MS Finds Security Flaw In Google Chrome Frame

timothy posted more than 4 years ago | from the they're-the-experts dept.

Internet Explorer 214

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

214 comments

Dude (5, Funny)

Anonymous Coward | more than 4 years ago | (#30169532)

MS Finds Security Flaw In Google Chrome Frame

Timothy, you owe me a new Transformers t-shirt. I just spat coffee all over myself.

Re:Dude (0, Troll)

erroneus (253617) | more than 4 years ago | (#30169912)

I had nearly the same reaction. Microsoft does not appear to be in the "finding security flaws" business and to my knowledge, this is the first I have ever heard of Microsoft's researchers finding anything. Seems to me Microsoft depends on its customers, competitors and 'haters' to find security flaws.

Re:Dude (3, Insightful)

blowdart (31458) | more than 4 years ago | (#30169954)

Then you haven't been paying much attention. Billy Rios has discovered the GIFAR problem [hackaday.com] with Java. Of course they're only looking at things that affect their software, in much the same way that Google doesn't go looking for software bugs in Microsoft products.

Why is it so surprising that security researchers employed by a company only look at that company's software, and aren't credited in the security patch reports for just doing their jobs?

Re:Dude (4, Interesting)

Anonymous Coward | more than 4 years ago | (#30170368)

> in much the same way that Google doesn't go looking for software bugs in Microsoft products.

You need to keep a closer eye on Microsoft bulletins, it actually happens regularly.

http://www.google.com/search?hl=en&q=site:microsoft.com+Google+intitle:"Microsoft+Security+Bulletin" [google.com]

Re:Dude (1)

blowdart (31458) | more than 4 years ago | (#30170532)

Dear god, that's impressive. Now if we read down and take all the "MS are doing this to embarrass Google", would it be said for bugs reported from Google to Microsoft? No, don't be silly. *sigh* Hypocrisy abounds.

Re:Dude (1, Funny)

naasking (94116) | more than 4 years ago | (#30170490)

> in much the same way that Google doesn't go looking for software bugs in Microsoft products.

To be fair, you don't really have to "look" to find bugs in MS products...

Re:Dude (0)

Anonymous Coward | more than 4 years ago | (#30170690)

Hurf durf.

Expected (1, Insightful)

Stratoukos (1446161) | more than 4 years ago | (#30169534)

I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

Re:Expected (3, Insightful)

Jojoba86 (1496883) | more than 4 years ago | (#30169572)

Great thing is even if they'd done the alternative and decided not to look for security flaws they can still get a bashing from the pro-Google crowd! Either way Microsoft loses!

Re:Expected (3, Insightful)

sa666_666 (924613) | more than 4 years ago | (#30169810)

Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate. You can bet that this whole situation is an embarrassment to Microsoft; it took another company to patch their software to work correctly, when they should have been able to do it themselves. Some egos were bruised in the process, and you can be damn well sure that there's a team willing to do everything they can to discredit Google's achievement.

So while I commend Microsoft on doing some testing on Google Frame, I don't commend them on the reason for Google having to write the code in the first place. Not to mention that their motives are suspect as well. If they can find a bug so quickly, what's their excuse for having their other products so buggy?

Re:Expected (3, Insightful)

spyrochaete (707033) | more than 4 years ago | (#30169890)

> Sure, since the only reason Google had to create this code in the first place is because Microsoft wouldn't step up to the plate.

Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. IE9 will support it, I believe, though MS balked at supporting a non-final language.

I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels. It's a very Google ideal to embrace beta and subject users to technologies while they're still only half baked. Microsoft releases beta software too, but with warnings not to use the software in production. HTML5 is a good example of this difference of philosophy, and certainly so is this Chrome Frame plugin which is essentially a sloppy man-in-the-middle attack vector. It's like one of those obnoxious browser toolbars that acts as an intermediary to hijack all your search queries.

Re:Expected (1)

edumacator (910819) | more than 4 years ago | (#30169974)

> I think this is all just an excuse for Google to turn up its nose at Microsoft by making them look like they're dragging their heels.

Really? I very seriously doubt that they did this just to turn their collective nose up at Microsoft. Might it be that they want a more usable browser, so they get more eyes on their own products?

> I believe, though MS balked at supporting a non-final language.

