Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Finds Security Flaw In Google Chrome Frame

Posted by timothy on from the they're-the-experts dept.

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

18 of 214 comments (clear)

  1. Dude by Anonymous Coward · · Score: 5, Funny

    MS Finds Security Flaw In Google Chrome Frame

    Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.

    1. Re:Dude by Anonymous Coward · · Score: 4, Interesting

      > in much the same way that Google doesn't go looking for software bugs in Microsoft products.

      You need to keep a closer eye on Microsoft bulletins, it actually happens regularly.

      http://www.google.com/search?hl=en&q=site:microsoft.com+Google+intitle:"Microsoft+Security+Bulletin"

  2. At least they patched it by santax · · Score: 4, Interesting

    And not wait another week until it's patch-Tuesday.

    1. Re:At least they patched it by Tim+C · · Score: 5, Informative

      Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.

      I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

      --
      It's official. Most of you are morons.
    2. Re:At least they patched it by heffrey · · Score: 4, Insightful

      Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!

    3. Re:At least they patched it by santax · · Score: 4, Insightful

      That is a small price to pay for an updated browser that is secure against attacks that already are in the wild. Remember: the exploit always comes before the fix.

    4. Re:At least they patched it by tokul · · Score: 5, Funny

      Everytime Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

      Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when firefox is updated. You kill them every second spend in your X session.

    5. Re:At least they patched it by santax · · Score: 4, Insightful

      I know where you going here. But smart criminals don't publish proof of concepts. They just exploit and hope no-one will find the same exploit so it won't be fixed. Therefor I still stand behind my golden rule of security: the exploit comes before the patch. Although I suppose I can alter it a bit. The hole is there before the fix.

  3. Re:Expected by Ginger+Unicorn · · Score: 5, Informative

    At first i thought the "google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  4. Re:Expected by calmofthestorm · · Score: 5, Insightful

    Hardly, they helped another company secure its product. Everybody wins!

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  5. Re:Expected by Arancaytar · · Score: 4, Insightful

    Good thing too. If competitors spent more time actively looking for bugs in each others' software instead of paying their marketroids to spread FUD, everyone would be better off.

  6. Breaking news! by davidbrit2 · · Score: 4, Funny

    We have early word that the security vulnerability goes by the name "Internet Explorer". Details are thin at this time, but we'll have more as the story develops. Janet, back to you in the studio.

  7. Re:Expected by Gadget_Guy · · Score: 5, Insightful

    I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

    In that case, why didn't Microsoft loudly announce it to the world and shame Google?

    Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.

    And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.

  8. Shut up? by blowdart · · Score: 5, Insightful

    Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told google at all perhaps?

    1. Re:Shut up? by blind+biker · · Score: 4, Interesting

      Yeah. For once, this case was conducted in a civilized manner, much to my own surprise. Yes, I admit I am surprised, because I expected a slightly different modus operandi from a company like Microsoft, with a uber-competitive, testosterone-saturated corporate culture. This, for me, more than any other, is a proof that Microsoft is changing.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  9. Re:Expected by fuzzyfuzzyfungus · · Score: 4, Insightful

    Consider the landscape of alternatives, though.

    Web designers have, for years, been depending on functionality that isn't even on any kind of standards track, much less maturely standardized. We call it Flash(and to a lesser extent other "rich content" plugins; but mostly Flash). Web designers have, frequently, depended on it for all kinds of things, it is often considered a must-have for web browsers, and is every bit as ghastly, if not considerably more so, in implementation.

    By comparison, HTML5 is positively civilized. Chrome Frame is basically just an "HTML 5 Player" plugin, whose necessity will hopefully evaporate over time. It is, certainly, a kludge; but there are presently no alternatives to that. You can either give up broad swaths of web application features entirely, and deal with the oh-so-standard world of native application development; or base your webapp features on one or more plugins(flash, java, silverlight, etc.), or you can use HTML5 stuff.

  10. This story should have been titled... by Dammital · · Score: 4, Insightful

    ... Microsoft security researcher confirms advantages of open source transparency

  11. Re:Expected by natehoy · · Score: 4, Insightful

    You had me right up until "just to discredit them".

    Microsoft clearly was concerned that Frame would add to the possible attack vectors into IE. They've certainly said as much. And that is a valid concern, frankly. Due to that concern, they had their research team test for security vulnerabilities in Frame, obviously with particular focus on ones that could compromise a Windows system.

    And, whaddya know, they found one.

    Now, if they were trying to discredit Google, the first place they'd go is (MS)NBC and put out headlines "Google Chrome Frame Has a security breach! Look at those losers!"

    Instead, we see an announcement from Google that they have a patch for the defect, and acknowledging Microsoft as having found the bug and reported it to them.

    Sounds to me like Microsoft was acting out of enlightened self-interest, and is demonstrating good team-playing skills by telling Google about it in enough detail for Google to come out with a fast fix.

    Kudos to Microsoft for extending their security research beyond their own software and to external sources they might consider a threat. Further kudos to Microsoft for reporting the issue to Google with enough detail to make a fix possible, without exposing it to the black hats so this never became a zero-day attack.

    Kudos to Google for getting a fix out there quickly. Further kudos to Google for having the respect to acknowledge Microsoft's contribution.

    I'd say this is a perfect example of vendors being good players in the security arena, and respectful competitors.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."