back to article Google bypasses admin controls with latest Chrome IE

Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines. The new version runs a "helper process" when IE starts up that can then load the Chrome …


This topic is closed for new posts.
  1. Rich 3

    A better way

    Would be for corporate IT admins to concentrate on delivering central services through a web interface and leave users and departments to sort out their own desktops.

    1. Anonymous Coward

      Obviously you aren't a BOFH

      Let me tell you how this works. Users whine and whine until someone higher up caves and insists they get given admin rights and manage their own desktops. Naturally after a (very) short period of time said desktops become riddled with viruses and malware (I've known users to uninstall anti-virus because 'it kept telling them they had a virus'. No, really.). Then they whine and whine and whine that they can't do any work because 'the computers are crap' and demand 'new' computers. (DON'T ask me the logic behind this - they just do). This goes one of two ways. If money is available, someone higher up might approve purchase of 'new' computers, which of course are 'better' as they are clean installed when they arrive. If money is not available, after lots of meetings IT get given the go-ahead to re-install the machines (at a huge waste of time). IT remove admin rights from desktops as a point of good practice, after which users begin whining again that they 'can't do anything' on their computers (where 'do anything' means uninstall anti-virus, install Bonzai Buddy, etc etc etc.) Eventually someone will cave above, etc. - repeat.

      This will typically repeat until the day the whole organisation goes down with a worm, after which IT suddenly get the ear of the higher-higher ups which usually actually listen when real money is involved, and eventually users are just told to get on with it without admin rights.

      Next of course we will have this whole whinge-a-round with virtual desktops, but ensuring certain directors share a blade with certain CPU stealing infected desktops should put a pragmatic end to any complaints.

      1. Anonymous Coward
        Thumb Down

        Oh give me a break....

        I've been a local admin on my machine(s) for about the last 7 years.

        I never bothered a helpdesk, never had any virus issues and everything is going swimmingly.

        However, my 3yo dell is literally crawling. One would think it's due to the immense amount of crap I've installed. Well, it's you guys. You and your silly little bits and pieces that hog my otherwise pretty capable laptop.

        - Daily inventory of what the computer has in it

        - More software auditing

        - Synchronising everything at arbitrary times

        - A/V running at pre-configured times without regard for a user's schedule (that's why I became a local admin in hte first place)

        - Connecting to a multitude of shared drives

        - Logs, logs and more logs and then synchronising of those logs

        - Allowing all sorts of unecessary services to be running for no one's benefit (I soon put an end to that)

        As soon as the lappy is out of the corp network and decides that all the above won't happen, it literally flies!

        Now, who's hogging shit?

        As for "more money for kit" well, gratz to our geniuses for intalling the entire range of MS's bullcrap on a measly 2GB of RAM. For the record, I went out and payed myself of a couple of sticks which I duly replaced.

        Not to mention that our hardware goes ourdoors in the field and yet it's me who pays for the stupid air and spends half a day every fortnight cleaning the thing. Oh bummer, I should just let it clog up and then whine for a replacement, shouldn't I?

        P.S. Not every local admin is a complete idiot

        P.S. 2: Educate your users. The amount of time/money I've saved our helpdesk by resolving my colleagues' problems would make for a nice xmas bonus by now!

        P.S. 3: A_C for obvious reasons

        1. Captain Underpants
          Thumb Down

          @AC 10:13

          Oh noes, they made you has audit software! THE BASTARDS! How dare they try to, eg, ensure they're not made liable for someone installing the Totally Legit PirateBay Edition Adobe Suite!

          You may not be a numpty, but there are a fuck of a lot of numpties out there and when you're dealing with hundreds, thousands or tens of thousands of machines the sane operating principle remains "deny all except".

          Educating users is a great idea, assuming the users actually understand. The reason a lot of sysadmins still have jobs is that for a fuck of a lot of users, computers are still magic boxes that bring the Internet home and let them play games.

          I'm somewhat surprised that you've not been able to make a case to your local IS team for how to practically improve the user experience by making some simple changes to login scripts, based on your complaints. Assuming you've actually bothered to engage them instead of just assuming they're dicks for not letting you have what you want straight away...

        2. Intractable Potsherd


          Yes, I share your pain, being a reasonably capable "local admin" myself, with responsibility for several machines. Having to work with work-supplied machines that are less than optimal according to my preferences is always horrible (being forced to use IE, for instance). However, I accept that I (and you) are in the minority, and would definitely not advocate allowing most people to have a significant amount of rights over their machines! The existence and spread of malware is entirely because of fuckwits who install whatever crap takes their fancy, and then spread it around through their equally unsanitary computer activity (plugging in their virus-ridden MP3 player to download music so they can get around their download cap at home, for instance).

          If you don't think this happens, then you are extremely naive. Education only goes so far before you need to start removing degrees of freedom from the user.

        3. Atonnis


          It may be true that not every local admin is a complete idiot.

          However, it may possibly be true that your corporate admin is an idiot.

          Rather than blaming IT for having to jump through the hoops to cover their ars*s when the rules come down from on-high about monitoring and compliance rules, perhaps you should consider that whoever you (or your seniors) hired to keep track of things is either incompetent or forced to follow the same degree of stupid rules that you have to. The only problem is that the admin has to enforce those stupid rules.

          Also, for pedantry's sake, I'm willing to bet that your laptop does not 'literally fly'.

        4. nematoad Silver badge


          Presumably you are not an IT person as such, rather a "gifted amateur".

