Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says Google Chrome Frame Makes IE Less Secure

Posted by CmdrTaco on from the less-secure-than-what-exactly dept.

Mark writes "The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure. 'With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,' a Microsoft spokesperson told Ars. 'Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.'"

24 of 459 comments (clear)

  1. kettle/black by Anonymous Coward · · Score: 5, Funny

    stones/glasshouses

    1. Re:kettle/black by ta+bu+shi+da+yu · · Score: 5, Insightful

      I know. Ho hum. Someone tell Microsoft to wake me up when they get around to actually making a decent browser. How many years has it been? 13 years?

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:kettle/black by Vindicator9000 · · Score: 5, Funny

      But really, no one should throw stones, right? As a kid, I was always taught that it's not nice to throw stones at people. Unless of course, you were trapped in a glass house and needed to get out. If you have a pile of stones next to you, go ahead and throw them. Then you won't be trapped anymore! So really, people in glass houses are the only ones who should throw stones. Right?

    3. Re:kettle/black by Chabil+Ha' · · Score: 5, Insightful

      Perhaps you don't remember, but IE 5 was LIGHTYEARS ahead of Netscape.

      Great, that happened *ten* years ago. What has happened since? They've been chasing the Fox for past *five* years.

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    4. Re:kettle/black by Kagetsuki · · Score: 5, Informative

      IE 5 was great, but MS making IE5 great and taking the market lead seems to have given them the idea that they could implement their own features all on their own and make everyone conform to their standards, which they are still doing now. The thing is the way Internet explorer implemented a lot of features gave a lot of things that just couldn't be easily done or done at all until HTML5 was actually adopted. The problem there is that HTML 5 took forever. Evolution of the web by its own standards committee has been gruelingly slow and the massive amount of garbage that has come out in-between and the amount of junk included in HTML 5 itself is astounding. Even if you could say some new features submitted are great there is just so much overlapping of features it's hard to tell what is the best way to do anything now. Do you write a site with canvas and hope people using IE will install chrome frame? Do you write two versions of the same site, one using "standard" HTML 5/XML Namespaces/SVG/Canvas and one using whatever Microsoft developed 5 years ago to achieve the same thing but in the Microsoft way? Speaking of SVG, the Adobe SVG plugin for IE can't read modern SVG files and the google SVG to flash translator breaks if you use any other new web technology with it (xlink for example). And don't even get me started on how terrible Flash is, it's just depressing. Java web launch? Has anybody even heard of it? How many general PC users even have the Java plug-in properly installed (I'm betting 3 year old can count that high)? The internet sucks and it sucks in two different directions: the "anything goes and we'll do whatever we want Microsoft direction" and the "we'll do everything you want but we'll fight about how to do it for 5 years, then never actually call the standard finalized so we can just arbitrarily change it and if any browser developers complain we'll just tell them they shouldn't have implemented it if it wasn't finalized" W3C/Gecko/Webkit/Opera direction.

      Maybe we should just start over completely. Make a new standard that doesn't rely on the rigid and inflexible concept of tags and use a scripting language and have a standard API. Leave HTML for TEXT formatting, and return it back to a document formatting language, leaving dynamic content to a totally separate system....

  2. Friends? by Jeoh · · Score: 5, Funny

    Friends don't let friends use Internet Explorer anyway.

    1. Re:Friends? by Mikkeles · · Score: 5, Funny

      'This is not a risk we would recommend our friends and families take.'

      They have friends, much less family?

      --
      Great minds think alike; fools seldom differ.
    2. Re:Friends? by pacinpm · · Score: 5, Funny

      I find the lack of mention of children and terrorists disturbing.

  3. Well they would say that wouldn't they by Chrisq · · Score: 5, Informative

    What do you expect; "This is great now our customers can access standards-compliant sites and have a faster, smoother web experience"?

    1. Re:Well they would say that wouldn't they by jgardia · · Score: 5, Funny

      I was expecting "Microsoft Says Google Chrome Frame Makes IE even Less Secure"

    2. Re:Well they would say that wouldn't they by MadKeithV · · Score: 5, Insightful

      "Microsoft pretends IE could possibly be made less secure by changing anything about it."

