Microsoft researchers uncovered a flaw in the Google Chrome Frame plug-in for users of Internet Explorer.
According to Google, which patched the problem Nov. 18 with an update, the vulnerability could be exploited to bypass cross-origin protections.
The plug-in-which injects Google Chrome’s rendering engine into Internet Explorer-has been a source of controversy between Microsoft and Google in the past. In September, Microsoft warned that the plug-in made IE less secure, not due to any specific vulnerability, but rather the very idea of the plug-in itself.
“Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts,” a Microsoft spokesperson said at the time. “This is not a risk we would recommend our friends and families take.”
Google defended its actions, stating that the plug-in brought Chrome’s Web technologies to IE. Crediting Microsoft with finding the recent issue, Google noted that the vulnerability does not permit “persistent malware to infect a user’s machine.” The company said it is unaware of any exploitation of the issue.
The plug-in update also fixes several common crashes and a handful of other bugs.