[progers7]

SVG's SMIL bites again (the bug used to write the exploit). This ancient animation system is incredibly hard to implement without security bugs due how GC interacts with the SVG SMIL DOM apis (animVal, baseVal, etc). SMIL is one of the reasons Chromium implemented C++ garbage collection.

With finite engineering resources, there's always a tradeoff between maintaining backwards compatibility and making forward progress. I think SMIL would be something better left behind.

[romed]

Do you imagine that Apple has finite engineering resources? The last I heard was it is the richest company on earth. They’re just satisfied with the status quo in which Google does all of their security work and nobody cares because of decades-old misperceptions about Mac vs Windows malware safety.

[evilduck]

Money alone doesn't create more qualified engineering applicants. They may be able to use money to poach those resources but the candidate pool for this sort of work is extremely finite.