Sure, Google Chrome Frame increases the Microsoft IE attack surface…

… but there’s more to the issue than what’s currently being bickered about.

Google’s Chrome Frame plugin for Internet Explorer is meant to incorporate web 2.0 functionality that the IE browser currently does not support. As reported in this Zero-day article Microsoft fired back claiming that Google’s plugin will double the threat landscape for Internet Explorer users and that they would not recommend this plugin to their relatives. While Microsoft’s statement has some theoretical truth to it — in the superficial conjecture that more code means more vulnerabilities — it naively discounts the beneficial security features the plugin can add to the system.

What’s more important are the implications on social engineering attacks as a result of this Google plugin.

Everyone knows Google. They dominate the Internet search market. People are also used to seeing Google links on tons of other people‘s websites, with AdWords sponsored links or Google Maps images. Google is a ubiquitous part of the Internet, or at the very least, a household name.

Given this context, how suspicious might the average web user be when confronted with a page that displays a message to the tune of:

“The page you requested requires this Google plugin. Click here to install…”

Disrupting the web user’s primary task with a “required plugin download” is a common tactic for malware distribution. Among the many attempts are several phony Adobe plugins. And the success of this strategy can be inferred by its growing use — note the recent adoption by Koobface malware.

I am confident it won’t be long before we will see spoofed versions of pages like this:

… where all the links point to a malicious download, not just the install button.

As some consolation, Internet Explorer 8 users at least will be well equipped to defend against such attacks, as NSS Labs Q3 Report rates IE8 as vastly superior in the detection of Socially Engineered Malware.