          Two things immediately spring to mind:

          1) Who carries the can when things you have done to your laptop cause it to go belly up? Don't tell me your IT department repairs things for free.

          2) I presume that in order to be in post and be issued with a laptop by your employers, you are expected to do some work from time to time. If you are not working for the IT department why are you wasting your employer's money doing stuff for which they are not employing you?

          1. Turtle_Fan

            Valid questions...

            Yes, I'm just an amateur, but with a healthy appettite for new knowledge.

            Q1: When I'm willing to pay myself for a RAM upgrade how likely is it I'd ask my IT dept to foot the bill?

            I was involved in the purchasing deal and all H/W comes with on-site repair warranty for 3 years and they're then replaced as soon as that expires. Colleagues who don't clean/look after their kit,have it bricked much earlier than the 3 years and the IT guys hold a bank of spares for these eventualities. I actually make mine last way longer than others with similar jobs as I tend to clean it thoroughly and regularly (as we're allowed to buy them for a token price at replacement time, so this little dell is in essence, my mum's next lappie).

            Q2: I'm glad it's you asking this and not my boss, nuff said :)

            Re S/W audits: I don't object to the principle, I object to the frequency. And I think a much better way would be to skin alive and in public the first person found in breach. That would focus peoples' minds way better than any audits. Or better, any non-compliant S/W found must be bought with funds coming from the idiot's takings (Acrobat anyone?). Responsibility works both ways and despite everyones' downvotes, I prefer people were made to be responsible and live (or die) by that freedom. You're not my legal guardian so you should neither answer for my failings or prohibit me from doing (and paying for) them.

            1. Captain Underpants

              @Turtle Fan

              The problem with the "skin the first offender alive and make an example of 'em" approach is that, if you can't prove you have existing policies in place that try to stop them doing what they're doing, you run the very real risk of a harrassment/unfair dismissal charge, and if your company's already not doing IT properly, how likely do you think they are to want to run the risk of that sort of legal grief?

              Whether or not you rate your IT, the principle of locking down machines and removing local admin is underscoring the machine's state as a work tool, rather than a toy that you get to do with as you please. It doesn't help when some big corporates handle it badly, but having seen how often admin rights + laptop + work-paid-for home broadband leads to "I don't know how that virus, or all those pornographic downloads, or those various pieces of pirated software with my name as the registered user, got onto this computer, honest guv", I maintain that in terms of minimising downtime for users and unnecessary work for the support team, limiting administrative access is the way to go. The problems you describe are failures in your IT team's operational model, not reasons for you to be admin. You being an admin fixes the symptom, not the problem.

        5. Ian Michael Gumby


          Look, I'll break it down to you.

          On the one hand, sysadmins are lazy. And that's actually a good thing because instead of doing something manually each time, they'll stop and make the time to write a script so that it takes one command and 5 minutes to fix something, but tell their pointy haired managers it will take an hour. or a couple of hours. (A good admin always exaggerates the amount of time something will take so that they still look like heroes and in the event something goes wrong with the fix, they don't have to take time to explain in detail what they are actually doing....) Lazy system admins also don't like to be disturbed by silly gits making unreasonable requests like supporting non-approved hardware, knowing that once they help you, they can never refuse to support it....

          On the other hand. There are your typical users, smart users, and super users who used to be admins in their past life and know the drill.

          The typical user actually does the things the anonymous BOFH talks about. They are that stupid.

          You would be considered a 'smart user' but still too dumb to realize all of the ways your PC can be infected by 'drive-by' incidents. Meaning you're not paranoid enough to be given control.

          Then there are the super user class. These are the guys who work in IT, build their own PCs, maintain their friends and family pc's, have a small network of Unix/Linux boxes in their basement. Now these are the people who respect and understand why the IT guys lock down the PCs and know enough not to complain. They also know enough to get a dozen of the really good doughnuts (not the stuff from Dunkin Doughnuts where they give you their day old stuff and pretend that its 'fresh'.).and present it to the IT dept head as he asks for a special favor.

          (Beer works too but only if you know the staff is going out for drinks and where they go for drinks because they normally want to avoid silly gits who pester them for administrator access on their PCs.)

          So yeah. you may bitch, but the fact that you bitch means that you don't know what you don't know and that makes you dangerous.

          Yeah I know its a catch-22, and that's the point.

          Mine's the jacket with the old worn BOFH shoulder patch as I head out the door after getting a text telling me where the system admins are going for their drinks because they know I'll be buying them a round or two. :-)

          1. Turtle_Fan

            for the record

            just for the record I built my first PC in the late 90's after uni and have been building them myself since. I too have a small network of boxes but they're mostly NAS's and supporting my wireless cameras round the house etc. All of which are connected in a vpn with my holiday home's 2 boxes.

            And as for support, I've ended up building and maintaining about 7 more boxes of the entire extended family.

            Yet, the only fully locked down box/account is my 9 year old nephew's. Everyone else has admin credentials to elevate their accounts if need be.

            I'm more willing to accept Captain Underpants' version of symptoms/ailments. When any senior in our top 3 tiers of management can plug in a USB stick and go away with the "family silver" (and the leavers/dismissed ones regularly do), then fretting over installing ABP in FF and the like is just pants.

    2. Anonymous Coward


      So you can install the latest 'awsum serch bar' that comes attached to that innocent looking screen saver? So you can plug in your own usb stick complete with whatever infections your home computer currently has?

