RealTime IT News

Google's Chrome Frame: Making IE Less Secure?


Netstat -vat by Sean Michael Kerner

A command line view of IT


From the "My Browser is More Secure Than Yours" files:

There has been some back-and-forth finger-pointing in the last few days between Google and Microsoft over Chrome Frame. According to multiple reports, Microsoft has said that the Chrome Frame IE plug-in (which embeds Google Chrome JavaScript and HTML 5 into IE 6, 7 and 8) puts IE users at risk.

It's a claim that Google disagrees with.

From my perspective, they're both right ... and wrong. Here's why:

Chrome Frame, like any plug-in for any browser, does provide extra functionality and code. As such, from a purely objective point of view, it does present a broader potential attack surface and new attack vectors. Simply put, when there is more code, there is more code to attack that is potentially vulnerable.

As well, the known risk from all plug-ins (highlighted recently with Adobe's Flash) is that users do not update them as often as they should, leaving them at risk.

At this early stage, it's not clear to me how Chrome Frame is updated, though Google Chrome itself has one of the best updating systems around, providing transparent automatic updates to users.

On the other side of the equation, Chrome (to date) has not been as widely attacked as IE. There have not been nearly as many (not even close) publicly known vulnerabilities in Chrome, or Chrome-specific malware or scripting (XSS, CSRF, etc.) attacks.
