Linked by Thom Holwerda on Thu 24th Sep 2009 19:17 UTC
Internet Explorer Earlier this week, Google launched Chrome Frame, a plugin for Internet Explorer 6/7/8 which replaces the Trident rendering engine with Chrome's rendering and JavaScript engine for better performance and superior standards compliance. Microsoft has responded to this release, claiming it makes Internet Explorer less secure. Note: What database category do I put this in? Internet Explorer? Google? Choices, choices!
Thread beginning with comment 386063
To read all comments associated with this story, please click here.
Microsoft is right
by foldingstock on Thu 24th Sep 2009 20:39 UTC
foldingstock
Member since:
2008-10-30

Mod me down, linux fanboys, but Microsoft is technically right.

Adding a third-party plugin, especially something that replaces the core browsing engine, does make IE less secure. With this plugin, IE can be compromised due to a security issue in IE code -or- Chrome's code. If a security flaw is found in Chrome's javascript rendering engine, any version of IE running this plugin will be vulnerable.

The same thing can be said about other plugins. Installing the Adobe Flash player plugin to IE or Firefox will make both less secure, since you are introducing additional code.

Microsoft is right because adding any plugin that expands software functionality will introduce new code that can potentially cause additional security problems.

Did Microsoft consider this before forcing a .NET add-on to be installed to Firefox via Windows Update? Certainly not.

Is this a marketing gimmick by Microsoft to scare people from using the plugin of one of their biggest competitors? Probably.

Is Microsoft wrong in saying this? No, they are technically correct.

Reply Score: 1

RE: Microsoft is right
by sbergman27 on Thu 24th Sep 2009 20:45 in reply to "Microsoft is right"
sbergman27 Member since:
2005-07-24

Mod me down, linux fanboys, but...

I agree, in principle, with the rest of your post. (Though I doubt the real-world difference will turn out to be significant.) But as a Linux advocate, I think it is reasonable to ask what purpose this quoted bit at the top of it was supposed to serve. Would not your post have been clearer and stronger without it?

Edited 2009-09-24 20:46 UTC

Reply Parent Score: 8

RE[2]: Microsoft is right
by foldingstock on Thu 24th Sep 2009 21:04 in reply to "RE: Microsoft is right"
foldingstock Member since:
2008-10-30

"Mod me down, linux fanboys, but...

I agree, in principle, with the rest of your post. (Though I doubt the real-world difference will turn out to be significant.) But as a Linux advocate, I think it is reasonable to ask what purpose this quoted bit at the top of it was supposed to serve. Would not your post have been clearer and stronger without it?
"

Simply because a large percentage of Linux users use it because they hate Microsoft as a company. I am tired of being modded down for saying something other than "OMG Microsoft sucks LOL!!!."

I have nothing against Linux or Linux users. I use Linux, Windows, and *BSD. I use whatever is best for the job at hand. I just don't like rabid fanboys.

I apologize if my comment offended anyone.

Reply Parent Score: 2

RE[2]: Microsoft is right
by umccullough on Thu 24th Sep 2009 21:08 in reply to "RE: Microsoft is right"
umccullough Member since:
2006-01-26

"Mod me down, linux fanboys, but...

I agree, in principle, with the rest of your post. (Though I doubt the real-world difference will turn out to be significant.) But as a Linux advocate, I think it is reasonable to ask what purpose this quoted bit at the top of it was supposed to serve. Would not your post have been clearer and stronger without it?
"

Eh, next time just mod him down for the use of a stereotype ;)

Edited 2009-09-24 21:24 UTC

Reply Parent Score: 8

RE: Microsoft is right
by Laurence on Thu 24th Sep 2009 20:53 in reply to "Microsoft is right"
Laurence Member since:
2007-03-26

Mod me down, linux fanboys, but Microsoft is technically right.

Adding a third-party plugin, especially something that replaces the core browsing engine, does make IE less secure. With this plugin, IE can be compromised due to a security issue in IE code -or- Chrome's code. If a security flaw is found in Chrome's javascript rendering engine, any version of IE running this plugin will be vulnerable.

The same thing can be said about other plugins. Installing the Adobe Flash player plugin to IE or Firefox will make both less secure, since you are introducing additional code.

Microsoft is right because adding any plugin that expands software functionality will introduce new code that can potentially cause additional security problems.