Wouldn't you consider the fast pace of development a reason to at least support the most obvious standards? If our browsers wait for the final standards, that will slow the development process down. Now before you come flaming back at me, I'm not saying everything should be released bleeding edge, but there has to be some place in the middle that could be effective. You have to admit, IE hasn't had a stellar record of being a progressive, or even current browser.

Re:Expected (0)

Anonymous Coward | more than 4 years ago | (#30170004)

Standards are based on implementation. Standards committees rarely invent anything. If you think it's not established yet, you're already behind the curve.

As far as Microsoft dragging their heels, Microsoft has already dragged their heels and as proof, they only started showing up for HTML5 discussions a month ago even though they were co-chair of that working group.

The IEBlog released early details about IE9 and it looks like it will catch up to where all the other browsers were a couple years ago, yet IE9 won't be out for two more, making it at least 5 years behind everyone else. Talk about dragging their heels. Kicking and screaming I'd say.

Re:Expected (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#30170010)

Consider the landscape of alternatives, though.

Web designers have, for years, been depending on functionality that isn't even on any kind of standards track, much less maturely standardized. We call it Flash(and to a lesser extent other "rich content" plugins; but mostly Flash). Web designers have, frequently, depended on it for all kinds of things, it is often considered a must-have for web browsers, and is every bit as ghastly, if not considerably more so, in implementation.

By comparison, HTML5 is positively civilized. Chrome Frame is basically just an "HTML 5 Player" plugin, whose necessity will hopefully evaporate over time. It is, certainly, a kludge; but there are presently no alternatives to that. You can either give up broad swaths of web application features entirely, and deal with the oh-so-standard world of native application development; or base your webapp features on one or more plugins(flash, java, silverlight, etc.), or you can use HTML5 stuff.

Re:Expected (1)

tepples (727027) | more than 4 years ago | (#30170036)

> Is this a comment about HTML5 support?

The 80 percent of Acid3 that Internet Explorer 8 fails can't be all HTML5. For example, where is SVG in IE8?

Re:Expected (1)

JasterBobaMereel (1102861) | more than 4 years ago | (#30170044)

HTML 5 not a standard yet .... Like HTML 4 was not a standard until 2000, but supported in every browser well before this, including IE (with IE only extensions)

And IE *still* does not fully support ISO HTML (HTML 4.01) Nine years later .....

Re:Expected (1)

clone53421 (1310749) | more than 4 years ago | (#30170306)

No, it's a comment on how (historically) awful IE has been with respects to security. HTML5 is just icing on the cake. If MS wants to reverse this trend they're going to have to put some serious effort into it – one decent browser, if we're going to call IE8 that, isn't enough to overlook the trend.

Re:Expected (1)

Aldenissin (976329) | more than 4 years ago | (#30170580)

> Is this a comment about HTML5 support? The standard isn't even established yet so it seems irresponsible for web designers to use that format for their entire framework, and premature to consider it a must-have for web browsers. ....

What about the open document standard proposed by Microsoft? They expect everyone else to use a format for their framework that is on a standard that many testified didn't make technical sense and flat out wouldn't work as written. Yet there was an optional standard already being used in practice but they opposed it since THEY didn't come up with it and wouldn't put them in the advantage.

Re:Expected (1)

mcgrew (92797) | more than 4 years ago | (#30170752)

> If they can find a bug so quickly, what's their excuse for having their other products so buggy?

That's an easy question. All their security guys are looking for bugs in other companies' products.

Re:Expected (3, Insightful)

Ed Avis (5917) | more than 4 years ago | (#30169630)

> I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

Heh. If so, it's a good reason to use Google Chrome Frame. A program that has an active bug-finding team is more trustworthy than one where bugs and security holes are hushed up.

However, I don't think Microsoft would set out to help their competitor in this way.

Re:Expected (5, Informative)

Ginger Unicorn (952287) | more than 4 years ago | (#30169678)

At first I thought the "google has hurried out a patch" in the summary was a quote from MS glibly dismissing the notion of fixing the problem in a timely manner, but looking through the article it seems this is a remark made by the submitter.

Re:Expected (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30169782)

A security hole was found, and was patched. Who cares what Microsoft's motives were? This is competition, and it's working!

Re:Expected (3, Funny)

Narpak (961733) | more than 4 years ago | (#30169808)

In an attempt at humour I will add that making "IE less secure" seems redundant. Much like this post.

Re:Expected (4, Insightful)

Arancaytar (966377) | more than 4 years ago | (#30169894)

Good thing too. If competitors spent more time actively looking for bugs in each others' software instead of paying their marketroids to spread FUD, everyone would be better off.

