

Microsoft: Google Chrome Frame makes IE less secure - fjabre
http://arstechnica.com/microsoft/news/2009/09/microsoft-google-chrome-frame-makes-ie-less-secure.ars

======
acg
Seems like Microsoft FUD policies at work. This is not the result of any kind
of study, just a measure to maintain market share.

Increasing avenues of attack?

I've heard that Chrome currently has the most impressive security
credentials, working hard at security does not equal effective security
[http://arstechnica.com/security/news/2009/03/chrome-is-the-o...](http://arstechnica.com/security/news/2009/03/chrome-is-the-only-browser-left-standing-in-pwn2own-contest.ars)

------
TallGuyShort
This is funny... When Microsoft is making the claim, they say they do more to
secure their users than the alternatives. However, at least on 3 occasions
I've been speaking to a MS employee or MS fan and mentioned that there are
significantly fewer security problems with alternative OS's and browsers, and
their response is "well no-one uses -insert product here- so nobody wastes
their time trying to hack it".

------
frognibble
I wonder who funded the study that shows that Chrome is less secure than IE. I
hunted around, but could not find any indication about who paid for it.

~~~
oneplusone
That would be Microsoft.

"The spokesperson also referred us to the latest phishing and malware data
from NSS Labs, the same security company that found IE8 was the most secure
browser in August 2009 via two Microsoft-sponsored reports."

------
chaostheory
nice to see the MS marketing dept at work

------
shimi
They got a point. IE has its own vulnerabilities and Chrome has some too, maybe
less maybe more. Also we can factor the plugin since it can have its own
security risks. So statistically IE using the Chrome Frame is more exposed than
IE alone.

It sounds like MS are clutching but they still raise a valid point.

BTW I can't remember hearing that Mozilla are complaining about IE Tab.

------
gahgneh
Lol, it’s common knowledge that NSS labs testing is funded by microsoft...
sadly, that’s the only way Microsoft can get ‘away’ in rankings of anything
[http://www.thetechherald.com/article.php/200912/3268/Can-you...](http://www.thetechherald.com/article.php/200912/3268/Can-you-trust-the-NSS-Labs-report-touting-the-benefits-of-IE8)

------
dtargh
Personally, it was great to see Microsoft spitting in the face of the company
that is practically trying to save their product. However, this was by far one
of the greatest PR moves for Chrome bar none. Let's see what kind of commercial
Microsoft is going to use to attack Google for helping.

------
petercooper
It's merely like replacing the engine in the Titanic from where I'm sitting.

------
iterationx
I wonder if it really doubles the attack surface area.

~~~
aarongough
I was wondering that too when I read the article.

If Chrome Frame works the way I understand it does, with Chrome basically
sitting in the rendering area of IE, taking UI commands from it and
interpreting all the incoming markup/code itself then I would have to guess
that the answer is no.

The only public facing interface should be Chrome's, but I'd have to do a
bunch more research to confirm that for sure...

~~~
tomjen2
If the attacker wasn't stupid, it would double it.

If he has an exploit for chrome, he is going to add the magic tag and let
ChromeFrame render the code thus the browser is vulnerable.

If he has an exploit for IE, he isn't going to add the magic tag, IE's engine
is going to handle the rendering and the browser is vulnerable.

The key is that the attacker can choose what browser the victim is using, thus
he can target either browser.

~~~
aarongough
Ah, I hadn't realized that the individual _website_ had control over whether
Chrome Frame was used or not... That is a _terrible_ idea. If the user elects
to install Chrome Frame it should render every page except for exceptions set
at the user's discretion.

I absolutely agree. Letting the website choose is just adding attack vectors.

~~~
enomar
It also ensures that sites that only work in IE continue to work. Google Frame
simply lets someone visit sites that only work in IE _and_ sites that need
HTML5 without having to know which browser to use for which site.

Having the site control when GF is used is essential for this to work.

~~~
aarongough
I understand the reasoning behind that, but ultimately it should be the _user_
not the _website_ that has control over whether Chrome Frame is activated or
not. A user can always visit an IE-only website in Firefox, so it's not
creating a new problem there.

Allowing the user control, rather than the website, means the user will get
the benefit of Chrome Frame _by default_ rather than as the exception and will
stop a potential attacker from getting to choose their attack vector...

------
ciupicri
I wonder what they think of the Adobe Flash Player.

------
ilyak
This holds as long as there's no exploit that affects IE, but doesn't affect
google framed IE. And there would be. I'd say, for IE6, there are probably a
few.

And those who care about security don't use IE anyway.

------
onreact-com
As I said before, M$ will block Google from doing it.

~~~
oneplusone
Nothing in the article said anything about blocking Google Chrome Frame. They
just advise against it. Also, can we cut the M$ crap? It is childish.

~~~
onreact-com
I did not indicate in my comment that the article says so, I wrote that I SAID
SO before. This is obviously the first step on the way to blocking it. Please
try to read first and understand before complaining. Comments are not for
repeating what the articles say but to add your own opinion. Also you're not
my father to tell me how I should behave.

Here is the link where I said it in case you still don't get the context:

<http://news.ycombinator.com/item?id=839002>

~~~
derefr
He may not be your father, but judging by your comment score, he's the voice
of the community.

~~~
onreact-com
Just because many people agree with you doesn't mean you are right. It's often
opportunism. M$ will surely try to block it, either technically or by law. For
the uninitiated M$ is the short version for Microsoft.

I may be childish, but it has been the unofficial acronym for at least a
decade so obviously whole generations of children use it.

Last but not least: Voting everything down you don't agree with is childish. I
argue with people and don't vote them down like some bury brigade just because
I disagree.

~~~
ATB
Not to repeat what was said above, but many of us (I suspect) immediately
think of THIS when they see someone write "M$" -- <http://art.penny-arcade.com/photos/215178115_ExTPi-L-2.jpg>

That term simply doesn't come across well in a discussion held - ostensibly -
by adults. It has the same effect as someone writing 'MAD LULZ G00G PWNED MS'
and ultimately conveys nothing aside from prejudice.

~~~
blasdel
If you want to use an epithet for the leading operating systems vendor, use
_Micros~1_

