
Google's "Chrome Frame" plugin for IE no longer requires admin rights - joshuacc
http://blog.chromium.org/2011/06/introducing-non-admin-chrome-frame.html
======
gruseom
Yay for clever technical hacks that help users circumvent ossified IT
bureaucracy. But I'm a little astonished that this is possible. They're
running a second process that detects new instances of IE starting up and
injects Chrome Frame into them. Doesn't that make a mockery of "admin rights"?
Couldn't this technique be used to do just about anything?

~~~
kevingadd
No. A bunch of Windows processes typically run under users other than the
current user, and at higher integrity levels, specifically to prevent this.

IE is also _intentionally_ run as the current user at a low privilege level,
which makes it possible to do things like this to the IE process, but makes it
impossible for the IE process to do things like this to other programs.

------
thurn
Can you get Chrome itself without admin rights? That would probably be as
beneficial or more for circumventing draconian (and short-sighted) IT
policies.

~~~
rgsteele
Yes, it is possible to install Google Chrome without having local
administrator rights. It installs itself into the user's "Application Data"
folder. A user cannot set it as the default browser without having local
admin, however.

If an administrator installs the "multiple user" version of Chrome on the
computer (which is installed in the "Program Files" folder as per a normal
app), the next time a user runs their "single user" version of Chrome it will
display a message that the multiple user version has been installed and their
single user application is uninstalled.

References:
[http://www.google.com/support/forum/p/Chrome/thread?tid=31d0...](http://www.google.com/support/forum/p/Chrome/thread?tid=31d02264c4184298&hl=en)
[http://www.google.com/support/chrome/bin/answer.py?answer=11...](http://www.google.com/support/chrome/bin/answer.py?answer=118663)

------
udoprog
"Awesome! Do you have any stats on how many people have installed Chrome
Frame?"

I found this question interesting; does anyone know of any viable source for
this kind of statistics? Is the user-agent for Chrome Frame distinguishable?

Edit: Found the user-agent from the dev docs; "GCF reports that it is
available by extending the host's User-Agent header with the string
chromeframe"
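
The User-Agent marker quoted in the edit above can be counted from web server or proxy logs, which is also how an administrator could spot per-user installs. This is an added example, not part of the thread or of Google's documentation; the combined log layout, the sample lines and the optional `/version` suffix after the token are assumptions.

```python
import re
from collections import Counter

# Constructed sample: combined-format access log lines, documentation-range IPs.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; chromeframe/12.0.742.100)"
192.0.2.10 - - [10/Jun/2011:09:00:05 +0000] "GET /app HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; chromeframe/12.0.742.100)"
192.0.2.11 - - [10/Jun/2011:09:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.12 - - [10/Jun/2011:09:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30"
192.0.2.13 - - [10/Jun/2011:09:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; chromeframe)"
this line is truncated and has no user-agent field
"""

# Client address, then the last quoted field on the line (the User-Agent).
LINE_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')
IE_RE = re.compile(r"\bMSIE \d+")
# The thread only states that the token "chromeframe" is appended; the
# "/version" suffix is treated as optional here (assumption).
GCF_RE = re.compile(r"\bchromeframe(?:/([\d.]+))?", re.IGNORECASE)


def gcf_stats(log_text):
    """Count distinct IE clients and how many of them advertise Chrome Frame.

    Counts are per client address, not per request, so one busy host does not
    skew the share. The header is client-supplied, so treat results as estimates.
    """
    ie_clients, gcf_versions, skipped = set(), {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed or truncated line
            continue
        client, ua = m.groups()
        if not IE_RE.search(ua):
            continue              # not an IE host, token would be meaningless
        ie_clients.add(client)
        token = GCF_RE.search(ua)
        if token:
            gcf_versions[client] = token.group(1) or "unknown"
    share = len(gcf_versions) / len(ie_clients) if ie_clients else 0.0
    return {
        "ie_clients": len(ie_clients),
        "gcf_clients": len(gcf_versions),
        "gcf_share": share,
        "versions": Counter(gcf_versions.values()),
        "skipped": skipped,
    }
```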

------
muxxa
Has anyone experienced any problems enabling Chrome Frame on a large-scale web
app? Any resistance from users when prompted to install Chrome Frame?

------
Klonoar
Nice to see a bit more of the tech behind how they did it, albeit it's
admittedly not much.

Side note, from their FAQs:

_Is Google Chrome Frame open-source?_

_Google Chrome Frame is built from open source code in the Chromium project
just like Google Chrome._

Does this sound like a non-answer to anyone else, or is it just me?

~~~
Macuyiko
Not really. You can view the source code for Chrome, Chrome OS and Chrome
Frame in their repo:
[http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame...](http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame/)

As a side note, after having looked at the code for a few minutes, it appears
they're doing some clever things with the Chrome Frame helper program: (tidy)
DLL injection into Internet Explorer, together with dynamic BHO loading using
the windowing API and the IWebBrowser2 interface (see
[http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame...](http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame/bho_loader.cc?revision=87033&view=markup)
).

The "right" way to do this is to register your BHO DLL through regsvr32 (I
believe this creates a registry entry as well.) If you have Administrative
rights, the installer does this for you, and Internet Explorer will do
everything on its own from there on.

It surprises me that their workaround actually works. One would think that
aspects such as DLL injection and API interfacing would be blocked for non-
administrative users. The code could actually prove inspirational for malware
writers. I still wonder how they load the helper program at startup. Probably
using a service, but setting a new service would require Administrative
privileges, I believe...

~~~
kevingadd
Restricting DLL injection and 'API interfacing' (if that's even a thing) to
administrative users would provide no security benefit. People would just have
to run as admin. DLL injection is used all over in Windows to provide useful
features like alternate input methods, icon overlays in Explorer, etc. You
aren't allowed to inject DLLs into processes owned by other users or processes
of higher integrity level, so it's not really a significant security threat
under the current Windows model. IIRC Chrome and IE both run their processes
at low integrity so those processes won't even be able to inject DLLs into
other processes unless those other processes are also low integrity.

~~~
Macuyiko
Ah, thanks for the clarification. "API interfacing" was formulated a bit
quickly (then again, don't you interface with an interface?) -- perhaps I
should have said "using APIs".

------
brakkus
Old news init? Thought this was announced at IO a month or so back.

~~~
blntechie
Announced at IO. Releasing now.

------
jabo
Google announced this recently during Google I/O.

