There has been some back and forth finger pointing in the last few days between Google and Microsoft over Chrome Frame. According to multiple reports, Microsoft has said that the Chrome Frame IE plug-in (which embeds Google Chrome JavaScript and HTML 5) into IE 6,7 and 8, puts IE users at risk. It’s a claim that Google disagrees with.
From my perspective they’re both right … and wrong. Here’s why:
Chrome Frame, like any plug-in for any browser, does provide extra functionality and code. As such, from a purely objective point of view, it does present a broader potential attack surface and new attack vectors. Simply put, when there is more code, there is more code to attack that is potentially vulnerable.
As well, the known risk from all plug-ins (highlighted recently with Adobe’s Flash) is that users do not update them as often as they should, leaving them at risk.
At this early stage, it’s not clear to me how Chrome Frame is updated. Though Google Chrome itself has one of the best updating systems around, providing transparent automatic updates to users.
On the other side of the equation, Chrome (to date) has not been as widely attacked as IE. There have not been nearly as many (not even close) publicly known vulnerabilities in Chrome or Chrome specific malware or scripting (XSS, CSRF etc.) attacks.