Microsoft Finds Security Flaw in Google Chrome Frame

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.

[ ALSO SEE: Inside the Google Chrome OS Security Model ]

Here’s the explanation from Google’s Mark Larson:

  • Severity: High. An attacker could have bypassed cross-origin protections. Although important, “High” severity issues do not permit persistent malware to infect a user’s machine. We’re unaware of any exploitation of this issue.

The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

The plug-in update also fixes several bugs:

    * Network requests fail randomly.
    * Fix issues with CFInstall.js to better detect compatible OS and browser versions, allow users to cancel the installation frame, and not cache the isAvailable result.
    * Don’t use Google Chrome Frame for frames or iframes.
    * Follow redirects properly.
    * IE8 freezing intermittently.
    * Remove data directories on uninstall.

“All users should be updated automatically,” Larson said.

Suggested articles

Discussion

  • Larry Seltzer on

    I suppose it's possible that some of the lesser bugs are also in Chrome but not yet updated because they're low-priority

  • Finbarr Taylor on

    I wonder how many people Microsoft have had working full time to try and discredit Chrome Frame since it was released.

  • Anonymous on

    And how many could have been fixing IE bugs instead.

  • Anonymous on

    @Anonymous:8:06 am

    If they are in the research group, then they are not IE developers. A better objection would be that they could have been looking for vulnerabilities within IE8 itself, but one could easily argue that they are by exploring the Google Frame, which is intended to be a major part of IE.

    Chances are that they are doing the research to discredit Google Frame (and therefore, Google), but by finding one, they do prove that is was worthwhile.

  • Anonymous on

    "We're unaware of any exploitation of this issue."

    We're also unaware of anyone actually using Chrome Frame.

  • TigerBombs on

    Finding vulnerabilities isn't so much of an issue as having the vendor patch them quickly.  This has already been patched by Google.  I remember the days when Internet Explorer went unpatched for what like 2 years or 4 years at a time.  I just hope no one thinks that Microsoft is proving anything by finding software vulnerabilities in Chrome Frame.  Vulnerabilities will always exist - responsible vendors who patch quickly, those are the rarity.

  • Peter Kasting on

    It's Mark Larson, not Matt Larson.

  • Adam on

    Dennis, You're right--the security teams at Microsoft are interested in both Microsoft products and 3rd party software which runs on MS platforms. We have a lot of smart security researchers and they find lots of interesting bugs. I'm glad that we have a way to responsibly manage those with the 3rd parties. There's more information in a MSVR fact sheet at http://www.microsoft.com/presspass/events/blackhat/docs/MSVRFS.doc Adam
  • Anonymous on

    lol, IE is a virus/malware/adware sponge.  MS forces their .net plugin into firefox that was actually difficult to disable at first, turning firefox into the same virus/malware/adware sponge.  Then they find 1 problem with google and start making some noise.  hahahaha

  • Anonymous on

    Google has just let loose the via Dev channel an updated build of its fast-paced browser, Chrome. According to its makers, Chrome 4.0.206.1, which can be downloaded from this page, features... for more visit:

    http://www.techarena.in/download/chrome/google-chrome.htm

  • Anonymous on

    Interesting to see that this comes on "threadpost", which is run by kaspersky - which in turn is owned by Microsoft :-)

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.