ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Microsoft says Google Chrome Frame doubles IE attack surface

By | September 24, 2009, 7:00am PDT

Summary: Google’s decision to introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer isn’t sitting well with the folks at Redmond.

Google’s decision to introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer isn’t sitting well with the folks at Redmond.

The Google Chrome Frame, which is presented as a  seamless way to bring Google Chrome’s open web technologies and speedy JavaScript engine to Internet Explorer, has increased the attack surface for IE users, Microsoft said today.

Here’s Microsoft’s official reaction:

“With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers. Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take. For a deeper look at how the browsers stack up in security, take a look at the latest phishing and malware data from NSS Labs.”

This video from Google explains the decision to release the Chrome Frame:

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Google Inc., Microsoft Internet Explorer, Microsoft Corp., Google Chrome, Attack, Web Browsers, Cyberthreats, Spyware, Adware & Malware, Security, Viruses And Worms, Internet, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
52
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Microsoft says Google Chrome Frame doubles IE attack surface
birumut Updated - 2nd May 2011
Great!! ! thanks for sharing this information to us!
seslisohbet seslichat
View in thread
0 Votes
+ -
Actually, it means that some of the browsing will be much safer by using
DonnieBoy 24th Sep 2009
Chrome. Notice that Microsoft's ONLY arguments here
are bogus security arguments. They do not even try
to deny that Chrome is much faster and better.
0 Votes
+ -
faster but less secure
kaninelupus 25th Sep 2009
follow the link provided in the original article and have a look at the Phishing results... Chrome fared massively worse than ANY of the other browsers... so stop with the FUD
0 Votes
+ -
Actually...
philip.lane@... 25th Sep 2009
That particular article only covered Phishing -
I'm much more worried about being hacked and
having drive-by-downloads on my system, for which
Chrome is much better and remains my browser of
choice
0 Votes
+ -
I use Chrome Too - but...
wellduh 29th Sep 2009
If you think Chrome is more secure then you should run it alone.

Chrome was NOT written to fill in security holes on IE.

All vunerabilites in Chrome are present and all vulnerabilities in IE are still present. Vulnerabilities are blocked in only a few accidental cases. And due to the accidental nature of the blocking...that blocking can usually be hacked around.



In general computer science and math say that two pieces of software working together in this manner combine their vulnerabilties. Double vulnerablities is likely an exaggeration since there are likely several cases where Chrome and IE have the same vulnerability.


However I suggest you at least read the Chrome security and bug reports as a few months ago several professional groups rated Chrome as less secure than IE even if fixing faster. And Google more or less admitted that but said that Chrome was growing and changing so fast that the window of opportunity was small...with a near future maturity that would shrink that number of vulnerability.
0 Votes
+ -
Huh?
AzuMao 30th Sep 2009
If the page is being loaded using Chrome's
renderer rather than IE, why would IE's
vulnerabilities still apply? Unless they are
vulnerabilities in the GUI.
0 Votes
+ -
You have remember that it's still IE
T1Oracle 26th Sep 2009
Of course it's insecure.
0 Votes
+ -
Phishing is FUD, you stop.
AzuMao 28th Sep 2009
Security means your computer won't be taken over
by viewing a webpage. In this regard, Chrome is
vastly superior to IE.
0 Votes
+ -
Chrome is changing
wellduh Updated - 29th Sep 2009
IE is so vulnerable because it has such a vast kitchen-sink assembly of features and a tidal wave of available easy add-ons.

When Chrome was a very basic browser without lots of extensions and add-ons, it was theoretically more secure.

However, Google wants Chrome to match all those IE features. Due to the large number of features being added in a very short period of time...

Chrome ain't that secure. It merely hasn't been long enough for malware writers to write exploits.

0 Votes
+ -
That's weird.
AzuMao 30th Sep 2009
I could have sworn it ran on the WebKit engine,
which is a rather tried and true renderer.

