A better way
Would be for corporate IT admins to concentrate on delivering central services through a web interface and leave users and departments to sort out their own desktops.
Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines. The new version runs a "helper process" when IE starts up that can then load the Chrome …
Let me tell you how this works. Users whine and whine until someone higher up caves and insists they get given admin rights and manage their own desktops. Naturally after a (very) short period of time said desktops become riddled with viruses and malware (I've known users to uninstall anti-virus because 'it kept telling them they had a virus'. No, really.). Then they whine and whine and whine that they can't do any work because 'the computers are crap' and demand 'new' computers. (DON'T ask me the logic behind this - they just do). This goes one of two ways. If money is available, someone higher up might approve purchase of 'new' computers, which of course are 'better' as they are clean installed when they arrive. If money is not available, after lots of meetings IT get given the go-ahead to re-install the machines (at a huge waste of time). IT remove admin rights from desktops as a point of good practice, after which users begin whining again that they 'can't do anything' on their computers (where 'do anything' means uninstall anti-virus, install Bonzai Buddy, etc etc etc.) Eventually someone will cave above, etc. - repeat.
This will typically repeat until the day the whole organisation goes down with a worm, after which IT suddenly get the ear of the higher-higher ups which usually actually listen when real money is involved, and eventually users are just told to get on with it without admin rights.
Next of course we will have this whole whinge-a-round with virtual desktops, but ensuring certain directors share a blade with certain CPU stealing infected desktops should put a pragmatic end to any complaints.
So you can install the latest 'awsum serch bar' that comes attached to that innocent looking screen saver? So you can plug in your own usb stick complete with whatever infections your home computer currently has?
It is not your computer, don't expect to treat it as such. You might think it's not a big deal if your desktop gets a virus when everything is accessed through a browser (Cos I.T. will fix it - right), but they have a nasty habit of replicating. What if something hijacks your email and sends itself to everyone in the company? What if that virus somehow managed to get as far as the servers? Our job is to ensure as much uptime as is possible to help you be productive. Allowing end users to do what they like is not the way to go about that, damn right we lock you down as much as we can.
AC - cos working!
I'm sure that would work really well in a school environment!
Actually I'll just add the Google frame to the "insta quarantine" in the AV control panel. That's a quicker way of sorting it out.
I've been a local admin on my machine(s) for about the last 7 years.
I never bothered a helpdesk, never had any virus issues and everything is going swimmingly.
However, my 3yo dell is literally crawling. One would think it's due to the immense amount of crap I've installed. Well, it's you guys. You and your silly little bits and pieces that hog my otherwise pretty capable laptop.
- Daily inventory of what the computer has in it
- More software auditing
- Synchronising everything at arbitrary times
- A/V running at pre-configured times without regard for a user's schedule (that's why I became a local admin in the first place)
- Connecting to a multitude of shared drives
- Logs, logs and more logs and then synchronising of those logs
- Allowing all sorts of unnecessary services to be running for no one's benefit (I soon put an end to that)
As soon as the lappy is out of the corp network and decides that all the above won't happen, it literally flies!
Now, who's hogging shit?
As for "more money for kit" well, gratz to our geniuses for installing the entire range of MS's bullcrap on a measly 2GB of RAM. For the record, I went out and paid myself for a couple of sticks which I duly replaced.
Not to mention that our hardware goes outdoors in the field and yet it's me who pays for the stupid air and spends half a day every fortnight cleaning the thing. Oh bummer, I should just let it clog up and then whine for a replacement, shouldn't I?
P.S. Not every local admin is a complete idiot
P.S. 2: Educate your users. The amount of time/money I've saved our helpdesk by resolving my colleagues' problems would make for a nice xmas bonus by now!
P.S. 3: A_C for obvious reasons
Oh noes, they made you has audit software! THE BASTARDS! How dare they try to, eg, ensure they're not made liable for someone installing the Totally Legit PirateBay Edition Adobe Suite!
You may not be a numpty, but there are a fuck of a lot of numpties out there and when you're dealing with hundreds, thousands or tens of thousands of machines the sane operating principle remains "deny all except".
Educating users is a great idea, assuming the users actually understand. The reason a lot of sysadmins still have jobs is that for a fuck of a lot of users, computers are still magic boxes that bring the Internet home and let them play games.
I'm somewhat surprised that you've not been able to make a case to your local IS team for how to practically improve the user experience by making some simple changes to login scripts, based on your complaints. Assuming you've actually bothered to engage them instead of just assuming they're dicks for not letting you have what you want straight away...
Yes, I share your pain, being a reasonably capable "local admin" myself, with responsibility for several machines. Having to work with work-supplied machines that are less than optimal according to my preferences is always horrible (being forced to use IE, for instance). However, I accept that I (and you) are in the minority, and would definitely not advocate allowing most people to have a significant amount of rights over their machines! The existence and spread of malware is entirely because of fuckwits who install whatever crap takes their fancy, and then spread it around through their equally unsanitary computer activity (plugging in their virus-ridden MP3 player to download music so they can get around their download cap at home, for instance).
If you don't think this happens, then you are extremely naive. Education only goes so far before you need to start removing degrees of freedom from the user.
That the great Explorer domination-by-web-interface plan was the root of so many security problems, then? I think you must be posting from about 1997?
It may be true that not every local admin is a complete idiot.
However, it may possibly be true that your corporate admin is an idiot.
Rather than blaming IT for having to jump through the hoops to cover their ars*s when the rules come down from on-high about monitoring and compliance rules, perhaps you should consider that whoever you (or your seniors) hired to keep track of things is either incompetent or forced to follow the same degree of stupid rules that you have to. The only problem is that the admin has to enforce those stupid rules.
Also, for pedantry's sake, I'm willing to bet that your laptop does not 'literally fly'.
Presumably you are not an IT person as such, rather a "gifted amateur".
Two things immediately spring to mind:
1) Who carries the can when things you have done to your laptop cause it to go belly up? Don't tell me your IT department repairs things for free.
2) I presume that in order to be in post and be issued with a laptop by your employers, you are expected to do some work from time to time. If you are not working for the IT department why are you wasting your employer's money doing stuff for which they are not employing you?
Yes, I'm just an amateur, but with a healthy appetite for new knowledge.
Q1: When I'm willing to pay myself for a RAM upgrade how likely is it I'd ask my IT dept to foot the bill?
I was involved in the purchasing deal and all H/W comes with on-site repair warranty for 3 years and they're then replaced as soon as that expires. Colleagues who don't clean/look after their kit, have it bricked much earlier than the 3 years and the IT guys hold a bank of spares for these eventualities. I actually make mine last way longer than others with similar jobs as I tend to clean it thoroughly and regularly (as we're allowed to buy them for a token price at replacement time, so this little dell is in essence, my mum's next lappie).
Q2: I'm glad it's you asking this and not my boss, nuff said :)
Re S/W audits: I don't object to the principle, I object to the frequency. And I think a much better way would be to skin alive and in public the first person found in breach. That would focus people's minds way better than any audits. Or better, any non-compliant S/W found must be bought with funds coming from the idiot's takings (Acrobat anyone?). Responsibility works both ways and despite everyone's downvotes, I prefer people were made to be responsible and live (or die) by that freedom. You're not my legal guardian so you should neither answer for my failings nor prohibit me from doing (and paying for) them.
Look, I'll break it down to you.
On the one hand, sysadmins are lazy. And that's actually a good thing because instead of doing something manually each time, they'll stop and make the time to write a script so that it takes one command and 5 minutes to fix something, but tell their pointy haired managers it will take an hour. or a couple of hours. (A good admin always exaggerates the amount of time something will take so that they still look like heroes and in the event something goes wrong with the fix, they don't have to take time to explain in detail what they are actually doing....) Lazy system admins also don't like to be disturbed by silly gits making unreasonable requests like supporting non-approved hardware, knowing that once they help you, they can never refuse to support it....
On the other hand. There are your typical users, smart users, and super users who used to be admins in their past life and know the drill.
The typical user actually does the things the anonymous BOFH talks about. They are that stupid.
You would be considered a 'smart user' but still too dumb to realize all of the ways your PC can be infected by 'drive-by' incidents. Meaning you're not paranoid enough to be given control.
Then there are the super user class. These are the guys who work in IT, build their own PCs, maintain their friends' and family's PCs, have a small network of Unix/Linux boxes in their basement. Now these are the people who respect and understand why the IT guys lock down the PCs and know enough not to complain. They also know enough to get a dozen of the really good doughnuts (not the stuff from Dunkin Doughnuts where they give you their day old stuff and pretend that it's 'fresh') and present it to the IT dept head as he asks for a special favor.
(Beer works too but only if you know the staff is going out for drinks and where they go for drinks because they normally want to avoid silly gits who pester them for administrator access on their PCs.)
So yeah, you may bitch, but the fact that you bitch means that you don't know what you don't know and that makes you dangerous.
Yeah I know it's a catch-22, and that's the point.
Mine's the jacket with the old worn BOFH shoulder patch as I head out the door after getting a text telling me where the system admins are going for their drinks because they know I'll be buying them a round or two. :-)
The problem with the "skin the first offender alive and make an example of 'em" approach is that, if you can't prove you have existing policies in place that try to stop them doing what they're doing, you run the very real risk of a harassment/unfair dismissal charge, and if your company's already not doing IT properly, how likely do you think they are to want to run the risk of that sort of legal grief?
Whether or not you rate your IT, the principle of locking down machines and removing local admin is underscoring the machine's state as a work tool, rather than a toy that you get to do with as you please. It doesn't help when some big corporates handle it badly, but having seen how often admin rights + laptop + work-paid-for home broadband leads to "I don't know how that virus, or all those pornographic downloads, or those various pieces of pirated software with my name as the registered user, got onto this computer, honest guv", I maintain that in terms of minimising downtime for users and unnecessary work for the support team, limiting administrative access is the way to go. The problems you describe are failures in your IT team's operational model, not reasons for you to be admin. You being an admin fixes the symptom, not the problem.
just for the record I built my first PC in the late 90's after uni and have been building them myself since. I too have a small network of boxes but they're mostly NAS's and supporting my wireless cameras round the house etc. All of which are connected in a vpn with my holiday home's 2 boxes.
And as for support, I've ended up building and maintaining about 7 more boxes of the entire extended family.
Yet, the only fully locked down box/account is my 9 year old nephew's. Everyone else has admin credentials to elevate their accounts if need be.
I'm more willing to accept Captain Underpants' version of symptoms/ailments. When any senior in our top 3 tiers of management can plug in a USB stick and go away with the "family silver" (and the leavers/dismissed ones regularly do), then fretting over installing ABP in FF and the like is just pants.
..to ban Google or anything connected with Google from an Enterprise network.
I wonder how their revenue stream will fare while they're busy forcing people onto Bing?
As usual, they miss the point. If enterprises are still using XP/IE8, that's probably because they've got so many internal web apps they can't test them all, which is an environment that would make them very leery about a browser functionality install that can bypass policy settings.
The last place I worked had 120,000 employees worldwide, and 100,000 PCs and laptops worldwide. Seems like a perfectly valid reason not to upgrade.
Want email and access to the web???, make the business case otherwise make do with internal mail and the intranet, and depend on your 'friends' to email you the latest porn/mp3/virus/worm
I'm an engineer on the Chrome Frame team.
One of the major features -- some say, the entire point -- of Chrome Frame is to help the organizations you're talking about migrate to a less legacy-dependent world without changing everything all at once. Chrome Frame only renders the pages that opt-in, meaning those legacy IE6-only systems keep working.
As the article calls out (waaaaay at the bottom), Chrome Frame also provides full administrator controls, group policy templates, and MSIs for controlled deployment. Don't want it on your network? Just push a template and no version will install, not even per-user. Want it everywhere, centrally managed, and updating on your timeframe? Push the policy and the MSI as you see fit.
GCF doesn't bypass policy settings, it enables them in ways that allow organizations to move bit-by-bit, removing the economic hurdles to adopting better browsers one app at a time, not as a single, risky leap.
It's too funny.
Sorry but anything in a corporate environment that bypasses IT's control is a bad thing.
Oh wait, this feature was from the same company that is trying to patent the process of sneaking on and stealing information from personal wi-fi networks where the end user didn't set up at a minimum WEP encryption. (Yeah I know WPA2 but WEP is still out there.) And didn't they say it was all a mistake when they captured all of the data they illegally sniffed?
Sure we don't bypass admin controls if you do the following *after* the fact...
What flavo(u)r was the goolaid?
No, actually, administrators expect that if people do not have Local Admin rights on their machines, they should not be able to install anything that allows them to circumvent the IE security settings and configuration that is generally put there for a specific reason.
So now you're telling us that after circumventing Windows's default protection in that area, WE now have to install some frigging GPO to undo the chaos you're causing?
Thanks so much for that.
Don't use microsoft or google products. It's been working for me for coming up on a year and a half now, with absolutely zero negative impact on my "internet and computing experience", whatever that is.
So what do you use for search then - Yahoo!? Or Baidu?
One way or the other, if you want to get the best from the Web you need to be able to search. And to get the right answers, you need a good search tool. And by definition, the bigger search engines are better at finding general stuff (because they use user-optimised search algorithms; the more users, the better the results).
And the bigger the search engine, the more power it has and thus the more power to do evil(TM). This is valid for all big search companies.
Of course you might live in a world where a specialist search tool like Wolfram Alpha works for you - but for the average Joe, simply avoiding Big Search is not an option.
Many older custom web-based apps are tailored for older IEs and break in newer browsers. Chances are no one knows the internal workings of the thing and building a new version will take time and money, neither of which may be available in the budgets for a significant length of time. It's not in the home sector but in the business sector that you find the problem of "unpatchable" PCs: PCs past the support EOL but impossible to update because doing so would break the key applications used in day-to-day operation.
Apart from that, central control of proxies is quite poor in Firefox/Opera. Oh and GPOs don't work in Firefox or Opera either.
NTLM has its uses for SSO, GPOs take good care of making sure the little monkeys aren't tinkering too much. This sort of behaviour is virus-like IMHO and has been treated as such.
These problems were predictable. There is a large flock of IT chickens coming home to roost.
The downside of this is that we don't know what Google Frame might do--new bugs and new loopholes--but the upside is that it gives users access to today's external webspace.
The big idiocy is that Google are bypassing limits set by the owners of the computer. The user doesn't have authority to give Google permission to install this software. Running software on a computer without permission--that sounds like a criminal act, under the Computer Misuse Act.
But I'm no lawyer.
Have a look for frontmotion community edition. It comes packaged as an msi with mozilla.adm to control the per computer config and firefox.adm to control the per user config. We deployed it recently and it works very well.
Still, it's the kind of thing Mozilla should have done themselves if they are serious about making it onto the enterprise desktop.
I think you'll find that Jake (motto: why would I ever need more than 80x24 characters?) uses Gopher.
... She's been using it to publish the 95+ years of her life's story these last 17 years. It works for her, so who am I to suggest she get a trifle more modern? (True, I maintain the server-space ...).
I can't remember the last time I used a search engine, outside of Wikipedia.
And no, I don't just use 80X24 ... Sometimes I need to crop pictures ;-)
I don't trust Wiki, mind, but occasionally I'll look something up there in the hopes of finding a more authoritative link for my nieces & nephews ... After over a third of a century online, I pretty much already know where to find anything I personally am looking for.
www.google.com/chromeframe just hit my proxy block list.
'Last month, Russell briefly touched on Google's technical workaround – which involves the use [of] Browser Helper Objects (BHOs) – but he provided little detail.
"A very small portion of Chrome Frame lives inside the process space of IE," he said. "This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space." Google can do so even if the user doesn't have admin privileges.'
This is also how many of the malware exploits (esp. spyware) for IE work. Surely code that circumvents the security measures of a piece of software would be reported by the discoverer to the developer, and the developer would patch the hole? Or is the BHO mechanism intended to allow users to run anything regardless of administrative policy?
I'll leave it up to you to decide if this reflects badly on Microsoft or Google or both.
that Google are gaining access to systems that they are not authorised to access, putting them in breach of the Computer Misuse Act here in the UK.
That puppy can carry a prison term.
.. to defend what Google is doing here, because I'm interested in which twists ye will turneth to sweet talk this one.
The whole reason IT puts control into a network is to assure a safe and secure working environment, which unfortunately gets in the way of the Great Google Global Data Collection (tm), that's G3DC for those that like acronyms. So the security of a corporate network obviously had to go.
Just when you thought that Microsoft couldn't possibly stop sinking, there is hope at last (not sure I'm happy with that, but that's a separate discussion) - Bing sure is going to get more attention now..
.. or even Baidu..
Dirty deeds, done dirt cheap.
This kind of thing is why I ban the execution of all EXEs outside of C:\Program Files. Works wonders.
Apps and various update .exe's like to live/run from there too.
This is a good thing. Microsoft, in their infinite wisdom, have held the web back for too many years by delivering a crappy browser that makes web development a huge pain.
Unfortunately, it was never really possible to completely drop support for IE, because too many people (mainly office personnel) are forced to use it. With the option to install GCF without admin rights, there can finally be a shift. If this happens, it could hugely improve the speed at which new technologies can be used in web development.
Google are being incredibly irresponsible in doing this - releasing a piece of software that deliberately circumvents a policy that has been put in place (for whatever reason) is no better than what the virus and trojan writers do. And then to say "...but if you use this OTHER piece of software that we have also written, you can stop it" is tantamount to blackmail. WHY would any admin WANT to install some Google tool to stop some other Google tool from being installed? I mean, yea, I would trust it - why not????
On another angle, MS are also to blame for allowing this to happen. It should be possible to lock down IE so that add-ons like this can not be installed. But then IE and Windows in general is and always has been a Swiss cheese when it comes to security, so nobody should be surprised.
This is about as ethical as the tricks Redmond used to ensure IE6 got entrenched everywhere and kill Netscape out of spite. Doesn't mean it's justified or even excusable. But I'll not lose sleep over it either. That platform just isn't very ethical nor very secure. Use at your own risk.
Someone has posted a question about the Computer Misuse Act for your side of the pond. I'm thinking DMCA on mine.
dl.google.com -- where the installer comes from -- is categorised as "Software Download" in our webfilter services, and appsense won't let the users run it anyway.
*complacently strokes persian cat*
I just tried this on a Windows XP virtual machine with a standard restricted account. I tried to run the installer and it said I needed administrator rights to install it. Interestingly, when I tried this on Internet Explorer 8 it worked. Wow, Internet Explorer 6 led to better security. The world has gone mad.
... that Browser Helper Objects (BHOs) should be henceforth known in the literature as BooHoos?
"Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines."
Just like their main Chrome browser has been doing since it was released. Turn off install privileges for your user, and Chrome just installs itself in their user directory. I figured out the best way to stop it was to create the Chrome install folder on the machines in advance, then revoke any and all write permissions to it. Boom! No Chrome.
I don't know why they think this kind of thing is acceptable. Trying to up your market share at the cost of security on the few machines I have still running Windows == your product gets banned from the network.
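One way to script the folder pre-creation the commenter above describes, as an added PowerShell example that is not the commenter's own script; it assumes the per-user Chrome install lands under %LOCALAPPDATA%\Google\Chrome, that local profiles live under C:\Users, and that it is run from an elevated prompt:

```powershell
# Added example, not from the thread: pre-create Chrome's per-user install folder
# in every existing local profile and strip write access from it, so a user-mode
# installer has nowhere to unpack. Assumptions: the per-user install path is
# %LOCALAPPDATA%\Google\Chrome and profiles live under C:\Users. Run elevated so
# the folders are created with Administrators as owner; the profile's user then
# cannot simply rewrite the ACL to get the folder back.

$relativePath = 'AppData\Local\Google\Chrome'   # assumed per-user install location
$skip = @('Public', 'Default', 'Default User', 'All Users')
$inherit = 'ContainerInherit,ObjectInherit'     # ACE applies to subfolders and files

function New-Rule([string]$Identity, [string]$Rights, [string]$Type) {
    # Build a FileSystemAccessRule (identity, rights, inheritance, propagation, allow/deny)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, 'None', $Type
}

$profiles = Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $skip -notcontains $_.Name }

foreach ($profile in $profiles) {
    $target = Join-Path $profile.FullName $relativePath
    if (-not (Test-Path -Path $target)) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }

    $acl = Get-Acl -Path $target
    # Stop inheriting the profile's permissive ACEs and drop the inherited copies
    $acl.SetAccessRuleProtection($true, $false)

    # Administrators and SYSTEM keep full control so the folder stays manageable
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))

    # Ordinary users may read but not create, modify or delete anything below it
    $acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'ReadAndExecute' 'Allow'))
    $acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'Write,Delete,DeleteSubdirectoriesAndFiles' 'Deny'))

    Set-Acl -Path $target -AclObject $acl

    # Verify the deny entry actually landed before moving on
    $denied = (Get-Acl -Path $target).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'BUILTIN\Users' }
    if ($denied) { Write-Output "Locked down $target" }
    else         { Write-Warning "Deny ACE missing on $target" }
}
```

This only covers the one default location and only profiles that already exist, so it needs re-running (e.g. from a scheduled task) as new profiles appear; a path rule that refuses to run executables outside Program Files, as another commenter describes, is the broader control.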
Too bad you can not possibly stop IE from being installed.
Funny how IT complains about not being in control when Microsoft demands they install IE and PREVENT its removal. No matter what trick you think you know.
IT is not in control of any of their machines. Microsoft is.
Dude, give it a rest about IE being embedded into Windows. You can hide it if you don't like the ugly icon on the desktop. Or if you REALLY don't like it, use one of the alternate OSes out there.
Of course, suggest in an enterprise they get rid of Windows, and you'll soon find out who controls IT (hint: not the IT people).
But surely that's how things should be done, isn't it? By installing something without needing admin rights, doesn't that mean it will only be able to run with user-level privilege? And isn't that exactly what people have moaned about Microsoft for, creating an environment in which normal apps run with admin privilege by default?
I struggle to see what the risk is here, and I don't mean vague "it's a plug-in therefore it is risky" type statements.