29 September 2009

Browser-in-browser virtualization security nightmare



So I've got five browsers running on my Windows laptop, three running on my Blackberry handheld, and at least one more on the Mac Mini. OK, this isn't exactly typical. But all these browser choices are available on the market today to consumers who want them. Most people still use IE, but Firefox now has a respectable market share (65% IE vs 26% for FF). Apple Safari (4%), Google Chrome (3%), and Opera (2%) have a small but noticeable and growing share of the browser market. These figures don't include the matrix of OSes x browsers. The browser market is finally competitive.

From an economic and feature perspective, competition is obviously a Good Thing. At first blush it seems that it would be a security Good Thing as well, since there are more competing platforms to drive security fixes and avoid a monoculture. But there's a new wrinkle in browser security, which may be an indication of more problems to come.

Google Chrome is a stand-alone browser -- which I love for its speed and simplicity and hate for no adblock -- but its technologies are also now available as a plug-in to IE. Google Chrome Frame is an open-source project which allows you to essentially run Chrome inside of IE.  Geeky/neat functionality, to be sure.  But what a security outcry it has raised!

In rare agreement, Microsoft and Mozilla both slammed Google on Chrome Frame. They pointed out that since browsers are now the primary route for infection on PCs, slamming two browsers' worth of potential security flaws into one browser is asking for trouble. Each browser may have security bugs, and the combination of the two may open yet more holes. Microsoft also piles on to point out privacy implications: Chrome Frame breaks IE 8's private browsing.

As the latter article reveals, Google's answer isn't good: "Google Chrome Frame is an open source plug-in that is currently in an early developer release and was designed with security in mind from the beginning..." Open-source and developer releases are not excuses for lax security. If the security isn't there, don't release the code. Google's other point is that they can somehow magically secure old browsers, in particular IE6:

"Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users, providing strong phishing and malware protection (absent in IE6), robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months."

Again, this answer is not well thought out. There is a simple answer to improving security on IE6: don't run IE6. Yes, it's still supported by MS, but IE8 is out now; upgrade. Google Chrome Frame isn't a patch to IE; if there's a bug in IE6 allowing an attacker to gain a foothold, that bug is still there in IE+Chrome Frame.

I'm sure this little kerfuffle will blow over soon. Browser makers fighting with each other in public is just business as usual.  IE6 will end-of-life, Google Chrome Frame will improve its security and its mechanisms for integrating with IE, etc.  This is a harbinger of things to come, though. Browser technology is getting more complex, and complexity is the enemy of security. Chrome Frame is an early example of browser-in-browser virtualization. Just as desktop virtualization brings new security headaches along, so will browser virtualization.


Welcome to my nightmare.