by gnyman 669 days ago
When did Chrome go from the most secure browser to there being an exploit chain giving RCE by visiting a malicious website every second month? (Last ones I recall were CVE-2024-4761 and -4671.)

Or maybe it was never really secure and it was just good marketing?

7 comments

Chrome has the most vulnerabilities because it's the largest browser by market share by a mile, and so has the greatest number of eyes on it. You also can't extrapolate "it was never really secure" from that: practically all software has bugs, especially multi-million line codebases like Chrome. Relative to the average C++ program Chrome is exceedingly secure, and likewise Chrome has been constantly on the cutting edge of introducing new security mitigations. "Is it secure" is not a binary property.
It can be a binary property if you define security as a proof of absence of runtime errors, which is possible to achieve today.
This isn’t really possible to achieve.
It's possible. You can prove absence of runtime errors with Ada/SPARK (which uses theorem provers).
The bar for Chrome was IE at the time, and it beat that.

I think it’s also partly Google’s very open culture on CVEs that means they are discovered and reported on promptly. It’s difficult to tell how much of it is just increased awareness that browsers are full of holes and whether the holes are increasing in size/frequency tbh.

> The bar for Chrome was IE at the time, and it beat that.

I would say there were three trends that happened at the same time that really made a difference:

- People now actually update their web browser, and yes, started to ignore the browser vendor that wasn't shipping updates (IE). Drive-by download exploits started to disappear.

- Flash and Java went from enabled by default to prompt-first. Flash was later abandoned, and IcedTea-Web / Java Web Start had its core functionality gutted in later Java versions.

- No support for ActiveX at all, unless you wanted to go for IE Frame (Chrome and IE tabs under a Chrome interface) or Chrome Frame (IE and Chrome tabs under an IE interface), which quickly faded into corporate intranet obscurity.

All three saved us from a much worse future.

It is the most secure browser. The lifetime of these kinds of bugs is generally a few weeks to perhaps 2 months. With a high churn codebase, these things just happen. There is a lot of ongoing work to mitigate the impact of renderer bugs, such as the V8 heap sandbox.
As others said, they are quite open about vulnerabilities and CVEs.

However, Chrome is an operating system unto itself. It's more than 40 million lines of code comprising complex intertwined systems. It's a miracle there are so few CVEs.

It's all renderer-only RCEs, no sandbox escape. So it doesn't work on your browser, only if you disable the sandbox.
> I then leverage this to achieve arbitrary memory read and write outside of the v8 heap sandbox, and in turn arbitrary code execution in the Chrome renderer process.

So the code is running in a process that runs as the same user running the browser. That's no longer much of a sandbox and you're now relying on the OS to protect your data, right?

No. There is a reason the author keeps repeating "arbitrary code execution in the Chrome renderer process." Because it's there, not in the browser process.
https://github.com/github/securitylab/tree/main/SecurityExpl...

> If successful, on Ubuntu 22.04, it should call launch xcalc when calc.html is opened in Chrome.

Then how does this work? It doesn't look like the provided build flags disable any sandbox that the distributed build doesn't.

You can disable it at runtime, with the --no-sandbox command line option.
No. You're relying on the OS's sandboxing features, which are much, much more granular than just "the same user running the browser."

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...
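The two comments above make a practical point for anyone running Chrome in a fleet: a renderer-only bug is contained by the sandbox, so what matters operationally is whether the browser is actually running with its sandbox intact, and the --no-sandbox switch (or the other switches that strip individual sandbox layers) is what turns a contained renderer bug into code running as your user. The audit script below is an added example written for this thread; it is not code from the thread, from the linked GitHub Security Lab repository, or from the Chromium project. The switch names it checks are real Chromium command-line flags; the process samples, the binary-name list and the helper names are constructed for the example. On Linux it reads live command lines from /proc; elsewhere, or when nothing is found, it falls back to the constructed samples so it runs offline.

```python
import os

# Chromium command-line switches that remove or weaken a sandbox layer.
# The switch names are real Chromium flags; everything else in this file
# (process samples, binary list, helper names) is constructed for the example.
SANDBOX_WEAKENING_FLAGS = {
    "--no-sandbox": "renderer/utility sandbox disabled entirely",
    "--disable-setuid-sandbox": "Linux setuid sandbox layer disabled",
    "--disable-seccomp-filter-sandbox": "Linux seccomp-bpf syscall filter disabled",
    "--disable-gpu-sandbox": "GPU process sandbox disabled",
}

# Constructed list of executable names treated as Chromium-based browsers.
CHROMIUM_BINARIES = {
    "chrome", "chromium", "chromium-browser", "google-chrome",
    "chrome.exe", "msedge", "msedge.exe",
}


def is_chromium(cmdline):
    """True if argv[0] looks like a Chromium-based browser binary."""
    if not cmdline:
        return False
    exe = os.path.basename(cmdline[0]).lower()
    return exe in CHROMIUM_BINARIES or exe.startswith("google-chrome")


def audit_cmdline(pid, cmdline):
    """Return (pid, switch, explanation) for each sandbox-weakening switch on a Chromium process.

    Only the switch name (the part before any '=') is compared, so an unrelated
    switch whose value merely contains the text '--no-sandbox' is not flagged,
    and a non-browser process carrying the same switch is ignored.
    """
    if not is_chromium(cmdline):
        return []
    findings = []
    for arg in cmdline[1:]:
        name = arg.split("=", 1)[0]
        if name in SANDBOX_WEAKENING_FLAGS:
            findings.append((pid, name, SANDBOX_WEAKENING_FLAGS[name]))
    return findings


def audit_processes(processes):
    """processes: iterable of (pid, argv list). Returns the combined findings in input order."""
    findings = []
    for pid, cmdline in processes:
        findings.extend(audit_cmdline(pid, cmdline))
    return findings


def read_proc_cmdlines():
    """Collect (pid, argv) for live processes from /proc (Linux); empty list elsewhere."""
    result = []
    if not os.path.isdir("/proc"):
        return result
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited, or not readable by this user
            continue
        argv = [part.decode("utf-8", "replace") for part in raw.split(b"\0") if part]
        if argv:
            result.append((int(entry), argv))
    return result


# Constructed sample: a normally sandboxed browser and renderer, a dev instance
# started with --no-sandbox, a headless automation run with the setuid layer off,
# and a non-browser process that happens to carry the same switch (must be ignored).
SAMPLE_PROCESSES = [
    (4101, ["/opt/google/chrome/chrome"]),
    (4130, ["/opt/google/chrome/chrome", "--type=renderer", "--lang=en-US"]),
    (5210, ["/usr/bin/chromium", "--no-sandbox", "--user-data-dir=/tmp/profile"]),
    (6001, ["/opt/google/chrome/chrome", "--headless=new", "--disable-setuid-sandbox"]),
    (7002, ["/usr/bin/python3", "worker.py", "--no-sandbox"]),
]


def report(processes):
    """Print one line per finding; returns the number of findings."""
    findings = audit_processes(processes)
    for pid, switch, why in findings:
        print(f"pid {pid}: {switch} ({why})")
    return len(findings)


if __name__ == "__main__":
    live = read_proc_cmdlines()
    report(live if live else SAMPLE_PROCESSES)
```

Run against the constructed sample it reports the two Chromium processes started with a weakened sandbox (pids 5210 and 6001) and nothing for the python3 process, even though its command line contains the same switch. A finding is a configuration issue to chase down (a developer launch script, a container image that sets --no-sandbox because the setuid helper is missing, an automation harness), since every one of those processes loses the containment the thread is discussing.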

Google trying to cram everything including the kitchen sink into Chrome probably doesn't help here.

Who in their right mind thinks it makes sense to have a desktop screen sharing system... built into a browser?

It makes sense once you realise that Chrome and Google benefit from increasing the complexity of web browsers. It means that new browsers cannot feasibly compete. It's basically an arms race of "how much mental shit can we throw in there"?
I understand why they do it (I think it's probably more about pushing the idea of a browser as the thing people use for everything than competition with other browsers TBH), but I definitely wouldn't say it "makes sense".
Just used it a few days ago and it was very practical to use it instead of downloading some third-party software. Since video conferencing apps are web-based, it makes sense.
Can't fall behind on those javascript benchmarks.
even that was marketing