REALTIME IT NEWS
REALTIME IT NEWS
Newsletters Select newsletters below and click the button to sign up!
Internetnews BloggersRecent Entries
ArchivesMonthly ArchivesSearch The Blog
« Mozilla Firefox 3.6 Beta 3 released with 83 bug fixes |
Sean Michael Kerner Blog
| Google Chrome OS goes open source in Chromium OS »
Google Chrome Frame security flaw discovered by Microsoft From the 'I Told You So' files:
Back in September, Google launched Chrome Frame which embeds a Chrome-type browser inside of a Microsoft Internet Explorer(IE) browser. At the time, Microsoft claimed that Chrome Frame could make IE less secure. Guess what? Turns out Microsoft was right. Late Wednesday, Google issued an update to Chrome Frame with version 4.0.245.1 for a cross-origin bypass security vulnerability. "An attacker could have bypassed cross-origin protections," Google warned in its advisory. "Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue."What's also particularly interesting about this Chrome Frame vulnerability is that it was not discovered by Google itself. It was discovered by Microsoft. So to recap, Microsoft was worried months ago that Google Chrome Frame put IE at risk and now they've proven it. The flaw was discovered by Microsoft security research superstar Billy Rios (who speaks regularly at Black Hat events) and was reported to Google. If I read the notes correctly, all previous versions of Chrome Frame were at risk, meaning that since the day Chrome Frame launched in September until now, Chrome Frame users were vulnerable. To be fair, there were no public exploits that we know of, so it's not a zero day flaw by any measure. It is still ironic to note that Microsoft was in some respects correct in their fears about Chrome Frame. What is even more ironic though is that it is Microsoft (and not Google) that took the lead here in ensuring that Chrome Frame is secure for IE users. 0 TrackBacksListed below are links to blogs that reference this entry: Google Chrome Frame security flaw discovered by Microsoft. TrackBack URL for this entry: https://swarm.jupitermedia.com/mt-tb.cgi/9308 1 CommentsLeave a comment |
||
Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs 
Digg
Del.icio.us
furl
StumbleUpon
BlinkList
Newsvine
Magnolia
Facebook
Tailrank
Slashdot
Technorati
Google
Bookmarks
Yahoo
Favorites
Windows
Live
Ask
Ultimately, doubling the number of rendering engines in the IE browser doubles the attack surface. And since almost all code has got some vulnerabilities, it was a matter of when, not if.
This is what Chester Wisniewski blogged about at Sophos when this was first introduced:
http://www.sophos.com/blogs/chetw/g/2009/10/17/wrong-browsers-giving-control-admins/
If admins want their users to use Chrome, they should just install Chrome. Plugging Chrome into IE seems like a rube-goldberg contraption likely for failure.
Michael Argast, Security Analyst, Sophos