Google Answers Microsoft Chrome Frame Security Criticisms

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

Google has responded to Microsoft criticism that its Chrome Frame plug-in increases IE’s attack surface

Google hit back late yesterday in response to Microsoft’s claims that Google’s Chrome Frame makes Internet Explorer less secure.

Google Chrome Frame is an early-stage open-source plug-in that brings Google Chrome’s open Web technologies, such as the HTML5 canvas tag and JavaScript engine, to Microsoft’s Internet Explorer (IE) browser. Google introduced Chrome Frame on 22 September, stating that it can be used with IE versions 6, 7 and 8.

In response, Microsoft accused Google of expanding the attack surface for IE. Google meanwhile got in a dig of its own as it touted the security of its Chrome browser.

“With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,” a Microsoft spokesperson said Sept. 24. “Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.”

Part of the issue is that the plug-in seems to undo IE 8’s privacy features. According to Google, however, the plug-in was designed with security in mind from the beginning.

While encouraging users to use a more modern and standards-compliant browser such as Firefox, Safari, Opera or Google Chrome rather than a plug-in, a Google spokesperson said: “For those who don’t, Google Chrome Frame is designed to provide better performance, strong security features and more choice to both developers and users, across all versions of Internet Explorer.”

The spokesperson added that accessing sites with Chrome Frame brings the Chrome browser’s sandboxing and malware protection features to IE users. Microsoft, however, pointed to the results of a recent browser security test by NSS Labs as proof of IE’s security posture. The test was paid for by Microsoft as part of an internal company analysis of IE security. NSS Labs later posted the results for the public.

As the controversy continues, Google is encouraging public involvement in the development of Chrome Frame.

“We invite all parties with thoughts about Google Chrome Frame to explore our code and provide feedback about this technology [to] the open-source community,” the spokesperson said.