Google barks back at Microsoft over Chrome Frame security

Computerworld - Google hit back at Microsoft today, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer (IE) safer and more secure.

"Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users," said a Google spokesman today. "It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months."

Although both IE7 and IE8 include a "sandbox" defense dubbed "Protected Mode," the feature works only when the browsers are run in Vista (IE7 and IE8) or Windows 7 (IE8). Google's Chrome Frame, however, prevents malicious code from escaping the browser -- and worming its way into, say, the operating system -- on Windows XP as well.

Yesterday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser.

"Running a browser within a browser doubles the potential attack surface in a way that we don't see is particularly helpful," said Amy Bazdukas, Microsoft's general manager for IE, on Thursday.

Bazdukas blasted plug-in security in general, and Chrome Frame specifically, while taking the latter to task because it busts IE8's private browsing features. "Chrome Frame breaks the privacy model of IE," claimed Bazdukas. "Users are not going to be able to use IE's privacy features, something that's not made apparent to users. They're essentially circumvented."

Google countered that its plug-in is secure.

"Google Chrome Frame ... was designed with security in mind from the beginning," the company spokesman added in an e-mail. "While we encourage users to use a more modern and standards-compliant browser such as Firefox, Safari, Opera or Chrome rather than a plug-in, for those who don't, Chrome Frame is designed to provide better performance, strong security features, and more choice ... across all versions of Internet Explorer."

According to Google, Chrome Frame receives automatic, behind-the-scenes security updates with the same mechanism used by the Chrome browser itself, relieving users of manually patching the plug-in.

The company is also investigating bugs filed with the Chrome team by Microsoft developers, who reported that Chrome Frame broke IE8's privacy mode.

Chrome Frame lets IE utilize the Chrome browser's WebKit rendering engine, as well as its high-performance V8 JavaScript engine. The extra speed and HTML 5 support are necessary, said Google earlier this week, if IE users are to run advanced Web applications such as Google Wave, a collaboration and communications tool that Google launched in May.

Google pitched the plug-in as a way to instantly improve the performance of the notoriously slow IE, and as a way for Web developers to support standards IE can't handle, including HTML 5.

The Chrome Frame plug-in works with IE6, IE7 and IE8 on Windows XP and Windows Vista. It's available from Google's site as a free download.

Read more about security in Computerworld's Security Knowledge Center.