And what makes you assume that when they implement
addons they will do it as insecurely as MS have?
0 Votes
+ -
Webkit
geotopia@... 19th Oct 2009
Correct, it runs on WebKit, the same as Safari, WebKit, and Adobe AIR, as
well as the browser built into the iPhone and iPod Touch. It's comes from
KDE, so in theory it shares a common base with the KHTML browser, too.
It should be pretty rock solid by this point and has a lot of the open
source community pounding on it, just like FireFox. IE was based on
SpyGlass and although MS has worked it through many revisions, IE lacks
the purview of many parties that would improve security and failsafe
mechanisms inherent to Safari, Chrome, KHTML and FireFox.
0 Votes
+ -
Microsoft has no friends
geotopia@... 19th Oct 2009
Thought it was quite funny that they "don't recommend this for their
friends and families." Wow, powerful statement. When my friends and
family ask for a computer recommendation or computer help, I
certainly don't recommend Windows, Office, or Explorer. And I love
the phrasing of "doubling the area of the attack surface". At least
they're honest in the sublime admission that IE is a horrendously
insecure browser platform, though doubling it's "surface" is like saying
it's hard to miss the side of a barn, versus the side of a "very big"
barn. Wow, have they ever gotten weak under Balmer. If they didn't
make such crappy products since their inception in the 1970s, I'd
almost feel nostalgic about the days when Bill Gates was at the helm.
At least he was a formidable business man, but monkey-boy Steve
Balmer is just a wannabe.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
battyr 24th Sep 2009
If Google Chrome Frame adds to IE vulnerabilities, it is
not Google's fault for making the plug-in. It is Microsoft's fault for letting such a plug-in.

It sound like Microsoft in blaming Google for adding more
options to for Criminals to exploit. Maybe Microsoft
needs to take Google's minimalist approach.

Knowing the Microsoft's history with vulnerable software,
I would rather trust Microsoft.
0 Votes
+ -
typical unfounded alegations
Linux Geek 24th Sep 2009
Google makes IE more secure not less.
0 Votes
+ -
perhaps if you read this you would rethink your statement
nessrapp 24th Sep 2009
http://nsslabs.com/browser-security-malware-3Q2009
0 Votes
+ -
Don't be silly ...
de-void-21165590650301806002836337787023 24th Sep 2009
... he is clearly incapable of thinking.
0 Votes
+ -
If you read this
sirpaul1 24th Sep 2009
Know that this study was paid for by Microsoft. And it's kind of strange that when all the other browsers were out Windows was using IE7. Apples and oranges. Proves nothing!
0 Votes
+ -
I'm not interested in reports paid for my M$
blueskip 25th Sep 2009
The nsslabs report is so bogus it's just sad and pathetic. No one in their right mind would believe that garbage. It's utter nonsense and lies at best.

0 Votes
+ -
Just another MS basher
chiefpace 26th Sep 2009
He is just another anti MS zealot. Google is not doing this to make IE
safer they are doing it for the ad revenue. If they make IE less safe it is
just another attack venue in the browser wars. Why do you think there is
no Chrome for the Mac.
0 Votes
+ -
Dont know how to search?
insanish1 26th Sep 2009
the linux and mac versions of chrome are being developed...there is an unstable beta which exists for linux users (i work on linux extensively)...so it doesnt matter if google does this for ad revenue or anything...the key thing is they want to have more control over the web space happy which MS is slowly (with bing) trying to encroach on!
0 Votes
+ -
Google is doing this to make better web apps
K B 26th Sep 2009
The reason Google is coming out with the Chrome plugin is so they can develop better web applications. Google is all about making web apps more important and the os less important. They don't want to be reliant on Microsoft implementations of javascript and html 5 standards. They'll also be able to make their apps work with IE6 which is getting harder to support.

Microsoft should be concerned.
0 Votes
+ -
But there IS Chrome for Mac...
thebeans 26th Sep 2009
There is Chrome for Mac. I installed it on my imac a couple of weeks
ago. It is a beta and is supposedly not completely stable yet, but I have
only had it lock up one time and the page rendering is fine so far. I still
use Safari mostly but like Chrome so much on Windows that I will
completely switch to Chrome when the final version is out.
0 Votes
+ -
Perhaps you should read the page you're linking to, genius.
AzuMao 28th Sep 2009
"Social engineered" meaning no vulnerability in
the browser. Just the typical fake porn site that
asks you to install some "player" which *gasp* is
actually adware. Solution: don't install random
programs from porn sites. Or any other site that
isn't trustworthy.
0 Votes
+ -
... what?
Ceridan 24th Sep 2009
sorry but that makes no sence...

You cannot make a browser more secure if you add an internet active plug-in in said browser.
0 Votes
+ -
Allegations Spelled With 2 L's
mlbslugger 24th Sep 2009
I love Google, think it's a good idea, but technically, MS is correct. Any add on regardless of how safe or weak it is, adds a new avenue for malware and attacks.
0 Votes
+ -
Typical ridiculous statements
ElTel Updated - 25th Sep 2009
Google makes IE more secure not less.
Linux Geek: Please back this statement up and prove to us, technically, how your comment holds any water.

0 Votes
+ -
Are you suggesting ...
de-void-21165590650301806002836337787023 24th Sep 2009
... that Microsoft should remove all extensibility from its browser and actively prevent 3rd parties from plugging into IE's infrastructure?