      It is not your computer, don't expect to treat it as such. You might think its not a big deal if your desktop gets a virus when everything is accessed through a browser (Cos I.T. will fix it - right), but they have a nasty habit of replicating. What if something hijacks your email and sends itself to everyone in the company? What if that virus somehow managed to get as far as the servers? Our job is to ensure as much uptime as is possible to help you be productive. Allowing end users to do what they like is not the way to go about that, damn right we lock you down as much as we can.

      AC - cos working!

    3. Danny 14
      Thumb Up

      of course!

      Im sure that would work really well in a school environment!

      Actually i'll just add the google frame to the "insta quarantine" in the AV control panel. Thats a quicker way of sorting it out.

    4. big_D Silver badge

      As Walt Mosspuppet would say...


    5. Anonymous Coward

      Nobody told you?

      That the great Explorer domination-by-web-interface plan was the root of so many security problems, then? I think you must be posting from about 1997?

    6. Cowardly Animosity



  2. AndrewG

    Best Reason ever.... ban Google or anything connected with Google from an Enterprise network.

    I wonder how their revenue stream will fare while their busy forcing people onto Bing?

    As usual, they miss the point..If Enterprises are still using XP/IE8- thats probably becasue they've got so many internal web apps they can't test them all, which is an environment that would make them very leary about a browser functionality install that can bypass policy settings.

    1. Field Marshal Von Krakenfart

      XP & IE6

      The last place I worked had 120,000 employees worldwide, and 100,000 PCs and laptops worldwide. Seem like a perfectly valid reason not to upgrade.

      Want email and access to the web???, make the business case otherwise make do with internal mail and the intranet, and depend on your 'friends' to email you the latest porn/mp3/virus/worm

    2. slightlyoff

      Helping enterprises move bit-by-by is the whole point

      Hi AndrewG,

      I'm an engineer on the Chrome Frame team.

      One of the major features -- some say, the entire point -- of Chrome Frame is to help the organizations you're talking about migrate to a less legacy-dependent world without changing everything all at once. Chrome Frame only renders the pages that opt-in, meaning those legacy IE6-only systems keep working.

      As the article calls out (waaaaay at the bottom), Chrome Frame also provides full administrator controls, group policy templates, and MSI's for controlled deployment. Don't want it on your network? Just push a template and no version will install, not even per-user. Want it everywhere, centrally managed, and updating on your timeframe? Push the policy and the MSI as you see fit.

      GCF doesn't bypass policy settings, it enables them in ways that allow organizations to move bit-by-bit, removing the economic hurdles to adopting better browsers one app at a time, not as a single, risky leap.


      1. Anonymous Coward

        And out of the shadows...

        Its too funny.

        Sorry but anything in a corporate environment that bypasses IT's control is a bad thing.

        Oh wait, this feature was from the same company that is trying to patent the process of sneaking on and stealing information from personal wi-fi networks where the end user didn't set up at a minimum WEP encryption. (Yeah I know WPA2 but WEP is still out there.) And didn't they say it was all mistake when the captured all of the data they illegally sniffed?

        Sure we don't bypass admin controls if you do the following *after* the fact...

      2. jake Silver badge

        Out of curiosity, slightlyoff ...

        What flavo(u)r was the goolaid?

      3. Trixr

        Nice exercise in logical contortions there

        No, actually, administrators expect that if people do not have Local Admin rights on their machines, they should not be able to install anything that allows them to circumvent the IE security settings and configuration that is generally put there for a specific reason.

        So now you're telling us that after circumventing Windows's default protection in that area, WE now have to install some frigging GPO to undo the chaos you're causing?

        Thanks so much for that.

  3. jake Silver badge

    Easy fix.

    Don't use microsoft or google products. It's been working for me for coming up on a year and a half now, with absolutely zero negative impact on my "internet and computing experience", whatever that is.

    1. Lord Elpuss Silver badge

      Easy fix?

      So what do you use for search then - Yahoo!? Or Baidu?

      One way or the other, if you want to get the best from the Web you need to be able to search. And to get the right answers, you need a good search tool. And by definition, the bigger search engines are better at finding general stuff (because they use user-optimised search algorithms; the more users, the better the results).

      And the bigger the search engine, the more power it has and thus the more power to do evil(TM). This is valid for all big search companies.

      Of course you might live in a world where a specialist search tool like Wolfram Alpha works for you - but for the average Joe, simply avoiding Big Search is not an option.

      1. Chris Miller

        Yahoo or Baidu

        I think you'll find that Jake (motto: why would I ever need more than 80x24 characters?) uses Gopher.

        1. jake Silver badge

          Gopher? Nah. Only me Great Aunt still uses Gopher ...

          ... She's been using it to publish the 95+ years of her life's story these last 17 years. It works for her, so who am I to suggest she get a trifle more modern? (True, I maintain the server-space ...).

          I can't remember the last time I used a search engine, outside of Wikipedia[1].

          And no, I don't just use 80X24 ... Sometimes I need to crop pictures ;-)

          [1] I don't trust Wiki, mind, but occasionally I'll look something up there in the hopes of finding a more authoritative link for my nieces & nephews ... After over a third of a century online, I pretty much already know where to find anything I personally am looking for.

    2. Charles 9

      Cutsom apps = Not so easy fix.

      Many older custom web-based apps are tailored for older IEs and break in newer browsers. Chances are no one knows the internal workings of the thing and building a new version will take time and money, neither of which may be available in the budgets for a significant length of time. It's not in the home sector but in the business sector that you find the problem of "unpatchable" PCs: PCs past the support EOL but impossible to update because doing so would break the key applicaitons used in day-to-day operation.

