Zero Day

Ryan Naraine and Dancho Danchev

Microsoft says Google Chrome Frame doubles IE attack surface

September 24, 2009, 7:00am PDT

Google’s decision to introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer isn’t sitting well with the folks at Redmond.

The Google Chrome Frame, which is presented as a seamless way to bring Google Chrome’s open web technologies and speedy JavaScript engine to Internet Explorer, has increased the attack surface for IE users, Microsoft said today.

Here’s Microsoft’s official reaction:

“With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers. Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take. For a deeper look at how the browsers stack up in security, take a look at the latest phishing and malware data from NSS Labs.”

This video from Google explains the decision to release the Chrome Frame:

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 52 Talkback(s)

  • Actually, it means that some of the browsing will be much safer by using
    Chrome. Notice that Microsoft's ONLY arguments here
    are bogus security arguments. They do not even try
    to deny that Chrome is much faster and better.
    DonnieBoy
    24th Sep 2009
  • faster but less secure
    follow the link provided in the original article and have a look at the Phishing results... Chrome fared massively worse than ANY of the other browsers... so stop with the FUD
    kaninelupus
    25th Sep 2009
  • Actually...
    That particular article only covered Phishing -
    I'm much more worried about being hacked and
    having drive-by-downloads on my system, for which
    Chrome is much better and remains my browser of
    choice
    philip.lane@...
    25th Sep 2009
  • I use Chrome Too - but...
    If you think Chrome is more secure then you should run it alone.

    Chrome was NOT written to fill in security holes on IE.

    All vulnerabilities in Chrome are present and all vulnerabilities in IE are still present. Vulnerabilities are blocked in only a few accidental cases. And due to the accidental nature of the blocking...that blocking can usually be hacked around.

    In general computer science and math say that two pieces of software working together in this manner combine their vulnerabilities. Double vulnerabilities is likely an exaggeration since there are likely several cases where Chrome and IE have the same vulnerability.

    However I suggest you at least read the Chrome security and bug reports as a few months ago several professional groups rated Chrome as less secure than IE even if fixing faster. And Google more or less admitted that but said that Chrome was growing and changing so fast that the window of opportunity was small...with a near future maturity that would shrink that number of vulnerabilities.
    wellduh
    29th Sep 2009
  • Huh?
    If the page is being loaded using Chrome's
    renderer rather than IE, why would IE's
    vulnerabilities still apply? Unless they are
    vulnerabilities in the GUI.
    AzuMao
    30th Sep 2009
  • You have to remember that it's still IE
    Of course it's insecure.
    T1Oracle
    26th Sep 2009
  • Phishing is FUD, you stop.
    Security means your computer won't be taken over
    by viewing a webpage. In this regard, Chrome is
    vastly superior to IE.
    AzuMao
    28th Sep 2009
  • Chrome is changing
    IE is so vulnerable because it has such a vast kitchen-sink assembly of features and a tidal wave of available easy add-ons.

    When Chrome was a very basic browser without lots of extensions and add-ons, it was theoretically more secure.

    However, Google wants Chrome to match all those IE features. Due to the large number of features being added in a very short period of time...

    Chrome ain't that secure. It merely hasn't been long enough for malware writers to write exploits.
    wellduh
    29th Sep 2009
  • That's weird.
    I could have sworn it ran on the WebKit engine,
    which is a rather tried and true renderer.

    And what makes you assume that when they implement
    addons they will do it as insecurely as MS have?
    AzuMao
    30th Sep 2009
  • Webkit
    Correct, it runs on WebKit, the same as Safari, WebKit, and Adobe AIR, as
    well as the browser built into the iPhone and iPod Touch. It comes from
    KDE, so in theory it shares a common base with the KHTML browser, too.
    It should be pretty rock solid by this point and has a lot of the open
    source community pounding on it, just like FireFox. IE was based on
    SpyGlass and although MS has worked it through many revisions, IE lacks
    the purview of many parties that would improve security and failsafe
    mechanisms inherent to Safari, Chrome, KHTML and FireFox.
    geotopia@...
    19th Oct 2009
  • Microsoft has no friends
    Thought it was quite funny that they "don't recommend this for their
    friends and families." Wow, powerful statement. When my friends and
    family ask for a computer recommendation or computer help, I
    certainly don't recommend Windows, Office, or Explorer. And I love
    the phrasing of "doubling the area of the attack surface". At least
    they're honest in the sublime admission that IE is a horrendously
    insecure browser platform, though doubling its "surface" is like saying
    it's hard to miss the side of a barn, versus the side of a "very big"
    barn. Wow, have they ever gotten weak under Ballmer. If they didn't
    make such crappy products since their inception in the 1970s, I'd
    almost feel nostalgic about the days when Bill Gates was at the helm.
    At least he was a formidable business man, but monkey-boy Steve
    Ballmer is just a wannabe.
    geotopia@...
    19th Oct 2009
  • RE: Microsoft says Google Chrome Frame doubles IE attack surface
    If Google Chrome Frame adds to IE vulnerabilities, it is
    not Google's fault for making the plug-in. It is Microsoft's fault for letting such a plug-in.

    It sounds like Microsoft is blaming Google for adding more
    options for criminals to exploit. Maybe Microsoft
    needs to take Google's minimalist approach.

    Knowing Microsoft's history with vulnerable software,
    I would rather trust Microsoft.
    battyr
    24th Sep 2009
  • typical unfounded allegations
    Google makes IE more secure not less.
    Linux Geek
    24th Sep 2009
  • nessrapp
    24th Sep 2009
  • Don't be silly ...
    ... he is clearly incapable of thinking.
    de-void-21165590650301806002836337787023
    24th Sep 2009
