Chrome Frame must be installed by the browser user, but it can be triggered automatically by Web site and application developers using a single HTML tag on their sites or in their applications’ code. Until those sites and applications are modified to call on Chrome Frame, users can manually force IE to use the plug-in by prefacing the URL of a site with the characters “cf:” (sans the quotation marks).
That was how Computerworld obtained the impressive SunSpider results for IE8.
The Chrome Frame plug-in works with IE6, IE7 or IE8 on Windows XP or Windows Vista. It’s available for downloading from Google’s site.
“With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers,” a Microsoft spokesperson told Ars. “Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.” The spokesperson also referred us to the latest phishing and malware data from NSS Labs, the same security company that found IE8 was the most secure browser in August 2009 via two Microsoft-sponsored reports.
Plugins and add-ons are definitely a huge security issue; they usually remain unpatched longer than most and often end up doing more damage than vulnerabilities in the actual browser. As for IE + Google Chrome Frame potentially allowing for double the damage because the browser mutant would be open to a wider range of attacks, we’re going to have to call foul. Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we’re pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome’s security measures and would simply not expect Internet Explorer’s security layers.
What about the part about Chrome having security issues in particular? Soon after Chrome was first released in September 2008, vulnerabilities were discovered and loudly trumpeted. The new browser was quickly labeled insecure days after it was made available, and remained so until a patched version was released.
After that, though, Google made sure to stay on top of things, and it has paid off. In March 2009, for example, Chrome was the only browser left standing after day one of the famous Pwn2Own contest, where security researchers competed to exploit vulnerabilities in web browsers, while Firefox, Safari, and Internet Explorer were all successfully compromised. Microsoft argues that Chrome only remained unscathed because nobody attempted to exploit it, but the fact remains that none of the researchers had vulnerabilities for Chrome in mind before going into the contest.