As if anybody is surprised, Ars Technica reports that Microsoft recommends against Internet Explorer users installing Google Chrome Frame citing security concerns.
As I blug (I like that better than "blogged," for now) on Tuesday, Google Chrome Frame is a plug-in for Microsoft Internet Explorer that essentially instantiates the Chrome browser inside Internet Explorer.
Microsoft was quick to get the following statement to Ars Technica:
With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers. Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.
While a piece of malware may have two things to attack now, it would have to circumvent both Internet Explorer's security measures and Chrome's security measures in an attack. Given that Chrome was the only browser to make it through day one of the Pwn2Own hackfest in March, and given feedback from one participant stating its sandboxing feature posed a formidable challenge, it seems that it might be a while before someone even tries again. There is some debate about whether people didn't try as hard given its small market share. Nobody has said yet whether the Chrome Frame implementation differs enough from Chrome that an exploit could affect both in the same way. If users upgrade to IE8, considered very secure by many, then the issue may be moot. At that point, however, users on IE8 who install Chrome Frame are more likely to be trying new features instead of using it as a workaround to outdated browser features and support.
The big question is, how long before Microsoft changes its plug-in architecture in an IE update (for security reasons, I'm sure) that essentially disables Chrome?