Microsoft: Google Chrome Frame makes IE less secure Posted: 9/24/2009 2:08:53 PM
The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure.
"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers," a Microsoft spokesperson told Ars. "Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take." The spokesperson also referred us to the latest phishing and malware data from NSS Labs, the same security company that found IE8 was the most secure browser in August 2009 via two Microsoft-sponsored reports.
Some of the points Microsoft makes in its statement are controversial, though it's not all simple PR talk. Plugins and add-ons are definitely a huge security issue; they usually remain unpatched longer than most and often end up doing more damage than vulnerabilities in the actual browser. As for IE + Google Chrome Frame potentially allowing for double the damage because the browser mutant would be open to a wider range of attacks, we're going to have to call foul. Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers.
What about the part about Chrome having security issues in particular? Soon after Chrome was first released in September 2008, vulnerabilities were discovered and loudly trumpeted. The new browser was quickly labeled insecure days after it was made available, and remained so until a patched version was released.
After that though, Google made sure to stay on top of things, and it has paid off. In March 2009, for example, Chrome was the only browser left standing after day one of the famous Pwn2Own contest, where security researchers competed to exploit vulnerabilities in web browsers, while Firefox, Safari, and Internet Explorer were all successfully compromised. Microsoft argues that Chrome only remained unscathed because nobody attempted to exploit it, but the fact remains that none of the researchers had vulnerabilities for Chrome in mind before going into the contest.
Also, Swiss security researchers concluded in May 2009 that people who use Firefox or Chrome are more likely to be running the latest version of the software when compared against Safari and Opera users due to their auto-update mechanisms which require less user interaction. Internet Explorer wasn't even mentioned in the study, though we know that it relies on Windows Update and doesn't have an automatic built-in updater.
Finally, and possibly most importantly, Chrome has a market share that is easily 20 times smaller than Internet Explorer's. Even if Google reaches its 10 percent market share goal, Internet Explorer would still be six times more widely used. Microsoft doesn't like to admit it, but the fact is that market share is a disadvantage when it comes to security. It's just more profitable for the bad guys to aim for the largest crowd of marks.
While Microsoft's jabs at Chrome were a bit over the top, its points about Internet Explorer 8's security are solid. The browser has great phishing and malware protection built-in, and is overall miles ahead of its predecessors. That said, even if Microsoft claims that IE8 is more secure than Chrome, and it did in June 2008, the fact remains that Google didn't just release the plugin for IE8. It works in IE6 and IE7 as well. These old browser versions are much less secure, especially in comparison to IE8 and Chrome 3. In August 2009, Redmond confirmed that while it would continue to push IE6 and IE7 users to upgrade their browsers, it wasn't going to make the decision for them anytime soon.
For all these reasons, we don't believe that Microsoft is in a position to say that Google Chrome Frame is an unsafe choice. We do, however, understand where the software giant is coming from.
http://arstechnica.com/microsoft/news/2009/09/microsoft-google-chrome-frame-makes-ie-less-secure.ars
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/24/2009 4:43:35 PM
Scripts that bypass IE's security checks because they're embedded in advertisement engines that infect your computer with nasty spyware = bad.
Something that alerts you to the fact a website has been known to distribute spyware, which Chrome does = good.
When Microsoft claims something not theirs makes something of theirs less secure, I tend to ignore it. If MS had its way, we'd all be running nothing but MS supplied software...much like Apple has managed to do with its OS and applications over the years...they're already forcing stuff like media player, ie, messenger and other things into the OS.
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/24/2009 4:46:39 PM
I saw this the day after its launch.
I've not used it and don't intend to, to be honest, but it seems safe for now, but I don't expect it will be that way for long. It's not a good idea to run a browser frame from one in another, not even Firefox tried that.
Typical of Google really, they seem worse than Microsoft in recent years, they don't want to give the best product to the user, they want 100% market share, and Microsoft is their target for now.
It's a great cocktail for disaster don't you think, I mean a flaw that exists because of the "merger" would be fixed by whom exactly? Google will tell you it's Microsoft's fault because it's their browser, while Microsoft can't fix it because it's not being caused solely by its product... M$ gets hacked to shreds for an addin it doesn't even want... very clever and underhanded work on somebody's part?