      1. Dave Bell

        How sad...

        These problems were predictable. There is a large flock of IT chickens coming home to roost.

        The downside of this is that we don't know what Google Frame might do--new bugs and new loopholes--but the upside is that it gives users access to today's external webspace.

        The big idiocy is that Google are bypassing limits set by the owners of the computer. The user doesn't have authority to give Google permission to install this software. Running software on a computer without permission--that sounds like a criminal act, under the Computer Misuse Act.

        But I'm no lawyer.

    3. Danny 14

      good idea!

      Apart from central control of proxies is quite poor in firefox/opera. Oh and GPOs dont work in firefox or opera either.

      NTLM has its uses for SSO, GPOs take good care of making sure the little monkies arent tinkering too much. This sort of behaviour is virus like IMHO and has been treated as such.

      1. EyeCU

        You can get firefox to work with GPOs

        Have a look for frontmotion community edition. It comes packaged as an msi with mozilla.adm to control the per computer config and firefox.adm to control the per user config. We deployed it recently and it works very well.

        Still, it's the kind of thing Mozilla should have done themselves if they are serious about making it onto the enterprise desktop.

  4. WR
    Thumb Down

    Easy fix just hit my proxy block list.

  5. Steven Knox

    In Good Company

    'Last month, Russell briefly touched on Google's technical workaround – which involves the use [of] Browser Helper Objects (BHOs) – but he provided little detail.

    "A very small portion of Chrome Frame lives inside the process space of IE," he said. "This is how BHOs – which are these little processes that IE decides to launch at startup time – work. We need some way to get Chrome Frame loaded. We figured out a way to do that. So once that's done, everything else can work as normal. We just have to be inside the process space." Google can do so even if the user doesn't have admin privileges.'

    This is also how many of the malware exploits (esp. spyware) for IE work. Surely code that circumvents the security measures of a piece of software would be reported by the discoverer to the developer, and the developer would patch the hole? Or is the BHO mechanism intended to allow users to run anything regardless of administrative policy?

    I'll leave it up to you to decide if this reflects badly on Microsoft or Google or both.

    1. This post has been deleted by its author

    2. bobbles31

      In fact a good lawyer may argue

      that google are gaining access to systems that they are not authorised to access putting them in breach of the Computer Misuse Act here in the UK.

      That puppy can carry a prison term.

  6. Fred Flintstone Gold badge

    Please queue up in an orderly line..

    .. to defend what Google is doing here, because I'm interested in which twists ye will turneth to sweet talk this one.

    The who reason IT puts control into a network is to assure a safe and secure working environment, which unfortunately gets in the way of the Great Google Global Data Collection (tm) , that's G3DC for those that like acronyms. So the security of a corporate network obviously had to go.

    Just when you thought that Microsoft couldn't possibly stop sinking, there is hope at last (not sure I'm happy with that, but that's a separate discussion) - Bing sure is going to get more attention now..

    .. or even Baidu..


    1. The Beer Monster


      Dirty deeds, done dirt cheap.

  7. Anonymous Coward
    Anonymous Coward

    Google software is designed to spread like a virus

    This kind of thing is why I ban the execution of all EXEs outside of C:\Program Files. Works wonders.

    1. Getter lvl70 Druid

      Have you not noticed....


      Apps and various update .exe's like to live/run from there too.

  8. Anonymous Coward
    Thumb Up

    Good Thing!

    This is a good thing. Microsoft, in their infinite wisdom, have held the web back for too many years by delivering a crappy browser that makes webdevelopment a huge pain.

    Unfortunately, it was never really possible to completely drop support for IE, because too many people (mainly office personnel) are forced to use it. With the option to install GCF without admin rights, there can finally be a shift. If this happens, it could hugely improve the speed at which new technologies can be used in webdevelopment.

  9. Anonymous Coward
    Anonymous Coward

    May we be thankful...

    This is about as ethical as the tricks redmond used to ensure ie6 got entrenched everywhere and kill netscape out of spite. Doesn't mean it's justified or even excusable. But I'll not lose sleep over it either. That platform just isn't very ethical nor very secure. Use at your own risk.

    1. Tom 13

      Maybe not just a question of ethics.

      Someone has posted a question about the Computer Misuse Act for your side of the pond. I'm thinking DCMA on mine.

  10. Anonymous Coward

    Irresponsible Google and crappy MS

    Google are being incredibly irresponsible in doing this - releasing a piece of software that deliberately circumvents a policy that has been put in place (for whatever reason) is no better than what the virus and trojan writers do. And then to say "...but if you use this OTHER piece of software that we have also written, you can stop it" is tantamount to blackmail. WHY would any admin WANT to install some Google tool to stop some other Google tool from being installed? I mean, yea, I would trust it - why not????

    On another angle, MS are to also to blame for allowing this to happen. It should be possible to lock-down IE so that add-ons like this can not be installed. But then IE and Windows in general is and always has been a Swiss-cheese when it comes to security, so nobody should be surprised.

  11. umacf24

    Happily -- where the installer comes from -- is categorised as "Software Download" in our webfilter services, and appsense won't let the users run it anyway.

    *complacently strokes persian cat*

    1. CD001



  12. Anonymous Coward

    Might I respectfully suggest

    ... that Browser Helper Objects (BHO's) should be henceforth known in the literature as BooHoo's?

  13. Sharpy86

    Not with IE6

    I just tried this on a Windows XP virtual machine with a standard restricted account. I tried to run the installer and it said I needed administrator rights to install it. Interestingly when I tried this on internet explorer 8 it worked. Wow Internet Explroer 6 led to better security. The world has gone mad.

