Google bypasses admin controls with latest Chrome IE

'Screw your BOFH. Install our plug-in'

Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines.

The new version runs a "helper process" when IE starts up that can then load the Chrome Frame plug-in when it's requested, and you don't need admin privileges to do so. "Yay for clever technical hacks that help users circumvent ossified IT bureaucracy," said one commenter on Hacker News. But admins aren't likely to feel the same.

Google is well aware of this. But the company says that if admins don't like it, they can use separate Google admin tools to stop it from happening.

Mountain View announced its "non-admin" Chrome Frame last month at its annual developer conference in San Francisco, but it has only just released a stable version of the new plug-in. The change is part of Google's ongoing effort to bring the latest web applications to the older versions of Internet Explorer still running on so many machines across the globe. IE8 and earlier versions of Microsoft's browser lack support for HTML5, Canvas, and the latest CSS/Layout handling – and have slow JavaScript engines to boot – but they're still widely used in the enterprise.

Older versions of IE can sit on machines for years, as admins seek to ensure that custom web applications will run properly. What's more, many machines are still on Microsoft's Windows XP operating system, which means they can't be upgraded to Microsoft's latest version of Internet Explorer, IE9, the release that finally brought the browser into the modern world. IE9 won't run on Windows XP.

In essence, Chrome Frame equips Microsoft's browser with the rendering and JavaScript engines at the heart of Google's Chrome browser, and despite vehement objections from Microsoft – and others – Google is intent on slipping the plug-in into as many existing installations of IE 6, 7, and 8 as it possibly can. On one level, Google is even hoping to get Chrome Frame into Internet Explorer 9, which does not support WebGL, the new standard for hardware accelerated 3D inside browsers.

"Google Chrome Frame ... is a bridge of sorts," Google's Alex Russell said last month at Google's developer conference. "Instead of asking users to replace their browser – or asking IT organizations to run two browsers side-by-side – Google Chrome Frame puts the power of Google Chrome inside Internet Explorer."

If you visit a site that has been set up to do so, it will launch Chrome Frame rather than Microsoft's native engine. And users can set Chrome Frame as their default engine via a registry key. Google also provides tools that allow websites to readily encourage users to install Chrome Frame, and some sites, including Yahoo!, are already doing so. Google's Gmail uses Chrome Frame, and the company says the email service runs 30 per cent faster on the plug-in than on older versions of IE.

Google has long urged admins to adopt Chrome Frame, offering tools for managing the installations and updates of the plug-in, but now it's also allowing end users to install the plug-in without an administrator's approval. Last month, Russell briefly touched on Google's technical workaround – which involves the use of Browser Helper Objects (BHOs) – but he provided little detail.

"A very small portion of Chrome Frame lives inside the process space of IE," he said. "This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space." Google can do so even if the user doesn't have admin privileges.

When we asked Google about its end-run around admin controls, it pointed out that admins can still prevent the installation of the plug-in using Google Update controls. "An admin can still apply policies as before, if they wish," a company spokeswoman told us. "They can have a policy in place that will prevent users from installing Chrome Frame, if desired, just as they can any other Google software managed by Google Update."

It's a typical Google defense. The company is offering a way for you to prevent something from happening. But first you have to realize it's happening. And Google knows that many will fail to realize it.

One wonders what Microsoft thinks of all this. But when we asked the company to comment, its response was guarded. "We believe we deliver the best out-of-the-box browsing experience enabling users to get the best of the web without needing additional plug-ins or add-ons," said a company spokeswoman.

Microsoft wail

Chrome Frame first hit the web in September 2009 as a developer preview, when Mountain View was preparing to expand access to Google Wave, the now-defunct communication platform that relied heavily on fresh standards such as HTML5 and required rather speedy JavaScript and DOM performance. The day the plug-in was first released, Microsoft let out a wail.

"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers," the company told us. "Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

Days later, Mozilla complained as well. Mozilla VP of engineering Mike Shaver pointed out that Chrome Frame sidestepped IE's built-in security tools, and he argued that it would end up confusing netizens. "The user’s understanding of the web’s security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit," he said, alluding to the fact that after you install Chrome Frame, individual websites decide when to launch it.

"It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," Shaver said.

Mozilla boss Mitchell Baker agreed. "If you end up at a website that makes use of the Chrome Frame, the treatment of your passwords, security settings, personalization, and all the other things one sets in a browser is suddenly unknown," she said. "Will sites you tag or bookmark while browsing with one rendering engine show up in the other? Because the various parts of the browser are no longer connected, actions that have one result in the browser you think you’re using won’t have the same result in the Chrome browser-within-a-browser."

With the release of the Chrome Frame beta the following summer, Google addressed some of this criticism. If you're using IE's private browsing mode and the browser flips on Chrome Frame, Google will turn on a similar setting. And in similar fashion, the plug-in also dovetails with IE's cache-clearing and cookie-blocking tools.

This may have satisfied some, but the latest version of the plug-in is sure to raise the ire of others. During his talk last month, Russell even acknowledged this. But his ultimate answer was to point admins to Google's official tools for managing Chrome Frame. "[Chrome Frame non-admin installs] scares the bejesus out of a lot of IT administrators. And admittedly, their concerns aren't wrong. If you're an IT administrator, you want your users to be running a locked-down configuration," he said. "So over the last year, we've done a lot of work to make sure Chrome and Chrome Frame can be administered in the way that you want."

There you have it. Google has offered a way for users to skirt admin controls. And if admins don't like it, they can put a stop to it by setting up other controls. Of course, many won't even be aware that "non-admin" Google Chrome Frame even exists. There's a reason Google has launched the thing. ®
