"It's not necessarily that plug-ins aren't or can't be secure, but that running a browser within a browser doubles the potential attack surface in a way that we don't see is particularly helpful," said Amy Bazdukas, Microsoft's general manager for IE.
Bazdukas also said that by running Chrome Frame, Internet Explorer 8 (IE8) users were unwittingly discarding all the private browsing protections that Microsoft built into its newest browser.
"Chrome Frame breaks the privacy model of IE," she claimed. "Users are not going to be able to use IE's privacy features, something that's not made apparent to users. They're essentially circumvented."
Bazdukas also maintained that IE8's browser history deletion feature is crippled by Chrome Frame; users who decide to erase the history may think it's working, but it's not.
In a statement earlier today, Microsoft said using Chrome Frame is not "a risk we would recommend our friends and families take." Bazdukas, however, got more specific.
"We're not saying that there's a specific security vulnerability in Chrome Frame, but the concern that plug-ins in general have had regarding security issues adds a new potential threat when Chrome Frame is used. Users have told us that they're looking for a better and safer browser, and we can't see how [using Chrome Frame] will deliver that."
The extra speed and HTML 5 support are necessary, said Google, if IE users are to run advanced Web applications such as Google Wave, a collaboration and communications tool that Google launched in May.
Bazdukas tied Google's release of Chrome Frame to its rival's desire to promote Wave, but at the expense of IE. "Chrome Frame is all about supporting the impending release of Google Wave," she argued.
More irritating to Microsoft, though, is that Google is trying to profit from IE's position as the world's leading browser. "Google hasn't been able to make an impact on market share with Chrome," said Bazdukas, "and so they've turned to alternate means. Chrome Frame would look to capitalize on the leadership position that we have."
According to the most recent data from Web metrics company Net Applications, IE accounted for 67 percent of all browsers used last month, with IE8 holding a 15 percent share on its own. Google's Chrome, meanwhile, controlled just 3 percent of the browser market in August.
But Bazdukas declined to say whether Microsoft could, and if so, whether it would, somehow block Chrome Frame from being used with IE. "Our focus now is making sure that users understand the trade-offs they're making if they use Chrome Frame," she said. "People expect that things like IE8's privacy mode [will] work as advertised."
In the end, Microsoft knows what its users want better than Google, argued Bazdukas. "The many years we've been in the browser business, we've been able to get a lot of feedback from users," she said. "And they've told us that they're looking for security, privacy and reliability. With IE8, we think we've done a great job at delivering those to customers."
The Chrome Frame plug-in works with IE6, IE7, or IE8 on Windows XP or Windows Vista. It's available from Google's site as a free download.
This story, "Microsoft blasts Google over Chrome Frame plug-in," was originally published by Computerworld.