Do you work for the EU and are you looking for a bigger bonus next year?
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
blueskip 25th Sep 2009
"Knowing the Microsoft's history with vulnerable software,
I would rather trust Microsoft."

How now brown cow??? That statement makes as much sense as saying, "I think it's good to use buggy software with problems."
0 Votes
+ -
Purpose
p.vinnie@... 24th Sep 2009
I think Google crome Frame is meant for providing HTML5 functionality in IE. But those who want to use HTML5 functionality will go for Firefox or Google Chrome anyways. And those who are stuck with IE there is no way for them to install Google Chrome Frame anyways.

For example in many organisation they still using IE6 or IE7 due to backward compatibility with their business applications. Poor employees do not have admin rights to install any other browser.
0 Votes
+ -
Actually, it might be a good way to support sites that do not work without
DonnieBoy 24th Sep 2009
a modern browser, for companies that want to stay
with IE6 for compatibility with old internal
applications. If Google gave them fine grained
control over when a Chrome frame was allowed, it
might be a big hit as a transition tool.
0 Votes
+ -
Coming around Donnie
LiquidLearner 24th Sep 2009
You pretty much hit the nail on the head as to why IT departments haven't deployed another browser. Very few people I know who work in a corporate IT department even like IE. However policies allow them to have tight control over it, making it the ideal choice for network deployment. Most I know would jump to Firefox in a heartbeat, especially those who have apps that work in FF, if you could manage it via GPO. You wouldn't think it would be that hard for Mozilla to release an .adm that gives you that control. I know I'd deploy it. I'd leave IE in place for times users needed it but it would be nice to give users another option without giving up control.
0 Votes
+ -
admin - that's a conversation I had today !
dgrainge 25th Sep 2009
If you do policies by GPO then this works best, obviously, with MS products and on an MS platform.

If you have Macs and Linux and PCs and some are domain members and others not, then GPO makes little sense and 3rd party tools much more.

IMO the browser that works best across all platforms is 3.5.whatever. I note the reports used Firefox 3, claiming that in July 3.5 was unstable. Really?

The reports, sponsored by Microsoft, address two classes of attacks both of which involve people being idiots by clicking links they shouldn't.

The most dangerous are ones that directly attack the machine without intervention. Now, let's see some fact about that.

If you know where Firefox stores its settings (files and registry) it's quite possible to roll out configuration settings - it simply isn't by GPO.
0 Votes
+ -
You said a mouthful brother...
blueskip 25th Sep 2009
"The reports, sponsored by Microsoft, address two classes of attacks both of which involve people being idiots by clicking links they shouldn't."

Exactly.
0 Votes
+ -
Sigh!
de-void-21165590650301806002836337787023 Updated - 24th Sep 2009
No, Google doesn't "ADD" HTML5 functionality to IE - it replaces IE's rendering pane with Google's. All you'll see is Google's rendering in which case you may as well have just installed Chrome in the first place.

"Poor employees do not have admin rights to install any other browser."

THANK GOODNESS!

The whole point of preventing your employee's from installing anything they like on their work machine is to prevent them installing software which impacts your well tested business apps and reduces your employees productivity.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
cosuna 24th Sep 2009
Double standards... my friends... double standards...

Flash has been a long time companion of IE using the security handicapped ActiveX framework, and we have heard no such nonesense from Microsoft since it's inclusion.

Now that Chrome is a both a threat as browser and as OS, Microsoft uses the FUD strategy. And again, they use a dubious front company as NSSlabs.

For those of you who read the report, it is easy to detect the artificial construction of it's nature to benefit IE8. First it does not evaluate browser security in general, just "SOCIALLY ENGINEERED MALWARE" that is links that appear to be coming from entities they are not.

But it does not measure the actual "attach rate" of those threats. That is: most threats are ActiveX-based exploits for Windows x86. Chrome needs not worry about them since it's plugin structure is based on WebKit. Also, Chrome runs each tab in a sandbox with almost null access to system resources. Even in the unlikely case of buffer overflows, the plug in architecture should be the one preventing this.

Alas, the IE8 people don't recommend this risk for friends and family, but since when are we friends or family of Microsoft. LOL!
0 Votes
+ -
He's right... but flash.. is also bad.
Ceridan 24th Sep 2009
Well true about the double standard...


