HomePatch Management
November 19, 2009, 12:52PM

Microsoft Finds Security Flaw in Google Chrome Frame

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a "high risk" security vulnerability that could allow an attacker to bypass cross-origin protections.

[ ALSO SEE: Inside the Google Chrome OS Security Model ]

Here's the explanation from Google's Mark Larson:

  • Severity: High. An attacker could have bypassed cross-origin protections. Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

    * Network requests fail randomly.
    * Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result.
    * Don't use Google Chrome Frame for frames or iframes.
    * Follow redirects properly.
    * IE8 freezing intermittently.
    * Remove data directories on uninstall.

"All users should be updated automatically," Larson said.

Shorten URL: http://threatpost.com/en_us/laN. Click to copy to clipboard or post to Twitter

Comments

Submitted by Larry Seltzer (not verified) on Thu, 11/19/2009 - 2:10pm.

I suppose it's possible that some of the lesser bugs are also in Chrome but not yet updated because they're low-priority

Submitted by Finbarr Taylor (not verified) on Fri, 11/20/2009 - 8:50am.

I wonder how many people Microsoft have had working full time to try and discredit Chrome Frame since it was released.

Submitted by Anonymous (not verified) on Fri, 11/20/2009 - 9:06am.

And how many could have been fixing IE bugs instead.

Submitted by Ryan Naraine on Fri, 11/20/2009 - 12:21pm.

The MSVR team has been in place since 2008 (announced at Black Hat) and I'm sure they've found boatloads of vulns in other third-party software.  We only know about this one because MSVR was credited in the Google bulletin.

_r

Submitted by Anonymous (not verified) on Fri, 11/20/2009 - 1:10pm.

@Anonymous:8:06 am

If they are in the research group, then they are not IE developers. A better objection would be that they could have been looking for vulnerabilities within IE8 itself, but one could easily argue that they are by exploring the Google Frame, which is intended to be a major part of IE.

Chances are that they are doing the research to discredit Google Frame (and therefore, Google), but by finding one, they do prove that is was worthwhile.

Submitted by Dennis Fisher on Fri, 11/20/2009 - 1:19pm.

I think the MSVR and the SWIAT (Secure Windows Initiative Attack Team) are separate entities with separate missions. The SWIAT (which may have a different name now) guys focus on attacks on Windows and other MSFT products, and the MSVR is looking for vulnerabilities in 3rd party software. But I doubt the MSVR's reason for being is to discredit those vendors. MSFT has spent the last 10 years on the other end of that equation and I'd guess their main interest is in making the software that runs on Windows machines safer, because they know that Windows users tend to put all of the blame for security problems on MSFT, regardless of which software has the problem.

Submitted by Anonymous (not verified) on Fri, 11/20/2009 - 3:08pm.

"We're unaware of any exploitation of this issue."

We're also unaware of anyone actually using Chrome Frame.

Submitted by TigerBombs (not verified) on Fri, 11/20/2009 - 3:21pm.

Finding vulnerabilities isn't so much of an issue as having the vendor patch them quickly.  This has already been patched by Google.  I remember the days when Internet Explorer went unpatched for what like 2 years or 4 years at a time.  I just hope no one thinks that Microsoft is proving anything by finding software vulnerabilities in Chrome Frame.  Vulnerabilities will always exist - responsible vendors who patch quickly, those are the rarity.

Submitted by Peter Kasting (not verified) on Fri, 11/20/2009 - 3:49pm.

It's Mark Larson, not Matt Larson.

Submitted by Adam (not verified) on Fri, 11/20/2009 - 5:22pm.
Dennis, You're right--the security teams at Microsoft are interested in both Microsoft products and 3rd party software which runs on MS platforms. We have a lot of smart security researchers and they find lots of interesting bugs. I'm glad that we have a way to responsibly manage those with the 3rd parties. There's more information in a MSVR fact sheet at http://www.microsoft.com/presspass/events/blackhat/docs/MSVRFS.doc Adam
Submitted by Anonymous (not verified) on Sat, 11/21/2009 - 9:20am.

lol, IE is a virus/malware/adware sponge.  MS forces their .net plugin into firefox that was actually difficult to disable at first, turning firefox into the same virus/malware/adware sponge.  Then they find 1 problem with google and start making some noise.  hahahaha

Submitted by Anonymous (not verified) on Mon, 11/23/2009 - 7:42pm.

Google has just let loose the via Dev channel an updated build of its fast-paced browser, Chrome. According to its makers, Chrome 4.0.206.1, which can be downloaded from this page, features... for more visit:

http://www.techarena.in/download/chrome/google-chrome.htm

Submitted by Anonymous (not verified) on Fri, 12/04/2009 - 2:37pm.
Interesting to see that this comes on "threadpost", which is run by kaspersky - which in turn is owned by Microsoft :-)

Post new comment

The content of this field is kept private and will not be shown publicly.
CAPTCHA
Please enter the two words below to help prevent spam.
Incorrect please try again
Enter the words above: Enter the numbers you hear:
Get another CAPTCHA
Get an audio CAPTCHA
Get an image CAPTCHA
Help

 

Copyright © 2010 threatpost.com | Terms of Service | Privacy