  4. It's alright by Anonymous Coward · · Score: 5, Funny

    I'm not Microsoft's friend or family.

  5. Of course by PhasmatisApparatus · · Score: 5, Insightful

    Of course it doubles the attack rate of malicious scripts... It makes Javascript run twice as fast.

    In other news, Microsoft has said that Moores Law is a security risk, because viruses can install themselves twice as fast every 18 months.

  6. Thanks by Anonymous Coward · · Score: 5, Insightful

    You just made one of the most important arguments against Silverlight official.

  7. Double Standards by Anonymous Coward · · Score: 5, Insightful

    So... forcing the .NET plug-in on Firefox users was OK, but a voluntary add-on from Google is a security risk? Good to know.

    1. Re:Double Standards by gabebear · · Score: 5, Informative

      They not only add the .Net plugin to Firefox without asking you, they change the useragent string for Firefox... oh and the .Net plugin doesn't have a built-in uninstaller like every other plugin.

      I thought I had a virus the first time I noticed it. http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html

  8. Re:Security issues with Google Chrome? by selven · · Score: 5, Insightful

    Google has a horrible history with security?

  9. Re:Security issues with Google Chrome? by ShadowRangerRIT · · Score: 5, Interesting

    Well, technically, they may be right. It does lead to more attack surface, and many plugins have permissions the browser doesn't allow itself. And Microsoft product security has increased, to the point where I'm fairly confident that the security risks of their Javascript interpreter are comparable with other major browsers. And unless Google *forces* updates to the plugin, security patches will never be applied; few people run Windows Update, but even fewer update non-MS products.

    Of course, those arguments mostly argue for rejecting the *plugin*. *Replacing* IE8 with Chrome (or your browser of choice) means you have only one program's attack surface to worry about again. I'm guessing this is the unspoken part of MS's argument.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  10. Families by Thanshin · · Score: 5, Funny

    This is not a risk we would recommend our friends and families take.

    Especially the children. Think of the children!

    He should have used "mortal danger" instead of simply "risk". Also, change "would recommend" for "let". And add some exclamations, for god's sake, this is serious.

    Thus, the closing sentence should be:
    "This is not a mortal danger we let our children take!"

    However, once you've decided to push factless crap with fear mongering, at least do it with style.

    I recommend:
    "If you allow your children to install the google demon, your entire family will suffer an eternity of pain, in HELL!"

  11. Re:Security issues with Google Chrome? by Anonymous Coward · · Score: 5, Informative

    Citation please.

    http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php

    http://news.cnet.com/8301-1009_3-10226578-83.html

  12. Sounds to me that Microsoft... by dgun · · Score: 5, Insightful

    ..is scared.

    So Microsoft, how does it feel? How does it feel to have a big bad company with a near monopoly in one market (Google in search) threaten your stake in a different market (browsers)?

    --
    FAQs are evil.
  13. Re:Security issues with Google Chrome? by Spy+der+Mann · · Score: 5, Funny

    News: Vulnerability in google chrome
    News: Vulnerability in Mozilla Firefox
    News: Some part of Internet explorer is safe!

    See? :)

  14. Actually MS is right. by Deathlizard · · Score: 5, Insightful

    By running this plugin, you would be exposing yourself to not only Possible IE exploits, but possible Chrome Exploits as well. It would be much safer to run the Chrome browser standalone since it reduces the attack surface. It would probably be faster standalone too.

    --
    In Soviet Russia, Trojan exploits YOU!
  15. Re:Security issues with Google Chrome? by vitaflo · · Score: 5, Insightful

    Inciteful as the statement is, it's true... There's no way it can be false. A browser containing IE's engine *and* WebKit has all the security holes from both, and all the security holes gained in pushing one into the other.

    It's also true for any plug in you use in IE. I'm curious if MS would say the same about Flash, Java, etc? Because they all introduce their own security problems in IE in a similar way as Chrome Frame. The fact that MS is singling out Chrome Frame says more about how MS feels about Google than it does about the security of their browser.