Slashdot Mirror


MS Finds Security Flaw In Google Chrome Frame

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

9 of 214 comments

  1. Re:At least they patched it by Tim C · · Score: 5, Informative

    Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.

    I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

  2. Re:Expected by Ginger Unicorn · · Score: 5, Informative

    At first I thought the "google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons

  3. Re:At least they patched it by Nerdfest · · Score: 3, Informative

    The exploit usually comes before the fix, but not always. Firefox frequently deploys fixes for security holes they've found themselves where not even a 'proof of concept' exists. Many other applications are the same.

  4. Re:At least they patched it by Anonymous Coward · · Score: 2, Informative

    I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.

    I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.

  5. Re:At least they patched it by Gadget_Guy · · Score: 2, Informative

    And not wait another week until it's patch-Tuesday.

    How do you know exactly when the bug was first reported to Google? For all you know, they may have sat on the problem for a month.

    It seems that they did batch the updates together, because this update to version 4.0.245.1 fixes 9 different issues.

  6. Re:At least they patched it by Anonymous Coward · · Score: 3, Informative

    Microsoft will release a patch "out of band" (not on patch Tuesday) when it is an emergency critical type issue. The others, they release on the same day so that corporations get the benefit of a single set of patches to look for and home users get all the patches with one reboot instead of a dribble of patches over the month, some of which require a reboot and some of which don't.

  7. Delayed full disclosure by tepples · · Score: 3, Informative

    Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.

    The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.

  8. Really? by celt63 · · Score: 2, Informative

    Perhaps MS should be more concerned about their own protocols.

    "Most secure OS ever;
    Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction)
    How funny."

    http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

  9. Mod Parent Up, Grandparent Down by Crazy Taco · · Score: 2, Informative

    Clearly this person has no clue as to what ASP is.

    Absolutely true. As a web-developer, let me clue you (the grandparent) in... ASP is a server side programming language used to create HTML based web pages on the fly. It is exactly the same kind of technology as PHP... it's on the server, and the client has no knowledge of it. All it gets is HTML, and it doesn't care whether it was static or created by PHP or ASP on the fly.

    And just to add to the chorus, I have viewed many a webpage that was generated by ASP using Firefox.

    --
    Beware of bugs in the above code; I have only proved it correct, not tried it.