Re:Expected (5, Insightful)

Gadget_Guy (627405) | more than 4 years ago | (#30169964)

> I am willing to bet good money that Microsoft formed a team responsible for finding bugs in Google frame just to discredit them.

In that case, why didn't Microsoft loudly announce it to the world and shame Google?

Instead, they quietly reported it to Google so that they could fix the problem. Once the bug was fixed, Google acknowledged the security researcher who discovered the bug. This is exactly how the system is supposed to work so that everybody wins - we get safer software, Google doesn't have to "hurry out a patch" (without proper testing) and Microsoft gets the credit for the discovery. The bug gets fixed without tipping off the malware writers.

And why does everybody act so responsibly? Because next time it might be a Google employee that finds a bug in Microsoft's products. Microsoft would like to be afforded the same courtesy. Similarly, if Google didn't acknowledge Microsoft, then the next security researcher who finds a bug in Chrome may decide to get their credit by going public rather than following protocol. Remember that this public recognition is the same as an academic being published in a journal. It is how they build their reputation, and ultimately how they will get future employment.

At least they patched it (4, Interesting)

santax (1541065) | more than 4 years ago | (#30169540)

And not wait another week until it's patch-Tuesday.

Re:At least they patched it (5, Informative)

Tim C (15259) | more than 4 years ago | (#30169560)

Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.

I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

Re:At least they patched it (1, Troll)

EyelessFade (618151) | more than 4 years ago | (#30169868)

In linux they push patches all the time, but a company (like the one I work for) can still screen and test them before they roll out. They can also push it out faster if it's a critical bug, and not have to wait for the vendor first.

Re:At least they patched it (3, Informative)

Anonymous Coward | more than 4 years ago | (#30170066)

Microsoft will release a patch "out of band" (not on patch Tuesday) when it is an emergency critical type issue. The others, they release on the same day so that corporations get the benefit of a single set of patches to look for and home users get all the patches with one reboot instead of a dribble of patches over the month, some of which require a reboot and some of which don't.

Re:At least they patched it (1)

TheNinjaroach (878876) | more than 4 years ago | (#30170430)

> In linux they push patches all the time, but a company (like the one I work for) can still screen and test them before they roll out.

It works that way in the Windows world, as well. We have some kind of Windows Update server here that downloads all patches for all the flavors of Windows that we use. Then an administrator clicks approve for each patch and our local server pushes the updates to our Windows desktops and servers.

Re:At least they patched it (1)

QuoteMstr (55051) | more than 4 years ago | (#30169988)

Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.

Delayed full disclosure (3, Informative)

tepples (727027) | more than 4 years ago | (#30170128)

> Why can't vendors implement their own Patch Tuesdays? That is, Microsoft would release patches any time, and large vendors would simply allow them to accrue until their internal "Patch Tuesday" came around, at which time they'd test and apply the patches.

The vulnerability that the patch fixes is often disclosed along with the patch. So by the time the vulnerability becomes public, the script kiddies are likely already exploiting the vulnerability against targets with their own patch schedules.

Re:At least they patched it (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30170028)

> Patch Tuesday is the fault of the big corporate customers, who demanded that patches be released on a schedule so they had more time to plan around testing and rolling them out.
>
> I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

A true statement but not fully accurate. The reason they went to Patch Tuesday is, as you pointed out, at the request of their corporate users. What you don't point out is that the reason behind the request was because Microsoft was pushing out patches every time you turned around, in some cases daily. Some of these so called patches weren't just "fixes" but new functionality or functionality changes, not something addressing security vulnerabilities. Many times these functionality changes, and some of the security fixes, caused existing systems to stop working with no warning. This is why the corporate users really requested a scheduled patch system, they were tired of unexpected updates breaking the systems.

Re:At least they patched it (0)

Anonymous Coward | more than 4 years ago | (#30170074)

Listen to some customers, that's right. If you have a customer base like the one MS have, you can probably excuse every move on customer request.

If they had made their Update procedure a little more flexible, more customers might be happy.

It's called WSUS (1)

gravyface (592485) | more than 4 years ago | (#30170236)

You can tell WSUS to queue up and wait for approval before rolling any patches out -- the rest of us can get our patches when they're ready.

