Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Finds Security Flaw In Google Chrome Frame

Posted by timothy on from the they're-the-experts dept.

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

28 of 214 comments (clear)

  1. Expected by Stratoukos · · Score: 1, Insightful

    I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

    --
    It may be 7 digits, but at least it's a semiprime
    1. Re:Expected by Jojoba86 · · Score: 2, Insightful

      Great thing is even if they'd done the alternative and decided not to look for security flaws they can still get a bashing from the pro-Google crowd! Either way Microsoft loses!

    2. Re:Expected by MrMista_B · · Score: 3, Insightful

      And Google doesn't have to pay them a cent. :)

    3. Re:Expected by Ed+Avis · · Score: 3, Insightful

      I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

      Heh. If so, it's a good reason to use Google Chrome Frame. A program that has an active bug-finding team is more trustworthy than one where bugs and security holes are hushed up.

      However, I don't think Microsoft would set out to help their competitor in this way.

      --
      -- Ed Avis ed@membled.com
    4. Re:Expected by calmofthestorm · · Score: 5, Insightful

      Hardly, they helped another company secure its product. Everybody wins!

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    5. Re:Expected by Anonymous Coward · · Score: 1, Insightful

      A security hole was found, and was patched. Who cares what Microsoft's motives were? This is competition, and it's working!

    6. Re:Expected by sa666_666 · · Score: 3, Insightful

      Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate. You can bet that this whole situation is an embarrassment to Microsoft; it took another company to patch their software to work correctly, when they should have been able to do it themselves. Some egos were bruised in the process, and you can be damn well sure that there's a team willing to do everything they can to discredit Googles achievement.

      So while I commend Microsoft on doing some testing on Google Frame, I don't commend them on the reason for Google having to write the code in the first place. Not to mention that their motives are suspect as well. If they can find a bug so quickly, what's their excuse for having their other products so buggy?

    7. Re:Expected by spyrochaete · · Score: 3, Insightful

      Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate.

      Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.

      I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, but with warnings not to use the software in production. HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.

    8. Re:Expected by Arancaytar · · Score: 4, Insightful

      Good thing too. If competitors spent more time actively looking for bugs in each others' software instead of paying their marketroids to spread FUD, everyone would be better off.

    9. Re:Expected by Gadget_Guy · · Score: 5, Insightful

      I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

      In that case, why didn't Microsoft loudly announce it to the world and shame Google?

      Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.

      And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.

    10. Re:Expected by SkunkPussy · · Score: 2, Insightful

      I guess part of it is css support

      --
      SURELY NOT!!!!!
    11. Re:Expected by fuzzyfuzzyfungus · · Score: 4, Insightful

      Consider the landscape of alternatives, though.

      Web designers have, for years, been depending on functionality that isn't even on any kind of standards track, much less maturely standardized. We call it Flash(and to a lesser extent other "rich content" plugins; but mostly Flash). Web designers have, frequently, depended on it for all kinds of things, it is often considered a must-have for web browsers, and is every bit as ghastly, if not considerably more so, in implementation.

      By comparison, HTML5 is positively civilized. Chrome Frame is basically just an "HTML 5 Player" plugin, whose necessity will hopefully evaporate over time. It is, certainly, a kludge; but there are presently no alternatives to that. You can either give up broad swaths of web application features entirely, and deal with the oh-so-standard world of native application development; or base your webapp features on one or more plugins(flash, java, silverlight, etc.), or you can use HTML5 stuff.

    12. Re:Expected by natehoy · · Score: 4, Insightful

      You had me right up until "just to discredit them".

      Microsoft clearly was concerned that Frame would add to the possible attack vectors into IE. They've certainly said as much. And that is a valid concern, frankly. Due to that concern, they had their research team test for security vulnerabilities in Frame, obviously with particular focus on ones that could compromise a Windows system.

      And, whaddya know, they found one.

      Now, if they were trying to discredit Google, the first place they'd go is (MS)NBC and put out headlines "Google Chrome Frame Has a security breach! Look at those losers!"

      Instead, we see an announcement from Google that they have a patch for the defect, and acknowledging Microsoft as having found the bug and reported it to them.

      Sounds to me like Microsoft was acting out of enlightened self-interest, and is demonstrating good team-playing skills by telling Google about it in enough detail for Google to come out with a fast fix.

      Kudos to Microsoft for extending their security research beyond their own software and to external sources they might consider a threat. Further kudos to Microsoft for reporting the issue to Google with enough detail to make a fix possible, without exposing it to the black hats so this never became a zero-day attack.