The most interesting part I found was the mention on the IE update method, it was taken that the method of updating IE via Windows Update is a problem because it doesn't involve IE, where I always took it to be an advantage, especially on Vista and higher, I mean if your browser has a flaw why would you want to use it to access the web to get the fix, which is what the other browsers have to do to get theirs, they have to go into the wild, which is where the problem exists to get fixed, whereas IE doesn't have to do anything at all, it doesn't even have to run locally to get its fixes...
Thoughts, comments?
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/26/2009 11:05:19 AM
"Thoughts, comments?"
Use Linux.
Firefox, Opera, Flock, Chrome= W3C compliant
IE=NOT
As a web developer that's a big deal to me. I have to create separate files and incorporate workarounds just to get IE to render sites I design correctly, because MS just refuses to go along with the program everyone else is using, that's reason enough to despise them.
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/26/2009 4:52:43 PM
When Microsoft claims something not theirs makes something of theirs less secure, I tend to ignore it. If MS had its way, we'd all be running nothing but MS supplied software...much like Apple has managed to do with its OS and applications over the years...they're already forcing stuff like media player, ie, messenger and other things into the OS.
Nobody forces you to use WMP, nor do they force you to use IE, it is supplied if required, and given the fact that it's the most popular browser in use then it would seem most people do need to use it.
People these days are educated enough to be able to choose their browser and media player. Windows messenger is added in the same vein, they provide it, and people make a choice, most people who want to use an IM go off and choose one, in fact I think WinIM is probably the most unused IM client, but it's provided for convenience of its users. I like the fact that they're there, even if I don't use them... Microsoft make no money from adding WMP or IE into their OS at all, when the EU forced Microsoft to remove WMP from Windows the cost was higher for that version, because the overall "development" costs were higher for the RME version because they had to work on it to remove it.
I wonder what the sales figures of XP RME were compared to the standard version of XP. I bet they weren't high at all despite all the fuss made. I've only ever seen it twice, once was as a scene release and the other was on scan.co.uk, I asked my sales account manager about it, he said he's never sold a copy of it, and he didn't know of any of the other managers who had either, because it was a more expensive version with less features.
Moaning about having WMP, IE and WinIM is like moaning about having Media Center built into Vista Home Premium. It's an added feature, it's one of the things you are buying, if you don't want it then don't buy it, nobody forces you to buy it, nobody forces you to use it, it's like Adobe moaning about having MS Paint built into the OS.
Mac OS X comes with its own browser, Firefox can run on a Mac yet Mozilla hasn't had a go at Apple about them including it with the OS.
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/26/2009 8:52:02 PM
If Microsoft are so worried about plug-ins, why aren't they telling everyone to stop using the Flash plug-in, the Adobe Acrobat Reader plug-in, the Yahoo! Toolbar plug-in, and the Windows Live Toolbar plug-in?
People have to pay Microsoft for IE, because it is shipped with Windows.
Want to surf the net? You need a browser. Pick IE? Buy Windows. More money for Microsoft.
Want to surf the net using Chrome, Firefox, or any other browser? They're FREE. So no more need to buy Windows, and no money for Microsoft. Boo-hoo, Microsoft. Time to try and dissuade everyone from giving up IE and giving up Windows as well.
Personally, I switched to Opera about a year ago. MUCH faster than Firefox, IE, or Chrome, has phishing and the rest built-in, and no probs (so far!) Much prefer it.
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/27/2009 6:47:44 AM
If Microsoft are so worried about plug-ins, why aren't they telling everyone to stop using the Flash plug-in, the Adobe Acrobat Reader plug-in, the Yahoo! Toolbar plug-in, and the Windows Live Toolbar plug-in?
They are stable plug-ins, they use the security features of the app they run in. The Chrome plug-in ignores those features, and blocks them from working, and if a computer is compromised because of it then it's the browser that will take the blame not the plug-in, despite it being the fault of the plug-in not the browser.
People have to pay Microsoft for IE, because it is shipped with Windows.
They don't have to pay for it at all. In fact the reality is exactly the other way round, the cost of Windows without IE would be higher. You are getting it cheaper because of IE.
