There has been some back-and-forth finger-pointing in the last few days between Google and Microsoft over Chrome Frame. According to multiple reports, Microsoft has said that the Chrome Frame IE plug-in (which embeds Google Chrome JavaScript and HTML 5 into IE 6, 7 and 8) puts IE users at risk. It's a claim that Google disagrees with.

From my perspective they're both right ... and wrong. Here's why:

Chrome Frame, like any plug-in for any browser, does provide extra functionality and code. As such, from a purely objective point of view, it does present a broader potential attack surface and new attack vectors. Simply put, the more code there is, the more potentially vulnerable code there is to attack.

As well, the known risk from all plug-ins (highlighted recently with Adobe's Flash) is that users do not update them as often as they should, leaving them at risk.

At this early stage, it's not clear to me how Chrome Frame is updated, though Google Chrome itself has one of the best updating systems around, providing transparent automatic updates to users.

On the other side of the equation, Chrome (to date) has not been as widely attacked as IE. There have not been nearly as many (not even close) publicly known vulnerabilities in Chrome, or Chrome-specific malware or scripting (XSS, CSRF, etc.) attacks.

Additionally, with the JavaScript sandboxing that Chrome provides, which is not something IE 6 or 7 users have, they actually get a degree of process isolation, which mitigates a lot of script-related risk.

Personally, I think that Chrome Frame provides the most value to older versions of IE, in particular IE 6. Yes, of course those users should upgrade. But the reality is that, to date, they haven't, for any number of reasons. In my experience those reasons typically include either ignorance or fear (or a combination of the two). Adding a plug-in is easier and less invasive.

The way I see it, Google is undercutting IE and Microsoft just doesn't like that. Yes, there are potential risks, just as there are with any plug-in. The native risks to IE 6 users in particular likely far outweigh the theoretical risks from Chrome Frame.