However, Flash is a security vulnerability, as is Javascript, and annything that runs non-html code in the browser(because HTML is not really executed, it's just parsed)
0 Votes
+ -
You do know...
LiquidLearner 24th Sep 2009
that IE8 isolates tabs to their own process and runs them least privileged, giving them no access to the OS. You have to grant permission for it to elevate to do anything. Other arguments aside, from a security standpoint both IE8 and Chrome have excellent hardening. You are right about the nature of the study though but given the level playing field of browser hardening between Chrome and IE, the fact that IE does a better job of protecting you from socially engineered attacks does make it "more secure".

Now on XP you have a point. But assuming you're not using a 9 year old OS then the playing field is even.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
SystemVoid 24th Sep 2009
With IE's history of malware attacks, security holes and
phishing threats, Microsoft has no room to talk. If
anything, they should be glad that somebody has stepped
up and produced something for IE that Microsoft hasn't
been able to do for over a decade.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
IE9 25th Sep 2009
The plugin kills the XSS filter, the Phising filter and the the smartscreen filter protecting IE8 users.
0 Votes
+ -
Protecting...Oh that's what they call it!
blueskip 25th Sep 2009
Don't be fooled. There is no protection using IE.
0 Votes
+ -
Google says IE doubles Chrome Frame attack surface
jasonp@... 25th Sep 2009
NT
0 Votes
+ -
RE:Google says IE doubles Chrome Frame attack surface
blueskip 25th Sep 2009
ROFL!
0 Votes
+ -
Sleep At Nights Under Redmond's Watch
preacherx 25th Sep 2009
With Redmond's sworn court and media statements over the past decades; every computer user should be able to sleep soundly at night IF they are running 100% Microsoft products. Oh my, running exclusively Windows Vista (latest production release), MS Office, Internet Explorer, you name it - as long as it's from said Microsoft; you can compute, surf, play completely with peace of mind knowing Redmond has your back! God bless Microsoft!
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
rrr@... 25th Sep 2009
More FUD, specifically about XP. Liquid Learner deprecates the idea of using XP, as in who would want to use a 9 year old OS? What does it say about MS, the only thing they were able to come out with between XP and 7 was Vista? Which will be 8 yrs next month btw, not 9 yet.
0 Votes
+ -
Literally true, but also marketing...
MichaelArgast 25th Sep 2009
So, what Microsoft is saying - that adding the Chrome plug-in increases the attack surface, is literally true.

But there is also a bit of marketing here - every plug-in you use, Flash, Java, QuickTime, etc - increases the attack surface. Flash in particular has had a very challenging history in terms of vulnerabilities.

Any piece of code you add to your machine impacts the attack surface, what is more important to understand is - how easy is it to manage that risk (keep up to date, patch, lock down, etc), especially in corporate environments, and how big is the risk (how often are the vulnerabilities which exist exploited by criminals and malware authors). And finally, are these risks worth the increase in functionality that code provides.

Users and admins everywhere could benefit from a little slice of risk/benefit analysis when it comes to putting new code on their systems.

Michael Argast, Security Analyst, Sophos
0 Votes
+ -
So... how do we turn off the IE rendering bits and half the attack surface
ComputerGeneralist 25th Sep 2009
Oh wait. That would just be to install Chrome and disable IE. Why would MS have a problem with that?
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
Matt Gabriel 26th Sep 2009
Google Chrome is best Browser...You Can try it
So Google Chrome is best to Browse Radio streaming
You Can Try iy
http://www.austria-radio.co.tv/
http://www.austria-radio.co.tv/
http://www.austria-radio.co.tv/
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
leonbakhan 27th Sep 2009
IE was never safe and IE 8 is so slow. I donot know who says it is the fastest. No match for the Mozilla.
0 Votes
+ -
How did "attach area" becom "attack surface"?
Fred Fredrickson 27th Sep 2009
Don't tell me, it reads better as a headline.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
Mr Piston 28th Sep 2009
That is new War between Google and Microsoft...
So you look who is the Winner....

http://www.france-radio.co.tv/
http://www.france-radio.co.tv/
http://www.france-radio.co.tv/
0 Votes
+ -
MS cannot write secure software
wellduh Updated - 29th Sep 2009
MS needs to get a clue.

Instead of writing vulnerable OS and software to be expansion/add-on W-H-O-R-E-S...

they need to learn from Linux/Open Source which is hostile to new application/add-on. That is new software must prove itself and comply with all security standards or it will not be allowed to run or associate.

It is better to forbid or be difficult than to be wide open to poorly written vulnerable software.
0 Votes
+ -
RE: Microsoft says Google Chrome Frame doubles IE attack surface
birumut Updated - 2nd May 2011
Great!! ! thanks for sharing this information to us!
seslisohbet seslichat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix