Microsoft: Google Chrome Frame makes IE less secure

Microsoft does not recommend that Internet Explorer users install Google …

The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure.

"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers," a Microsoft spokesperson told Ars. "Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take." The spokesperson also referred us to the latest phishing and malware data from NSS Labs, the same security company that found IE8 was the most secure browser in August 2009 via two Microsoft-sponsored reports.

Some of the points Microsoft makes in its statement are controversial, though it's not all simple PR talk. Plugins and add-ons are definitely a huge security issue; they usually remain unpatched longer than most and often end up doing more damage than vulnerabilities in the actual browser. As for IE + Google Chrome Frame potentially allowing for double the damage because the browser mutant would be open to a wider range of attacks, we're going to have to call foul. Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers.

What about the part about Chrome having security issues in particular? Soon after Chrome was first released in September 2008, vulnerabilities were discovered and loudly trumpeted. The new browser was quickly labeled insecure days after it was made available, and remained so until a patched version was released.

After that though, Google made sure to stay on top of things, and it has paid off. In March 2009, for example, Chrome was the only browser left standing after day one of the famous Pwn2Own contest, where security researchers competed to exploit vulnerabilities in web browsers, while Firefox, Safari, and Internet Explorer were all successfully compromised. Microsoft argues that Chrome only remained unscathed because nobody attempted to exploit it, but the fact remains that none of the researchers had vulnerabilities for Chrome in mind before going into the contest.

Also, Swiss security researchers concluded in May 2009 that people who use Firefox or Chrome are more likely to be running the latest version of the software when compared against Safari and Opera users due to their auto-update mechanisms which require less user interaction. Internet Explorer wasn't even mentioned in the study, though we know that it relies on Windows Update and doesn't have an automatic built-in updater.

Finally, and possibly most importantly, Chrome has a market share that is easily 20 times smaller than Internet Explorer's. Even if Google reaches its 10 percent market share goal, Internet Explorer would still be six times more widely used. Microsoft doesn't like to admit it, but the fact is that market share is a disadvantage when it comes to security. It's just more profitable for the bad guys to aim for the largest crowd of marks.

Google made a point to say that its plugin brings some security features to Internet Explorer. "Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users, providing strong phishing and malware protection (absent in IE6), robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months," a Google spokesperson told Ars.

While Microsoft's jabs at Chrome were a bit over the top, its points about Internet Explorer 8's security are solid. The browser has great phishing and malware protection built-in, and is overall miles ahead of its predecessors. That said, even if Microsoft claims that IE8 is more secure than Chrome, and it did in June 2008, the fact remains that Google didn't just release the plugin for IE8. It works in IE6 and IE7 as well. These old browser versions are much less secure, especially in comparison to IE8 and Chrome 3. In August 2009, Redmond confirmed that while it would continue to push IE6 and IE7 users to upgrade their browsers, it wasn't going to make the decision for them anytime soon.

For all these reasons, we don't believe that Microsoft is in a position to say that Google Chrome Frame is an unsafe choice. We do, however, understand where the software giant is coming from.