Re:At least they patched it (1)

naasking (94116) | more than 4 years ago | (#30170524)

> I don't like it either, but it's not like it's something MS made up just to piss us off, they're doing exactly what their customers have asked for.

The customer is not *always* right...

Re:At least they patched it (4, Insightful)

heffrey (229704) | more than 4 years ago | (#30169698)

Yeah it would be much better if the patches came out like they do for Firefox so that every other time you start Firefox you have to navigate an update dialog!

Re:At least they patched it (4, Insightful)

santax (1541065) | more than 4 years ago | (#30169714)

That is a small price to pay for an updated browser that is secure against attacks that already are in the wild. Remember: the exploit always comes before the fix.

Re:At least they patched it (2, Funny)

Carewolf (581105) | more than 4 years ago | (#30169804)

Binaries installed or modified outside the packaging system is a security flaw, not to mention impossible to maintain. Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

Re:At least they patched it (5, Funny)

tokul (682258) | more than 4 years ago | (#30169900)

> Every time Firefox opens an update dialog, it is effectively asking me to take a shitload on my Linux installation... and kill a kitten.

Not on your Linux installation, but in your own home directory. Unless you run as root. If you do run Firefox as root, then you should not worry about kittens killed when Firefox is updated. You kill them every second spent in your X session.

Re:At least they patched it (1)

FlyingBishop (1293238) | more than 4 years ago | (#30170406)

Well, sure, but that's only because I have


while [$TRUE]; do ; killall kitten; sleep 1; done;

In my .xinitrc.

Re:At least they patched it (1)

cloudmaster (10662) | more than 4 years ago | (#30170820)

That extra semicolon between the "do" and "killall" (and lack of spaces between the test operator and condition - unless you have a binary named [$TRUE]) is a clever way to prevent X from starting as root, but it'd be easier to just not type startx at all. Putting syntax errors in the .xinitrc seems sketchy.

Re:At least they patched it (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30170034)

Then your distro is fucking retarded. The update mechanism in firefox can be and, on my distro is, disabled. File a bug report with your distro.

Re:At least they patched it (3, Informative)

Nerdfest (867930) | more than 4 years ago | (#30169806)

The exploit usually comes before the fix, but not always. Firefox frequently deploys fixes for security holes they've found themselves where not even a 'proof of concept' exists. Many other applications are the same.

Re:At least they patched it (4, Insightful)

santax (1541065) | more than 4 years ago | (#30170000)

I know where you're going here. But smart criminals don't publish proof of concepts. They just exploit and hope no-one will find the same exploit so it won't be fixed. Therefore I still stand behind my golden rule of security: the exploit comes before the patch. Although I suppose I can alter it a bit. The hole is there before the fix.

Re:At least they patched it (0, Redundant)

genik76 (1193359) | more than 4 years ago | (#30170278)

The browser shouldn't be so insecure it has to be patched constantly in the first place. No, I don't have any suggestions how to do it better, but there must be a better way.

Re:At least they patched it (1)

Rockoon (1252108) | more than 4 years ago | (#30170286)

Yes this "small price to pay" works very well in an environment where everything must be *certified* before being deployed... oh wait... no, it doesn't. It's all fun and games until half of your employees can't perform their work because some dipshit deployed before testing.

Re:At least they patched it (1)

heffrey (229704) | more than 4 years ago | (#30170760)

I'm very appreciative of the patches. It's the endless flow of dialogs that I abhor. Why can't they update it all in the background? I just want to use my browser, NOW!

Re:At least they patched it (1)

Gadget_Guy (627405) | more than 4 years ago | (#30170770)

> Remember: the exploit always comes before the fix.

That is not true. One easy way of finding security holes to exploit is to examine what gets fixed by patches. It shines a spotlight on the security hole and puts up a sign saying "hack me!".

There are numerous examples of worms appearing after the official patch. There was the Sasser worm [wikipedia.org] :

> The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier.

And the Blaster worm [wikipedia.org]

> The worm spread by exploiting a buffer overflow discovered by the Polish cracking group Last Stage of Delirium in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039.

Re:At least they patched it (2, Informative)

Anonymous Coward | more than 4 years ago | (#30169812)

I imagine 90% of your updates come from noscript. The author essentially just releases updates every few days just so that he can drive up views to his site and try to make money from it.

I guess that's his right, but it's annoying as hell and it's basically just made me stop updating noscript.

