The InformationWeek -- Blogs
Microsoft and Mozilla Agree On Browser Risks


Posted by Dave Methvin, Oct 17, 2009 11:12 PM

Usually the PC press spends a lot of time pitting the number 1 and number 2 browser makers against each other. I think that's just mean, and would prefer to focus on the important issues where they agree. Wouldn't you know, Microsoft and Mozilla have found common ground on the issue of browser plugins: both companies agree they can be dangerous.


Microsoft started the ball rolling when Google announced the Chrome plugin for Internet Explorer. That plugin lets you avoid the limitations of IE's browser engine by replacing it with Chrome's browser engine, without leaving Internet Explorer. Microsoft responded to the announcement by saying, "Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take." Strong words indeed.

Just yesterday, Mozilla joined Microsoft in warning about the security dangers of browser plugins. Mozilla's concern was with two plugins that Microsoft installs into Firefox: the .NET Framework Assistant and the Windows Presentation Foundation. Last week saw a record patch day from Microsoft, including fixes for security issues in these two plugins. But Mozilla went further than Microsoft, moving beyond strong words and popping up a dialog to Firefox users with a recommendation that they disable these two plugins.

Both companies are right. Anything you add to a browser increases the attack surface and increases the potential for security issues. In the case of the Google Chrome plugin, though, this is mitigated by three things. First, the user must consciously decide to install the Chrome plugin for IE. Second, the author of a web page must add a META tag to request that the Chrome plugin be used for IE users who happen to have it installed. So it's unlikely that any IE user will accidentally find themselves running Chrome for a web page. Third, there aren't any particular security threats that seem to be targeting Google Chrome at the moment.

Let's compare that to the two Microsoft plugins that find their way into Firefox. Neither of them is installed with any meaningful input from the user. Windows users have them delivered through Windows Update as high-priority items; if the system is set to install updates automatically, the user will need to dig deep to even see they were installed. These plugins have documented security problems with in-the-wild exploits.

The reason Microsoft is so keen to have these plugins running in Firefox is that they support foundation Microsoft technologies. Developers are less likely to use those technologies if they are responsible for getting their users to install (and potentially update) such "Microsoft plumbing" plugins. As Firefox grows in popularity, Microsoft is in the uncomfortable position of needing to get those plugins into a browser they don't control.

So it's great to see that Microsoft's Internet Explorer group and Mozilla's Firefox group agree on browser security, and even better that Mozilla has taken steps to protect Firefox users from a security threat put there by Microsoft without user consent. Perhaps the Microsoft IE folks can have a little talk with the Microsoft .NET Framework folks and convince them not to install browser plugins that the user didn't request. Then, Microsoft and Microsoft would both agree on browser security.
