MS discovers flaw in Google plug-in for IE
Microsoft has helped discover a flaw in the Google Chrome Frame plug-in for Internet Explorer users.
The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in.
Successfully exploiting the flaw gives hackers a means to bypass security controls, though not to go all the way and drop malware onto vulnerable systems.
Microsoft and security researcher Lostmon are jointly credited with discovering the vulnerability in Google's browser add-on.
Google acknowledged the flaw and urged users to update to version 220.127.116.11 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google's security advisory here. ®
Testing of the browser is almost unnecessary. It's testing and redesigning the in-house intranet systems that cost time and money. Some of that could mean complete rewrites as thousands of lines of MS-mutilated code need to be brought back to standards compliance.
Of course they're going to have to do it sooner or later, so it seems odd so many are still stuck with IE6 after over 3 years. IE6 is now considered a security problem in itself.
Now if only
MS could fix the bugs in their own browser.
I just finished developing a website for a family member (something I don't do very often), only to find that it just doesn't work in IE. The worst thing is that IE does support the features I used, but it just doesn't work properly in all situations. Microsoft knew about and acknowledged these bugs before it released IE8 (I found they had been reported to Microsoft during the IE8 betas), but their response was essentially that they had better things to do than bother fixing such trivial matters as making the browser actually work as designed.
Stupid, stupid, stupid
Do not, not, NOT use cross-browser functionality plug-ins. Ever. I don't care if you're running FF, IE, OP or Ch. Trying to make one browser behave like another is inviting people to find chinks in the interface (in both use of the term).