon, your entire family will suffer an eternity of pain, in HELL!"
My family disowned me after I installed it. by lawnsprinkler · 2009-09-24 01:28 · Score: 4, Funny

"This is not a risk we would recommend our friends and families take." The Microsoft representative further stated that "Allowing your children to use the Google Chrome Frame plugin is tantamount to child abuse. In fact, we're not so sure that anyone installing this is truly capable of feeling love. What kind of heartless monster would willingly install this on their loved ones' browser?"
What about Flash? by Anonymous Coward · 2009-09-24 01:28 · Score: 2, Insightful

".... has doubled the attack area for malware and malicious scripts."
Can't the same thing be said about the Flash Player Plugin?
Oh please by gibbo2 · 2009-09-24 01:28 · Score: 2, Insightful

Because people still using IE6 are really worried about their browser security...
Thanks Microsoft... by MickyTheIdiot · 2009-09-24 01:30 · Score: 4, Interesting

I heard about this but I wasn't going to install it yet. I don't use a lot of I.E. stuff, but what I do is Javascript intensive, so now that I know that your don't like it at Microsoft I have now installed it. Thanks for the heads up... since you don't like it there must be a reason to give it a look.
Sounds to me that Microsoft... by dgun · 2009-09-24 01:37 · Score: 5, Insightful

..is scared.

So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?

--
FAQs are evil.
1. Re:Sounds to me that Microsoft... by Just+Some+Guy · 2009-09-24 07:37 · Score: 2, Insightful
  
  Yes... because Microsoft makes piles of money off of Internet Explorer.
  In the low billions of dollars, at least. I know plenty of corporate types who are locked into Windows solely because of internal web apps that are hardcoded against IE6 or older. Unsurprisingly, IT doesn't want to pay for a beefier desktop machine for them to run their OS of choice plus a licensed copy of Windows in a VM just so they can access a certain site plus having to support twice the software for each person using such a system.
  
  --
  Dewey, what part of this looks like authorities should be involved?
I have great respect for Google by Cro+Magnon · 2009-09-24 01:37 · Score: 3, Funny

But I doubt that even they could make IE less secure than it already is.

--
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
What about Silverlight? by robmv · 2009-09-24 02:07 · Score: 2, Insightful

applying the same crazy MS thoughts, then Silverlight make IE less secure
Friends and family by 93+Escort+Wagon · 2009-09-24 02:09 · Score: 3, Insightful

Well of course Microsoft "doesn't recommend" their friends and family use the Chrome plugin. If they did, next thing you know their friends and family are down at the T-Mobile shop eying Android phones, or over at the Apple Store snapping up an iPhone. As long as those friends and family are only exposed to Microsoft products, they'll never realize that the grass, indeed, really is greener on the other side of that fence - because those other guys actually feed and water their lawn!

--
#DeleteChrome
Actually MS is right. by Deathlizard · 2009-09-24 02:12 · Score: 5, Insightful

By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.

--
In Soviet Russia, Trojan exploits YOU!
1. Re:Actually MS is right. by RareButSeriousSideEf · 2009-09-24 02:40 · Score: 4, Informative
  
  +1.
  I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing. The point is just that no browser is by itself a silver bullet of invulnerability, especially when plugins and external runtimes are involved.
  Now I run Chrome standalone with the -disable-java command line switch to cut the attack surface down a bit. It's not as versatile as NoScript in FF, but you can run Chrome instances with javascript, plugins, etc. disabled on an individual basis. A list is at http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/.
  
  --
  Pi Ran Out
2. Re:Actually MS is right. by mcrbids · 2009-09-24 06:08 · Score: 2, Insightful
  
  I actually got one of my systems pwned (for the first time in > 10 years) via Chrome, in incognito mode no less. Not saying that any other browser would have stopped it, least of all IE; it was a Java -- not javascript -- vulnerability... http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]. This vulnerability allowed an applet to escape both Chrome's and Java's sandboxing.
  ... and the fact that this happened while you were using Chrome's "incognito mode" is a good indication of the types of sites that you were visiting when this happened.
  Look - wearing a bullet-proof vest does offer a degree of protection greater than normal clothing, but that doesn't mean that you should be walking around the red-light district of Oakland, CA after dark. You can still get knifed, kidnapped, or shot in the head. It also won't protect you from the impact of hitting the ground after jumping out of an airplane without a parachute.
  No tool is invulnerable, and no tool will protect you from risky behavior.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
Re:kettle/black Re:AdBock for chrome / IE by Anonymous Coward · 2009-09-24 02:26 · Score: 2, Informative

You should check out Privoxy as an AdBlock replacement, it runs as a daemon / service, so it'll work with _any_ browser you use.
Mistaken market. by neo · 2009-09-24 03:56 · Score: 3, Insightful
Google is not in the business of providing searches. Google is in the business of selling ads. It just happens that having the best search gives you more eyeballs on your ads. They leverage that advantage to gain share in other markets. It does sound like another company I've heard about.
But you're on target here, this is obviously not comfortable for Microsoft. Five years ago they wouldn't have even bothered to issue a response. This is the kind of press release that is pure fear.
Someone has made a plug-in for your browser that makes it 8X faster.
- It shows incompetence of your developers that someone else had apparently patched your buggy/slow software.
- Eventually people learn that it's actually another browser. Most people don't even know what a browser is.
- Why use something in emulation when you can run the real thing? People will switch.
It's something I said a long long long time ago. What can kill Microsoft? Something free.