Re:At least they patched it (1)

jonwil (467024) | more than 4 years ago | (#30169852)

Me, I run Adblock alone and don't bother with noscript, it's more trouble than it's worth...

Re:At least they patched it (2, Informative)

Gadget_Guy (627405) | more than 4 years ago | (#30169996)

> And not wait another week until it's patch-Tuesday.

How do you know exactly when the bug was first reported to Google? For all you know, they may have sat on the problem for a month.

It seems that they did batch the updates together, because this update to version 4.0.245.1 [blogspot.com] fixes 9 different issues.

Bad day for google (0, Troll)

Anonymous Coward | more than 4 years ago | (#30169544)

Not a good day for google...first an OS that can only run web apps...completely rejected by the community...& now this...

I can't believe this (0, Flamebait)

obarthelemy (160321) | more than 4 years ago | (#30169584)

MS has security researchers ?

Don't they have anything better to do than nitpick with an addon that 0.001% of the user base has ?

Come on !

they do (-1, Flamebait)

SmallFurryCreature (593017) | more than 4 years ago | (#30169610)

MS is VERY good at finding security flaws, in everyone else's products. It is their own products they completely overlook.

And this story once again proves that MS could improve its public image instantly with one simple statement. SILENCE. MS, really, hire a lawyer as your public relations advisor. A good lawyer who always tells his clients to "SHUT THE FUCK UP".

I had just about forgotten about all the bugs in MS software... and this made me remember the entire long list of highly exploitable bugs unpatched for months or even years. Great job.

Shut up? (5, Insightful)

blowdart (31458) | more than 4 years ago | (#30169982)

Microsoft didn't make any noise about this at all. The only reason you know MS discovered it was because google credited them in the update. So what exactly would shutting up do? Would you prefer them not to have told google at all perhaps?

Re:Shut up? (4, Interesting)

blind biker (1066130) | more than 4 years ago | (#30170446)

Yeah. For once, this case was conducted in a civilized manner, much to my own surprise. Yes, I admit I am surprised, because I expected a slightly different modus operandi from a company like Microsoft, with a uber-competitive, testosterone-saturated corporate culture. This, for me, more than any other, is a proof that Microsoft is changing.

Re:Shut up? (1)

blowdart (31458) | more than 4 years ago | (#30170628)

Actually you'll find that most security flaws are treated like this, in order to give the vendor time to patch. It's part of the whole responsible disclosure [wikipedia.org] credo. As an indication of how seriously MS take this they facilitated the disclosure of Kaminsky's DNS cache poisoning discovery. He was contracting there at the time. MS called all the major vendors, and hosted meetings [zdnet.co.uk] in Redmond to kick the whole response off. He talked about it at Bluehat in 2008. Heck even Bluehat [microsoft.com] itself demonstrates something. They had speakers from Adobe and other "rivals" this year, and after about a month they put the session videos up and available to all for free.

For the better good (0)

Anonymous Coward | more than 4 years ago | (#30169648)

Anything that helps this product improve ultimately helps that adoption of HTML5. Thank you, Microsoft! ;)

Awesome! (2, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#30169658)

Now, can you please fix the sanitiser in the IE8 output encoding? [theregister.co.uk]

So quick to point out mistakes in others' software, but so slow to fix your own.

Re:Awesome! (1)

hyfe (641811) | more than 4 years ago | (#30169734)

Blærg. Finding vulnerabilities is a good thing. Fixing them is even better.

Microsoft just did a good thing. Google did too. The world just became a slightly better place.

If we just fixed the rest of the software bugs, ended world hunger, fixed the environment and I got together with my ex (whom I still miss even a year afterwards..I'm such a f***ing loser) the world would be kinda ok.

Smile :)

Re:Awesome! (0)

Anonymous Coward | more than 4 years ago | (#30169760)

> So quick to point out mistakes in others' software, but so slow to fix your own.

Exactly. They are probably pissed by Google trying to invade their browser so they'll try hard to prove this plug-in is buggy/useless/whatever.

Re:Awesome! (1)

Jeff DeMaagd (2015) | more than 4 years ago | (#30169968)

That's the problem, IE and Windows have historically required numerous patches, it would be nice if MS would do better to get their software fixed first. Finding flaws in someone else's software is not something I want to see when they don't really have their own house in order yet.

Re:Awesome! (1)

Antiocheian (859870) | more than 4 years ago | (#30169990)

> Finding flaws in someone else's software is not something I want to see

I don't think you really believe that. Personally, I'd value the published discovery of a flaw no matter who the discoverer is.