  14. Greg J Preece

    Just like Chrome!

    "Google has released a new version of Chrome Frame – the Internet Explorer plug-in that turns Microsoft's browser into a Google browser – letting users install the plug-in even when they don't have administrator privileges on their machines."

    Just like their main Chrome browser has been doing since it was released. Turn off install privileges for your user, and Chrome just installs itself in their user directory. I figured out the best way to stop it was to create the Chrome install folder on the machines in advance, then revoke any and all write permissions to it. Boom! No Chrome.

    I don't know why they think this kind of thing is acceptable. Trying to up your market share at the cost of security on the few machines I have still running Windows == your product gets banned from the network.

    1. Lewis Mettler

      too bad you can not possibly stop IE

      Too bad you can not possibly stop IE from being installed.

      Funny how IT complains about not being in control when Microsoft demands they install IE and PREVENT its removal. No matter what trick you think you know.

      IT is not in control of any of their machines. Microsoft is.

      1. Trixr
        Black Helicopters

        That ship has sailed

        Dude, give it a rest about IE being embedded into Windows. You can hide it if you don't like the ugly icon on the desktop. Or if you REALLY don't like it, use one of the alternate OSes out there.

        Of course, suggest in an enterprise they get rid of Windows, and you'll soon find out who controls IT (hint: not the IT people).

  15. Select * From Handle


    "Google is well aware of this. But the company says that if admins don't like it, they can use separate admin Google tools to stop it from happening."

    The only time users wont have admin privs is when they are in a locked down work environment where some of the functionality of the company maybe run through internet explorer. so why would google go out of their way to put chrome into I.E? i my self love chrome but i would not put it into internet explorer! its slow enuff without having weird add-on thrown in the mix.

    WTF separate admin tool? will i have to have it constantly running and why should i have to run the tool at all? thats like me going into ASDA and super glueing a massive poster for Tesco's up on the wall and saying, im fully aware of what i have dun but you can go get some white spirits and take it down.

    Google just lost a point in my books..

  16. Paul M 1


    But surely that's how things should be done, isn't it? By installing something without needing admin rights, doesn't that mean it will only be able to run with user-level privilege? And isn't that exactly what people have moaned about Microsoft for, creating an environment in which normal apps run with admin privilege by default?

    I struggle to see what the risk is here, and I don't mean vague "it's a plug-in therefore it is risky" type statements.

    1. Captain Underpants

      It's the WebGL capacity

      Well, the first issue I've got with it is that Google Chrome Frame is WebGL enabled. Bad enough that to disable webgl in Chrome proper you have to change the launch target and add a command line switch (because Christ forbid it be something you can configure in a conf file somewhere, or in the normal settings interface). But if IE doesn't do WebGL because Microsoft think it's a bad idea for security reasons and then Google release a way that users without admin rights can have a webGL capable browser *anyway*....well, that's pretty bad.

      Of course, I'm one of the people who thinks that letting webservers send content directly to my graphics card is very obviously a really shit idea. Someone who eg develops content to exploit this function and therefore sees this as a way to get a greater target audience might differ.

  17. Craig 28

    Nice response

    "If you don't want users using our piece-of-crap Chrome Frame just stop it using our piece-of-crap admin tools."

    Or to compare it to something less techy...

    "We make an automatic lock pick that can break into any car. If you don't want your car broken into just use the new anti-pick lock we also make."

    Google should not be providing both the problem and the solution in two seperate packages. Of course if as someone mentioned earlier it's as easy as blocking, assuming Google doesn't come up with a way around that like having multiple ChromeFrame URLs it can choose from, then that's a good solution. Google still should respect policies enacted on the system though.

    If software starts installing ChromeFrame like it does the Google Toolbar I'll be really mad.

    1. Anonymous Coward
      Anonymous Coward

      Easy BOFH response

      "You were found with Google Frame installed despite our security documents specifically banning it. We've configured the proxy to deny all access to the external world"

      Getting management to sign off on it might be a battle tho

  18. Anonymous Coward

    The arrogance of Google something else! I wonder how long it is until someone gets fired for running this plug in? I can think of a couple of places I have worked that would terminate anyone using this, due to the potential for security issues.

    Heres a clue Google.. companies lock down systems to prevent the ill informed toying with it. Circumventing that in any way is just ummm oh yes... "evil". To then justify it by sayng "Just install out admin tools" is a further step across the line of towering arrogance. Heres a clue.. we DON'T want your plug in... and DON'T see why we should install your admin crud to prevent you subverting the permissions built into our O/S with your malware.

    Many places DONT want anything Goggle on their machines.. get the message... you are NOT the be all of everything.

    Time for a further tightening of the security screws here I think... with credit given to Google.

    1. Lewis Mettler

      you bought IE

      You purchased IE without any decision on your part.

      Yes, it may be a bit arrogant of Google. But, Microsoft forced you to purchase IE illegally. Commingled the code illegally. And prevents you from ever removing it.

      If you think you are in control of your own machine, you are an idiot.

      1. Anonymous Coward
        Anonymous Coward

        They didn't at all, Lewis.

