Google bypasses admin controls with latest Chrome IE
'Screw your BOFH. Install our plug-in'
Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines.
The new version runs a "helper process" when IE starts up that can then load the Chrome Frame plug-in when it's requested, and you don't need admin privileges to do so. "Yay for clever technical hacks that help users circumvent ossified IT bureaucracy," said one commenter on Hacker News. But admins aren't likely to feel the same.
Google is well aware of this. But the company says that if admins don't like it, they can use separate Google admin tools to stop it from happening.
Older versions of IE can sit on machines for years, as admins seek to ensure that custom web applications will run properly. What's more, many machines are still on Microsoft's Windows XP operating system, which means they can't be upgraded to Microsoft's latest version of Internet Explorer, IE9, the release that finally brought the browser into the modern world. IE9 won't run on Windows XP.
"Google Chrome Frame ... is a bridge of sorts," Google's Alex Russell said last month at Google's developer conference. "Instead of asking users to replace their browser – or asking IT organizations to run two browsers side-by-side – Google Chrome Frame puts the power of Google chrome inside Internet Explorer."
If you visit a site that has been set up to do so, it will launch Chrome Frame rather than Microsoft's native engine. And users can set Chrome Frame as their default engine via a registry key. Google also provides tools that allow websites to readily encourage users to install Chrome Frame, and some sites, including Yahoo!, are already doing so. Google's Gmail uses Chrome Frame, and the company says the email service runs 30 per cent faster on the plug-in than on older versions of IE.
Google has long urged admins to adopt Chrome Frame, offering tools for managing the installations and updates of the plug-in, but now it's also allowing end users to install the plug-in without an administrator's approval. Last month, Russell briefly touched on Google's technical workaround – which involves the use of Browser Helper Objects (BHOs) – but he provided little detail.
"A very small portion of Chrome Frame lives inside the process space of IE," he said. "This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space." Google can do so even if the user doesn't have admin privileges.
When we asked Google about its end-run around admin controls, it pointed out that admins can still prevent the installation of the plug-in using Google Update controls. "An admin can still apply policies as before, if they wish," a company spokeswoman told us. "They can have a policy in place that will prevent users from installing Chrome Frame, if desired, just as they can any other Google software managed by Google Update."
It's a typical Google defense. The company is offering a way for you to prevent something from happening. But first you have to realize it's happening. And Google knows that many will fail to realize it.
One wonders what Microsoft thinks of all this. But when we asked the company to comment, its response was guarded. "We believe we deliver the best out-of-the-box browsing experience enabling users to get the best of the web without needing additional plug-ins or add-ons," said a company spokeswoman.
"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers," the company told us. "Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."
Days later, Mozilla complained as well. Mozilla VP of engineering Mike Shaver pointed out that Chrome Frame sidestepped IE's built-in security tools, and he argued that it would end up confusing netizens. "The user’s understanding of the web’s security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit," he said, alluding to the fact that after you install Chrome Frame, individual websites decide when to launch it.
"It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," Shaver said.
Mozilla boss Mitchell Baker agreed. "If you end up at a website that makes use of the Chrome Frame, the treatment of your passwords, security settings, personalization, and all the other things one sets in a browser is suddenly unknown," she said. "Will sites you tag or bookmark while browsing with one rendering engine show up in the other? Because the various parts of the browser are no longer connected, actions that have one result in the browser you think you’re using won’t have the same result in the Chrome browser-within-a-browser."
With the release of the Chrome Frame beta the following summer, Google addressed some of this criticism. If you're using IE's private browsing mode and the browser flips on Chrome Frame, Google will turn on a similar setting. And in similar fashion, the plug-in also dovetails with IE's cache-clearing and cookie-blocking tools.
This may have satisfied some, but the latest version of the plug-in is sure to raise the ire of others. During his talk last month, Russell even acknowledged this. But his ultimate answer was to point admins to Google's official tools for managing Chrome Frame. "[Chrome Frame non-admin installs] scares the bejesus out of a lot of IT administrators. And admittedly, their concerns aren't wrong. If you're an IT administrator, you want your users to be running a locked-down configuration," he said. "So over the last year, we've done a lot of work to make sure Chrome and Chrome Frame can be administered in the way that you want."
There you have it. Google has offered a way for users to skirt admin controls. And if admins don't like it, they can put a stop to it by setting up other controls. Of course, many won't even be aware that "non-admin" Google Chrome Frame even exists. There's a reason Google has launched the thing. ®