The browsers you speak of might be free to download sure, but there are reasons they are free. There is no support from the makers of the software at all, the only support you will get is your average joe on a forum who has had the problem and fixed it, or seen the fix for it and shares the answer with you. It's the same with Linux and FreeBSD, sure they are free to get but the support costs to run it are higher than Windows costs to buy it, meaning the total cost of ownership of a "Free" OSS PC that is supported is higher than a "Bought" proprietary PC that is supported.
Don't get me wrong I do like OSS, it's great, especially from a personal finance stand point. I can earn much more as a Linux specialist than I can as a bog standard Windows engineer, considerably more, but these days companies are wise to the TCO of "free" OSS software like Linux, and all the ones I've worked with in the past have been there, done it and moved back to Windows because it's cheaper. The same goes for the home user too, if you want support then it costs!
So don't fool yourself into thinking, or try and convince me into thinking it's FREE, because I know it isn't, the cost of OSS [Linux, FreeBSD, Opera, Firefox, Chrome etc etc] is in time, lack of support, lack of accountability, and if you can get any of them then it costs far more than it would if you had gotten it from Microsoft.
Sure Microsoft are money grabbing **stards, who would like nothing more than to set up a DD for your wages from you to them every month, but at least they're honest about it. I mean do you have any idea what Opera get from their browser? Or an even better study would be Google!!! now there's a story.
- don
| Joined: 4/23/2009 Msg: 9 | |
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/28/2009 4:06:53 PM
Mixing software/adding software can create insecurities. Since IE is closed-source/proprietary software, I'm not sure how secure it would be for another company w/out the source code adding software to it and sounds like IE doesn't wanna take responsibility for an unsupported browser plug-in/add-on when they have a hard enough time keeping up with insecurities as it is.
Microsoft: Google Chrome Frame makes IE less secure Posted: 9/28/2009 7:54:09 PM
RE Msg: 7 by BladeRunner_IW:
They are stable plug-ins, they use the security features of the app they run in. The Chrome plug-in ignores those features, and blocks them from working, and if a computer is compromised because of it then it's the browser that will take the blame not the plug-in, despite it being the fault of the plug-in not the browser.
The whole design structure outlined for internet browsers is to not allow those things happening from the core, especially for plug-ins, because anyone can write a plug-in. If plug-ins could bypass browser security, that would make browsers just as insecure as any other program, and would defeat the security structure of browsers anyway. So I've got to wonder at any browser that could let you do that.
Also, I've had problems on my last computer with Windows Live accessing the internet separately, bypassing the security of IE, and opening itself to downloading viruses. Same for Yahoo! toolbar and other toolbars, which is why I no longer use them. It's a pain. But it makes my computer far less open to attack.
People have to pay Microsoft for IE, because it is shipped with Windows.
They don't have to pay for it at all. In fact the reality is exactly the other way round, the cost of Windows without IE would be higher. You are getting it cheaper because of IE.
The browsers you speak of might be free to download sure, but there are reasons they are free. There is no support from the makers of the software at all, the only support you will get is your average joe on a forum who has had the problem and fixed it, or seen the fix for it and shares the answer with you. It's the same with Linux and FreeBSD, sure they are free to get but the support costs to run it are higher than Windows costs to buy it, meaning the total cost of ownership of a "Free" OSS PC that is supported is higher than a "Bought" proprietary PC that is supported.
Don't get me wrong I do like OSS, it's great, especially from a personal finance stand point. I can earn much more as a Linux specialist than I can as a bog standard Windows engineer, considerably more, but these days companies are wise to the TCO of "free" OSS software like Linux, and all the ones I've worked with in the past have been there, done it and moved back to Windows because it's cheaper. The same goes for the home user too, if you want support then it costs!
So don't fool yourself into thinking, or try and convince me into thinking it's FREE, because I know it isn't, the cost of OSS [Linux, FreeBSD, Opera, Firefox, Chrome etc etc] is in time, lack of support, lack of accountability, and if you can get any of them then it costs far more than it would if you had gotten it from Microsoft.
I don't know about that. I started working in 95 with IBM AS/400s. Then my mother got a Windows 95 computer with IE built-in, and my headaches began, because I had to fix it. I started to talk about AS/400s like they were wonders. Sure, they were dinosaurs that looked about as colourful as the back end of a donkey in a black-and-white film. But they didn't take 3 days to fix. You told them to do something, they did it. Windows 95 would crash if you just pressed the buttons a little bit too fast.