        "But, Microsoft forced you to purchase Internet Explorer illegally." How so? Would the value of Windows decrease if Internet Explorer was removed? (Answer: No. Both the N and K editions of Windows ship for the same price as 'regular' Windows.) Internet Explorer, by the way, is on a very basic level a front end to Trident; Microsoft's HTML renderer, which is used and required by other areas of the OS and other software, much like WebKit is used in Mac OS and KHTML was (is?) used in KDE. Contrary to your trite assertions, Microsoft do not hold a gun to your head and demand that you use Internet Explorer or buy it. Ever. You can, certainly in Windows 7, remove the front end to Internet Explorer if you wish, but the rendering engine (amongst other components) remains available to and as part of the OS and software that runs on it. This isn't illegal. So, pretty please, with a cherry, change the fuckin' record.

      2. Not That Andrew

        @Lewis Mettler

        Rubbish. Anyone who has purchased Windows since Win 95 OSR2 KNOWS that IE is part of the package.

        1. Anonymous Coward
          Anonymous Coward


          I my memory serves me correctly, you can block access to IE with a GPO.

  19. George 24


    Is over stepping again. There are many valid reasons why corporate pcs are locked and if google wants to gain ground in the corporate environment, it should look at ways to better fit in, not ways to bypass controls. The site is now on my black list.

  20. XMAN
    Thumb Down

    F Google

    You can tell they're an American company. They do whatever they want, even when they know its wrong or illegal and then just wait for the small fine/slap on the wrist.

    The penalties given to Google are nothing compared to their earnings so they openly ignore rules and laws.

    And now they're trying to set a new standard. Just like before. Oh no, we're not breaking copyright laws because we're giving you a way to block us (robots.txt). And now, oh but you can stop us by doing xyz.

    How about I start robbing peoples homes and then my excuse can be - "But if you put a sign by your doorbell that says 'thieves/404', I wont rob you'. Works for Google, should work for me, right?

  21. Anonymous Coward
    Thumb Up

    I like it.

    This will allow me to stop supporting IE on our web development platform.

    Our users can then get a proper browser (anything but IE) without having to go through IT.

    I understand why locking down the OS is a good thing for the IT dept, but why oh why, do they have to use IE?

    1. Atonnis


      It's nice to see a refreshing viewpoint. 'Anything but IE' is a 'proper' browser, is it?

      Can we have a justification for that? Many of us think IE9 is a 'proper browser'.

      But then, you're probably the sort of person who thinks that Chrome OS is a 'proper OS'.

    2. CD001

      History lesson...

      Here's a little history lesson; a long time ago, on a PC far, far away (ok roughly around the turn of the millennium on PCs everywhere), two companies, one known as Microsoft and another Netscape were building web browsers (so were Opera, but they were charging for it so nobody used it, amongst others).

      MS owned the OS space with Windows, munged IE into Windows and killed off the competition, giving themselves a 95% market share in the browser space - irrespective that this was an illegal, anti-competitive practice, that's what happened.

      Once they'd got the browser market wrapped up, Microsoft were effectively the defacto owners of the standards - so many, many monkeys in web-code land coded to the MS "standard" - and MS saw that it was good and decided to stop there; IE6 would be the LAST web browser ever, the HTML/CSS/JS standard was set in stone forever.

      Now those many, many web monkeys made many, many websites and intranet applications all in-line with the MS standard... then from the ashes of Netscape arose Firefox. Firefox (and virtually every other browser) supported the W3C standard NOT the MS "standard" so as Firefox gained traction, by default, the percentage of people browsing the web using the W3C standard increased - the glaring errors in IE6 (such as the box model) became more apparent in poorly written websites that adhered to the MS way of doing things.

      Until today - where the IE6 legacy plagues the business space - old, shonky intranet applications that are no longer supported or developed but still widely used sit on the network, applications that will only work in Internet Explorer (as they were coded for "the last ever web browser", IE6) - so the IT department HAS to mandate the use of IE6 for those applications - just because some lazy arsed web monkeys couldn't be bothered to code to something resembling the (admittedly somewhat irrelevant at the time) W3C standards and implement kludges for IE6.

      If they'd done it right in the first place - we'd not have this issue now. It has ALWAYS been possible to code cross-browser/cross-platform, although with a lot of parallel JavaScript code... and had they done that the applications would work in browsers today, even the (much improved) latest version of Internet Explorer, IE9. I know, I've got stuff running where the UI code hasn't been touched in best part of a decade - though I may update it to make use of some of the CSS3 features at some point.

      1. Getter lvl70 Druid


        I paid $19.95 for Netscape 2.0 in 1995. Microsoft Internet Explorer 1.0 was a total POS installed on Windows 95 and Netscape was worth every penny. Hehe, remember back when people used ftp? When Microsoft released Internet Explorer 3.0, I was one of the first Midnight Madness downloaders (got the t-shirt to prove it lol) because it was new and free, having something different back then was exciting because you didn't have this smorgasbord of choices.... outside of the Apple Orchard that is. When MS released Windows 98, they integrated IE - side note: Windows 98SE is to Win98 was what Windows 7 is to Vista Business+ (vista home was borderline obscene).

        It was then Netscape was forced to give their browser/email suite away to compete, driving them out of business. There is such a thing as karmic justice and old Bill has a lot to answer for. I positively loved Netscape, I still have install .exe's for several versions, and often skin my Firefox with a Netscape-like look. The Netscape shooting-star-N still makes me smile - Cookie Monster's eyes are staring me in the face right now... for the love of God I don't remember why...

        Anyway, Remain Calm and Carry On. (I want one of those posters man)... I didn't down-vote you my friend btw, just elicited memories of long ago when the Internet was innocent and you had to ftp your data rather than email to damn thing (stupid humans!!!) 4 boot floppies for loading the cd for Win NT 4.0 (remember the video card trick when you installed a new card?), 13 floppies for Win 95, like 26 for Win98 lmao....

