Slashdot Mirror


MS Finds Security Flaw In Google Chrome Frame

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.


  1. Dude by Anonymous Coward · · Score: 5, Funny

    MS Finds Security Flaw In Google Chrome Frame

    Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.

  2. Re:At least they patched it by Tim+C · · Score: 5, Informative

    Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.

    I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

  3. Re:Expected by Ginger+Unicorn · · Score: 5, Informative

    At first I thought the "google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons

  4. Re:Expected by calmofthestorm · · Score: 5, Insightful

    Hardly, they helped another company secure its product. Everybody wins!

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.

  5. Re:At least they patched it by tokul · · Score: 5, Funny

    Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

    Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when Firefox is updated. You kill them every second spent in your X session.

  6. Re:Expected by Gadget_Guy · · Score: 5, Insightful

    I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

    In that case, why didn't Microsoft loudly announce it to the world and shame Google?

    Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.

    And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.

  7. Shut up? by blowdart · · Score: 5, Insightful

    Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because Google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told Google at all perhaps?