      Kudos to Google for getting a fix out there quickly. Further kudos to Google for having the respect to acknowledge Microsoft's contribution.

      I'd say this is a perfect example of vendors being good players in the security arena, and respectful competitors.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    13. Re:Expected by spyrochaete · · Score: 2, Insightful

      I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?

      Google is shoehorning their own browser into their competitor's browser. This is the equivalent of Burger King selling their hamburgers inside a McDonalds restaurant. It's a very drastic move that goes too far in my opinion.

      Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards. If our browsers wait for the final standards, that will slow the development process down. Now before you come flaming back at me, I'm not saying everything should be released bleeding edge, but there has to be some place in the middle that could be effective. You have to admit, IE hasn't had a stellar record of being a progressive, or even current browser.

      You're right that standards should be backed, but they're not standards until they are finalized. A standard means something that will not be changed, but if it's not finalized it could change at any minute. I don't think "being progressive" should be a priority of any web browser - reliability should be #1. I'm not going to make any statements about IE's track record concerning reliability, but I can empathize with Microsoft for their reasons why they made this decision.

  2. Awesome! by L4t3r4lu5 · · Score: 2, Insightful

    Now, can you please fix the sanitiser in the IE8 output encoding?

    So quick to point out mistakes in others software, but so slow to fix your own.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  3. Re:At least they patched it by heffrey · · Score: 4, Insightful

    Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!

  4. Re:At least they patched it by santax · · Score: 4, Insightful

    That is a small price to pay for an updated browser that is secure against attacks that already are in the wild. Remember: the exploit always comes before the fix.

  5. They were right by TheRaven64 · · Score: 3, Insightful

    The Chrome Frame was never a good idea for security. By making it opt-in for sites, like an other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.

    --
    I am TheRaven on Soylent News
  6. DOuble whammy from Google by argent · · Score: 3, Insightful

    Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.

    For example, FTA: "All users should be updated automatically,"

    Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.

    Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.

  7. Re:Dude by blowdart · · Score: 3, Insightful

    Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.

    Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?

  8. Shut up? by blowdart · · Score: 5, Insightful

    Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told google at all perhaps?

  9. Re:At least they patched it by santax · · Score: 4, Insightful

    I know where you going here. But smart criminals don't publish proof of concepts. They just exploit and hope no-one will find the same exploit so it won't be fixed. Therefor I still stand behind my golden rule of security: the exploit comes before the patch. Although I suppose I can alter it a bit. The hole is there before the fix.

  10. Re:At least they patched it by Anonymous Coward · · Score: 1, Insightful

    Then your distro is fucking retarded. The update mechanism in firefox can be and, on my distro is, disabled. File a bug report with your distro.

  11. theres a proverb by rossdee · · Score: 1, Insightful

    about removing the log from your own eye before removing the mote from your neighbours eye.

  12. This story should have been titled... by Dammital · · Score: 4, Insightful

    ... Microsoft security researcher confirms advantages of open source transparency

    1. Re:This story should have been titled... by nametaken · · Score: 3, Insightful

      Wow, congrats man... changing "MS finds security flaw in Google Chrome Frame" to "Microsoft security researcher confirms advantages of open source transparency" is a spin worthy of Fox News. You might have a future in public relations. :)

  13. Re:Dude by MrData · · Score: 2, Insightful

    What is surprising is that an Operating System vendor (Microsoft) has so poorly designed it product to allow an application (often running in user space) to access proctected resources.
    This violates the very definition of an Operating System, and what worse is that MS has done absolutely nothing to address these issues despite the vast resources at their disposal.

  14. Re:That's a good thing! by Anonymous Coward · · Score: 1, Insightful

    MSVR is dedicated to finding security issues in THIRD PARTY systems that are in common use today in a bid to improve the overall effective security of the windows platform.

    The reason should be pretty obvious.. Whatever the source of the expliot its ALWAYS Microsofts fault even if the expliot leverages a defect in third party software not written by MS.

    Whenever windows crashes its ALWAYS Microsofts fault when in reality anyone whos looked at the data knows that crashes come from poor quality of driver software MS did not write and hardware issues such as bad memory, flaky power/PSUs and poor HW design (glitching..etc)

    If you look at the general quality space MS has launched a number of initiatives over the years aimed at improving third party code quality and problem detection. Most visibly the WHQL program and online crash analysis.

    Now is MS going after google chrome because the two companies don't get along? .. thats quite possible. Whatever the motive there is no excuse for any company to be releasing code with security vulnerabilities.