I had been using IE for about 9 years before Firefox came along. I was already so sick of the problems I had in it always crashing, being incredibly slow, and generally being a nightmare to use, that I had downloaded tons of other browsers I could find on the web, just looking for a replacement. Once I started using Firefox, and saw how ruddy easy it was to use compared to IE, I never looked back. It crashed once or twice, but never anywhere near as much as IE did. Very quickly, it had an automatic updater built-in, so when a new version came out, it would just tell me, all I had to do was press Update, and it would update Firefox for me.
It had anti-phishing filters before I knew that I needed them, because the first I saw was that I got an email with a link, and when I clicked on it, Firefox's address bar showed an entirely different address than the one the link said it was. I tried the same in IE, and no such luck. It was reporting the link as the same as it claimed to be. It was YEARS before IE got an anti-phishing filter. Same for the multiple tabs. I was using them for years.
Plus, every time I heard a new vulnerability came out about Firefox, there was Firefox with an update in a matter of hours. IE was never that fast on updates. I don't think I've EVER got a virus through Firefox. Through IE? No such luck. Really, I don't even bother with IE anymore. No point. It's way too slow, and it's way too insecure for me.
Firefox? I never had to do much more than install, and press Update for when a new update came out.
I tried Chrome. But it kept opening up a new process for every window. With several tabs open, it got really slow.
I recently decided to switch to Opera, but only because it's way faster, and it works at least as reliably as Firefox.
As far as Linux goes, I've never really worked on it. I have worked on a Mac, and I don't recall needing to fix it. It never went wrong. What I can say about Windows, is that I've been working on Windows since 95. I hate it, because everyone has a problem with Windows, and 99% of them are a b*stard to fix. A lot of Dlls corrupt. A lot of Dlls' registry settings corrupt. A lot of things go wrong on Windows all the time. I'd recommend to everyone that they Ghost their new install, and just restore it.
The support staff I've met, either do fresh installs, because it's quicker to reinstall everything than even diagnosing a problem on Windows, or they just demand that all employees have to ask their permission before doing anything they haven't already been told they can do, or they fix the problems, and they range from hours to weeks to fix. One person I knew, used to support Windows and Macs. He loved Macs because they almost never went wrong, and when they did, they were easy to fix. Windows, as I explained, were a freaking pain in the backside, and then some. I pointed out to him, though, that 90% of his calls were from Windows machines, and if he only dealt with Macs, he'd have almost no work, because nothing would go wrong.
That's why I'm surprised you said you made much more money in Linux support. There are so many support calls for Windows, and they are so difficult to fix, and the people who own Windows usually know so little about computing, and are entirely at your mercy, that you can pretty much write your own ticket. The only advantage of Linux is that there are a lot less Linux specialists, so the price goes up. But even MCSE for most Microsoft products was just reading a manual of stuff that anyone could find out just by reading the help. MCSE for being a DBA on Microsoft SQL Server might cost you £5,000. But that job would pay £45,000, and you wouldn't need to be all that bright, only know how to read a manual, and how to follow instructions. Development was potentially even more lucrative, because Microsoft development products tend to be focussed on RAD, but have lots of failures in reliability. So provided you don't agree to cover all the support costs in your maintenance contract, but only the first hour, say, and charge for the rest, then you'll have a product ready to go in 3 months, with lots of support calls, that will cost your clients an arm and a leg.
Money for old rope, really.
Sure Microsoft are money grabbing **stards, who would like nothing more than to set up a DD for your wages from you to them every month, but at least they're honest about it. I mean do you have any idea what Opera get from their browser? Or an even better study would be Google!!! now there's a story.
Of course Opera are getting money for their browser. So are Google. That much is obvious. SOMEONE has to be paying their wages, and they are produced by private companies, who are there for a profit. But what makes you think Microsoft aren't doing exactly the same deals? Bill Gates is a very savvy guy. His products are loaded with errors and bad design, but are very well marketed, and if anyone has cornered the market on copying what others are doing in IT, it's Bill Gates and Microsoft. If anyone in computing was going to spot a way to make money, especially if it was a way that others are doing already, it would be Microsoft. So have no fear, for every deal that Opera does with eBay or Amazon or Google, or the deals that Google has, there are 10 that Microsoft have already made.