  22. kain preacher


    "You can tell they're an American company. They do whatever they want, even when they know its wrong or illegal and then just wait for the small fine/slap on the wrist."

    Yeah cause Phorm/BT didn't happen and if it did happen the Met would done a proper investigation and people would of been tossed in Jail.

    Arrogance knows no race, creed, gender , nationality, place of origin, political affiliation or region . It just exist, right along it's cousin stupidity and I know better than you do( politicians making Nanny laws cause you are to stupid to protect your self) .

  23. big_D Silver badge

    Two minds...

    On the one hand, I say "die IE6, die!" On the other hand, Google are encouraging people to put their jobs at risk. In many companies it is a disciplinary, if not sackable, offence to install 3rd party software on a company machine...

  24. Anonymous Coward

    Thanks Google.

    This is just what I need. As if Microsoft's admin tools weren't bad enough, Google are now letting the users install stuff that we don't want them to install and we have to install more Google software in order to stop it.


    Makes me want to take Google's IP range and ban it in the firewall.

    Just who's IT systems are these anyway?

    1. Lewis Mettler

      Microsoft controls your machines.

      Microsoft forced you to purchase IE. (Did you pay for Chrome?)

      Microsoft pevents you from removing IE. (Does Google do that with Chrome?)

      Micosoft makes your IT decisions for you. (Does Google do that?)

      Sounds like the so called IT managers on here are really Microsoft employees. Hint: You are.

      1. Not That Andrew

        @ Lewis Mettler

        This is getting tiresome. Anyone who has purchased Windows since Win 95 OSR2 (possibly OSR1) KNOWS that IE is part of the package.

        Am I going to have to follow you around this site cutting and pasting this under every stupid Google fanboi comment you make?

        1. Anonymous Coward


          ...and another thing, Mettler ... not only did I not pay for Chrime .. but I don't bl**dy even WANT it, whether I pay for it nor not.

          --Even though it is free, doesn't mean it is good.--

          In fact, I think Chrome is a load of minimalistic crap, and I'm furious with Firefox that they've followed their lead.

          1. Oninoshiko


            While Mettler needs to stop and actually THINK for a moment, (I did not pay for IE on my machine, it did not come with my machine (nor did Safari, yes there really are computers out there without MS Windows or MacOS 10.x licenses)) by the same token you ARE aware that Firefox was "A load of minimalistic crap" off of Mozilla. Believe me, things would me MUCH better if it really where "minimalistic crap" then we wouldnt be arguing about how upset people are they it doesn't properly use memory greater then 2G!

      2. Anonymous Coward

        I'll tell you who...

        Our decisions are mostly made by the moronic application vendors who are such bad programmers that they cobble everything together in Micro$hite and throw it out the door before it is ready, with a load of patches to follow.

        These people who are such pathetic programmers that we are forced to load copies of Office on to servers in order for their programs to work, costing us more licences and, because every bledin' vendor uses different versions of Office libraries (blame who you like on that one) we're actualy forced to have discrete servers for every application. That costs us extra either in servers, or in having to run a virtual server farm.

        You can also blame the wankers who supply products with web interfaces that are not standards compliant and will only fucking work with IE.

        If I had my way, Micro$oft would be nowhere near our organisation.

        Get the idea that I'm hacked off when crap like this comes to the surface? Is it any surprise?

  25. Getter lvl70 Druid

    lol I wondered.....

    Had a Win7Pro machine flake out yesterday, you know, "it was fine Friday when I left" type of call. Went into safe mode and put a pre-Trendmicro version of HijackThis on it, doing my usual smart bastard 'fsck this, fsck you" removal of registry entries of the usual suspects. This thing looked like Google shiite all over it.... Rinse. Repeat, Reboot. System all better.

    Google is really starting to get on my nerves, they have surpassed Symantec with the about of absolute unneeded crap they install.

  26. GazElm

    Why not just...

    Why couldn't they have done it the other way round - provide a browser (Chrome) that runs a given list of websites (crappy old intranet sites, list provided by network admin) in something like IE tab, and everything else in Chrome.

    Those that want it can install it, those that don't, don't. And it gives people a way out of IE6 while making their old sites still work.

  27. Anonymous Coward


    I'm with the users who are forced to still use IE6 on this one. If I was Microsoft I would cease support and even start blocking it.

    1. Charles 9

      Trade Secrets

      It's simple. They don't know how. Microsoft kept the hooks for IE6 under very tight lock and key. Now, they probably don't even have copies of them anymore. So you're basically stuck with an application no one knows how to debug (because the programmers have moved on/gone out of business) and with no means to upgrade out of since no one else used the proprietary hooks...and since no one nowadays knows what those hooks were in the first place. It's like taking a smartchip card key up to a door only to discover it has a Mortise Lock.

  28. Anonymous Coward

    Fans of richeous indignation:

    This is a solution to an actual it problem. Be mortified if you want to be about their methods, or save it for the "told you so moment" when/if someone delivers an exploit into the wild. I don't care. Its a solution that I need and I'm going to use it.

    1. Richard 120
      Paris Hilton



    2. NogginTheNog


      This is Google finding a sneaky back-door way of getting their browser in to places where they couldn't previously get it. Now are they doing that for the greater good of downtrodden users, or so they can squirm their tentacles into ever more nooks and crannies..?