Re:Awesome! (1)

Tim C (15259) | more than 4 years ago | (#30170730)

So... you're saying that they should have sat on this until they'd fixed all outstanding issues in their own software?

i can see it all now (1, Funny)

Anonymous Coward | more than 4 years ago | (#30169684)

Google makes IE less secure, users switch to real Chrome, google (somehow) profits!

I dub thee... (1, Funny)

Anonymous Coward | more than 4 years ago | (#30169688)

... the ``glass house'' security team. Stones complimentary from the house.

woah Microsoft has good eyesight (0)

Anonymous Coward | more than 4 years ago | (#30169728)

they can see the wood for the trees

Question (0)

Anonymous Coward | more than 4 years ago | (#30169770)

Does MSIE suffer from this exploit?

That's a good thing! (-1, Redundant)

phooka.de (302970) | more than 4 years ago | (#30169798)

In its attempt to make google look bad and to discourage usage of the plugin, Microsoft looks at it with great scrutiny, possibly examining it in greater detail than their own software.

This is a good thing because it means that more errors are found more quickly and solved more timely.

At the same time, the error sounds less severe than what's in IE right from the start anyway...

Re:That's a good thing! (0)

Anonymous Coward | more than 4 years ago | (#30169910)

of course competitors software gets more scrutiny than their own... it was their reverse engineering team (later to be dubbed MSVR) that noticed a bug when they were ripping it apart.....

They were right (3, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#30169822)

The Chrome Frame was never a good idea for security. By making it opt-in for sites, like any other plugin, it dramatically increased the attack surface of IE. Now any attacker can exploit holes in IE, holes in the frame, or holes coming from the interactions between the two. If you want the features of the Chrome Frame in a more secure package, use Chrome.

Double whammy from Google (3, Insightful)

argent (18001) | more than 4 years ago | (#30169906)

Not only does this unholy merge of browsers increase the surface area for attack (though the idea of someone from Microsoft complaining about that is highly ironic), but like other Google software it brings in the Google updater.

For example, FTA: "All users should be updated automatically,"

Google updater allows a web page to push an update on you without any notification. I don't know what the security restrictions on that are, but I can't see what advantage that has over providing a separate update program that would justify the risks.

Google seems to be in the same state of denial about secure design that Microsoft was in in 1997. Let's hope they catch on... Microsoft really never has recovered from that era.

This is just a temporary inconvenience (2, Funny)

bbbaldie (935205) | more than 4 years ago | (#30169908)

Once we end all of this open standards silliness, and get you to do your internet business with safe, secure ActiveX and .Net, security woes will be a thing of the past!

Breaking news! (4, Funny)

davidbrit2 (775091) | more than 4 years ago | (#30169926)

We have early word that the security vulnerability goes by the name "Internet Explorer". Details are thin at this time, but we'll have more as the story develops. Janet, back to you in the studio.

Hell froze over! (0, Troll)

agoliveira (188870) | more than 4 years ago | (#30169958)

So Microsoft found a security problem in another company's software? Damn... maybe 2012 *is* real! The end is nigh!

... shipped a new version ... with a patch ... (1)

l3v1 (787564) | more than 4 years ago | (#30170020)

> The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.

Case closed.

Makes you wish IE flaws were so short-lived.

Microsoft Vulnerability Research. Very funny. (0)

Anonymous Coward | more than 4 years ago | (#30170038)

"...a security researcher in the Microsoft Vulnerability Research"

Well at least they realise that Chrome is a vulnerability to Microsoft. Sadly for them, I doubt this announcement will stop the profit leak.

there's a proverb (1, Insightful)

rossdee (243626) | more than 4 years ago | (#30170042)

about removing the log from your own eye before removing the mote from your neighbour's eye.

No wonder (1, Troll)

Exitar (809068) | more than 4 years ago | (#30170142)

that MS cannot find bugs in their products if they spend all the time looking for vulnerabilities in competitors' products.

I wonder how much time & money (1)

goffster (1104287) | more than 4 years ago | (#30170698)

I wonder how much time & money they invested in finding a google bug than their own software?
My guess is more than the entire budget allowed for IE6.

This story should have been titled... (4, Insightful)

Dammital (220641) | more than 4 years ago | (#30170766)

... Microsoft security researcher confirms advantages of open source transparency