Did Microsoft consider this before forcing a .NET add-on to be installed to Firefox via Windows Update? Certainly not.

Is this a marketing gimmick by Microsoft to scare people from using the plugin of one of their biggest competitors? Probably.

Is Microsoft wrong in saying this? No, they are technically correct.


You're logic doesn't really work because if 3rd party plugins are seen a security threat then it's IE which is insecure for allowing 3rd party plugins to install in the 1st place.

If you want to talk about a specific plug in (Chrome) reducing IEs security, then you have to look at what the plug in specifically performs - which is rendering. And that plug in specifically IS more secure than trident (as well as more standards compliant).

Mod me down, linux fanboys, but Microsoft is technically right.


I really don't see what Linux has to do with this.
If anything, Google have proven time and time again that Chrome's priority is Windows - so why make such a comment if you didn't want to come across as trolling?

Edited 2009-09-24 20:56 UTC

Reply Parent Score: 6

RE[2]: Microsoft is right
by Bill Shooter of Bul on Thu 24th Sep 2009 22:44 in reply to "RE: Microsoft is right"
Bill Shooter of Bul Member since:
2006-07-14

Well, everyone pretty much admits that in general plugins are a security problem. Chrome is trying to find a way to sandbox them to reduce security risks.

But I would assert that plugins in IE are especially a security risk. As they have historically been exploited a number of times. I think Safari plugins have been as well, but not 100% sure on that.

Reply Parent Score: 2

RE: Microsoft is right
by license_2_blather on Thu 24th Sep 2009 22:03 in reply to "Microsoft is right"
license_2_blather Member since:
2006-02-05

Technically right, maybe, but certainly not fair.

This additional code = more attack surface assertion is equally true about Silverlight. But they are not steering their "friends and family" away from Silverlight, now are they?

Bottom line, it's the only thing Microsoft could do. They got served, as the kids say nowadays. Thanks, Google, for the entertainment!

Reply Parent Score: 3

RE: Microsoft is right
by Bill Shooter of Bul on Thu 24th Sep 2009 22:40 in reply to "Microsoft is right"
Bill Shooter of Bul Member since:
2006-07-14

They're not wrong, they're just assholes.

Reply Parent Score: 6

RE: Microsoft is right
by emilsedgh on Thu 24th Sep 2009 23:22 in reply to "Microsoft is right"
emilsedgh Member since:
2007-06-21

Technically, what you said is not right.

Each browser is built of two main parts:
1) HTML/CSS/Javascript handling part
2) Main application

What this plugin does, is to 'replace' the first part.
So its NOT 'adding' any security whole. If there is a security whole in trident (IE's html/css/js handling stuff) it will not be applicable when this plugin is active.

And since this plugin, is actually webkit, and webkit is far more safer and cooler than trident, practically it will increase the damn security.

Reply Parent Score: 1

RE[2]: Microsoft is right
by foldingstock on Fri 25th Sep 2009 16:26 in reply to "RE: Microsoft is right"
foldingstock Member since:
2008-10-30

Right, but if there is even one vulnerability in WebKit, it is a vulnerability that would not have been there had the WebKit plugin not been installed. That is the genius of Microsoft's statement. It doesn't matter that WebKit makes IE more secure than it is now.

Reply Parent Score: 1

RE: Microsoft is right
by lemur2 on Thu 24th Sep 2009 23:36 in reply to "Microsoft is right"
lemur2 Member since:
2007-02-17

The same thing can be said about other plugins. Installing the Adobe Flash player plugin to IE or Firefox will make both less secure, since you are introducing additional code.


I won't mod you down (despite you attempted slurs) because I don't do that, but I will gleefully point out the huge omissions in your (and Microsoft's) logic.

Silverlight. ActiveX. Are these not plugins too? Given IE's intrinsic very lackluster performance with ECMAscript, are these not required in order to get any king of interactive content over the web (albiet constrained to Windows clients) in the absensce of a standards-complaint capability such as Chrome Frame?

The other point of note is that Chrome Frame is open source. When one adds it as a plugin, one can see exactly what it does. It is auditable. It can be verified that it introduces no functions that are not in the interests of the owner of the client machine. Any flaws can readily be fixed by anyone (even if Google are somehow reluctant to fix one). None of these latter points are true for ActiveX or Silverlight.

Edited 2009-09-24 23:44 UTC

Reply Parent Score: 2