      The fact this circumvents corporate lock-down policies, and indeed standard IT good practices, is something I'm sure they are TOTALLY aware of. And they don't give a fuck.

  29. Atonnis

    I am SO psyched....

    I get to dust off them ol' Terms & Conditions of Employment and get me some people sacked for installing shit on their PCs - specifically in breach of said terms.

    Whoop! Whoop!

  30. Zot

    Admin wrongs

    So this makes Admin rights completely useless then? Why can't Microsoft get things right for once.

    1. CD001

      Not really

      The user is installing Chrome Frame in user-space, with user-level privileges ... which is exactly what is SUPPOSED to happen. Only if you're installing system-wide software do you need admin rights.

      Think of it like having a self-contained program which only writes to the user folder, makes no alterations to the system files or registry - effectively just an .exe file with maybe an .ini or .cfg file - any user can simply copy that to their own folder and run it - that's pretty much what a user-level install is.

      Microsoft have been providing guidelines to that effect for years (since Win 2000) - just very few people (including their own devs) followed the guidelines until they were enforced with more strength in Window Vista/7 - much as I like giving MS a kicking when it's due I don't think it's really justified in this instance.

  31. Anonymous Coward
    Anonymous Coward

    Do you fire people for

    the JavaScript code that their browser downloads and executes every day?

  32. lIsRT

    But, but, but...

    ...I thought we were *meant* to make sure that, where possible, our code never actually needs root^H^H^H^Hadmin privileges!

    Seriously though, Google's "customers" are the users - not the owners. What else do you expect?

    1. Ben Tasker


      In the strictest sense of the word, Google's "customers" are advertisers

      That's why most of Google's services don't have a support email or phone number attached, but advertisers have a 'hotline'


  33. Anonymous Coward

    security issues with Google Chrome?

    > many machines are still on Microsoft's Windows XP operating system, which means they can't be upgraded to Microsoft's latest version of Internet Explorer, IE9, the release that finally brought the browser into the modern world. IE9 won't run on Windows XP.

    There's absolutely no technical reason for this, it's just a method to force people to upgrade to Windows sevISTAen ..

    "Given the security issues with plug-ins in general and Google Chrome in particular, Google Chrome Frame running as a plug-in has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

  34. Frank 2
    Black Helicopters

    This should look good

    in Google's antitrust case...

  35. Anonymous Coward
    Anonymous Coward

    My tuppence, for what it's worth...

    Personally, I'm no fan of and don't use Internet Explorer, except for testing and the odd bit of debugging in a VM, but I do think Chrome frame is unnecessary. Good web developers have learned to design and develop sites responsively and adaptively, negating the need for this technology. This new version of Chrome Frame seem to add another paper cut to the world of enterprise IT. Surely this is just a sneaky way of getting WebM and WebP onto more machines?

  36. Nunyabiznes

    Google Earth

    Google Earth installs in much the same way. No admin rights necessary.

    Big problem: Google Earth is only free for HOME use. Corporate use requires a bought and paid for license. If IT can't stop the install, how can we insure we are not going to be sued for having illegal copies of software on the computer?

    Chrome Frame isn't licensed apparently (yet) so that isn't an issue with it, but it opens the door for other apps that are licensed.

    I run SRware Iron and I like it, but Google in and of itself can go blow meat whistles.

    1. Anonymous Coward
      Anonymous Coward

      ooh!, I never knew that

      brb installing google earth

  37. Anonymous Coward


    "Seriously though, Google's "customers" are the users - not the owners."

    Google's customers are the advertisers. Any time you're given something for free, you're not the customer, you're the product.

  38. Rick Giles

    No! No! NO!

    ""Yay for clever technical hacks that help users circumvent ossified IT bureaucracy," said one commenter"...

    The policies are there for a reason people. We already have to do enough spy/ad/malware removal as it is on machines that are locked down.

    Remember Smiley Central? Those cute little e-mail add-ins? They put something in IE that actually broke a web site that was provided by an external vendor. Took forever to convince them that they didn't need to load that crapware.

    The companies policy states that termination is possible if you are using the computer against those policies. Maybe Google will give them some money if they get fired.

  39. Anonymous Coward
    Thumb Up


    "You will need administrative rights on your computer to install Google Chrome Frame"

  40. Anonymous Coward

    Totally irresponsible on Google's part

    I'm a user, not an IT techie, but I have to say:

    1. IT controls (if occasionally infuriating and productivity-draining) are there for a reason--namely to prevent your company ending up on the Reg's latest "XXXX hacked and customer records stolen" article

    2. So you can manage the unwanted plug-in with Google's own admin tool? Hey, great!! I often hear our IT people customers talking about how they would experience perfect happiness if only it required one more admin tool to manage their networks!! (/sarcasm off)

    3. So Google's way of moving up the enterprise value chain is to use its brand equity with the workaday legions to skirt corporate IT policy? Boy, I bet CIOs and CISOs are thrilled by that kind of "gumption" in a software supplier!! I'm sure the positive C-level customer comments are flowing into Mountain View as we speak!!

  41. tom 24

    *Huge* performance advantage

    oooh, 30 percent faster. I can see why people would subvert their site security policy for this huge improvement in speed. Hold me back.

  42. Oninoshiko

    Google's admin tool?

    How about this admin tool, "You violate my network usage policy, you get to look for a new job."?

    Accadently getting a virus is one thing, Intentally installing a package which is not approved is something else entirely. Now that that's sorted, I have some real work to do.

This topic is closed for new posts.

Other stories you might like