Preston Gralla

Google Chrome add-in for IE: Speed demon or big, fat security hole?

September 24, 2009 12:19 PM EDT
Google's just-released Chrome add-in for Internet Explorer can speed up IE by as much as 10 times, tests show. But if you listen to Microsoft, it also leaves you more vulnerable to malware and Web-based attacks. Who should you believe?

The Chrome Frame add-in released by Google was designed to solve several problems with IE. It will let IE work with HTML 5, which it currently doesn't. And it will speed up IE by letting it use Chrome's WebKit rendering engine and high-performance JavaScript engine.

Computerworld's Gregg Keizer reports that IE8 using Chrome Frame "was 9.6 times faster than IE8 on its own." Computerworld ran the SunSpider JavaScript benchmark suite on IE8 a total of six times -- three with Chrome Frame, and three without. It then averaged the scores.

Microsoft claims, though, that the speed comes at a price -- a more vulnerable browser. A Microsoft spokesman told Ars Technica that:

"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers. Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

Microsoft may have a point -- but they have also likely overstated the case. It's certainly true that add-ins can make a browser less secure. But the implication of Microsoft's statement is that there is the same amount of malware targeting Chrome as IE8, which is very unlikely to be the case. Ars Technica accurately points out that because Chrome has such a small share of the browser market, malware writers simply don't take the time to target it; it's not worth the effort.

In addition, the site points out, even if IE8 with the plugin installed encountered malware targeting Chrome, there's a reasonable chance that IE8's underlying security scheme would halt it.

So while it's technically true that IE8 with the Chrome Frame plug-in installed may be theoretically less secure than IE8 without the plug-in, in the real world, there's likely not a great security threat.