Microsoft says Google Chrome Frame doubles attack surface on IE8

Microsoft-Google browser war continues

Microsoft is claiming that the Chrome Frame plug-in Google designed to speed up Internet Explorer will "double" the attack surface in IE8.

As we reported in Network World earlier today, Google has taken the beta tag off Chrome Frame, saying the add-on for IE6, 7 and 8 will speed up Microsoft's browsers with HTML5 and advanced JavaScript technology.

Google tries to fix Microsoft's Internet Explorer with Chrome Frame

While Microsoft has made significant improvements in performance with Internet Explorer 9, that browser will only work on Windows 7 and Windows Vista, even though Windows XP is the most widely used OS. Google is, in a way, positioning Chrome Frame as an alternative for XP users who can't take advantage of IE9 and who have not made the complete switch to Google's Chrome browser.

Google took a shot at Microsoft with the release of Chrome Frame, saying that because of limitations in Internet Explorer, developers are sometimes forced to "limit the functionality of their apps."

In response, Microsoft is accusing Google of increasing the risk of attack by adding to the attack surface of IE8. Microsoft did not mention IE6 or IE7, although those browsers are out-of-date and Microsoft doesn't recommend using them anyway.

"With Internet Explorer 8, Microsoft made significant advancements to make the browser faster and safer for our customers," Microsoft said in an email to Network World. "Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

Google, of course, touts its own security features, such as a sandboxing method that "helps prevent malware from installing itself on your computer or using what happens in one browser tab to affect what happens in another."

Microsoft points to research by NSS Labs that says IE8 provides the "best protection against socially-engineered malware."

Microsoft's claim that Chrome Frame doubles the attack surface of IE8 is almost identical to what the company said last year when Google first began releasing details about the technology.

At the time, Google responded by saying that Chrome Frame was designed with security in mind and would bring Chrome's sandboxing and malware protection features to Internet Explorer, according to an article in eWeek

The latest argument is mainly a rehash of what was discussed last year, but now that Chrome Frame is out of beta we could be close to finding out whether Microsoft's security claims are correct. The first web applications to use Chrome Frame include Google's own services such as Docs and YouTube, so if Google was lax in security it could pay the price. 

Follow Jon Brodkin on Twitter.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.