Why use browsers which lag one or more release cycles?

Discussion in 'other software & services' started by Windows_Security, Dec 28, 2015.

  1. Comodo Dragon = 2 releases behind Chrome
    AOL = 1 release behind Chrome

    I am sure most forum members are aware that when you use, for instance, the Comodo Chrome clone, you are using a browser with published and exploitable vulnerabilities.

    Why would you do that? What is the appeal of these "security" browsers? Why don't they consider browsers like AOL, Comodo, Epic, etc. a security risk?
     
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    It's probably got something to do with personal preference. Each his own, so to speak. I would never, ever use any Comodo products, nor would it occur to me to use Google Chrome or any other Chrome-based browsers. I just don't like their products - but it's just me, it's just personal preference.
     
  3. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    With Windows I use the latest Chrome release, but with Linux, I use Firefox ESR.
     
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    No, I don't consider them a security risk.
    Ask yourself..!
    What are the chances of actually coming across one of these "exploitable vulnerabilities"? Very slim, I would imagine.
    How are they vulnerable and against what exactly?

    Of course the user can harden the browser to be more secure. Personally I feel Chrome has too much razzmatazz and bells and whistles to defend against highly unlikely encountered malware.

    Why on earth is sandboxing a browser such a high priority?
    I have never sandboxed a browser and don't intend to, and I'm perfectly happy with Pale Moon, which I consider a better browser than Chrome.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    It's probably more likely a browser plugin/add-on will be exploited than the browser itself.
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    How so?

    Please, understand something: Lagging behind does NOT mean being vulnerable. Once you support a particular release for a longer time you're able to study its source code and search for vulnerabilities for a longer time. You're still able to port the security patches, and since no new (and possibly vulnerable) features are being added, you're actually safer.

    So lagging behind is actually a very good thing. Just look at Debian Stable releases, for instance.
     
  7. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Correct, but not applicable here. Comodo etc. essentially sits on Chromium technology--true lag. They add no more value/patches outside of Chromium and their rebrandings/extensions; Comodo/AOL are not creating "extended releases" nor creating patches that are not otherwise submitted to the Chromium devs. "You're still able to port the security patches"--no, true lag would not imply this and the basis of the problem.

    This creates two problems: adding superfluous unvetted code along with giving you Chromium tech/sec behind official release.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm not implying they're actually doing it, but rather saying it's possible and it's done by other projects. I don't know how COMODO/AOL operate their browsers.

    My point is that lagging behind doesn't mean being vulnerable.
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The risk is minimal. I disable all automatic updating in any Chromium browsers I use and I'm often several versions behind the latest. The automatic updating conflicts with my ACL settings and causes problems. It requires a higher privilege level than I'm willing to give it to work properly. My Windows systems are locked down and my browsers all have script blocking so I'm not really that worried about exploits. In the case of Chrome, I use it as a dedicated client for Google Voice and the only domains it visits are Google's. I did a lot of flag tweaking in addition to having uMatrix and Script Blocker installed and I once tried to use Chrome for Facebook but I had Chrome so tightly locked down and customized for Google that Facebook wouldn't work at all on it even with JavaScript enabled for its domains.

    I post this in Opera 12 which is no longer updated since a few years ago. In spite of that, I've never suffered an exploit with it in all these years it hasn't been updated.

    Updates are not a cure all in any sense. They just as often break things as fix them. They are not always just patches of vulnerabilities. I use the ESR releases of Firefox just because the updates are all security updates and I know I'm not going to suffer from broken extensions or other issues if I apply them.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I agree with others - risk of stumbling upon a site exploiting those vulnerabilities is extremely small. If you use some Adblocker chances are even smaller. Although updating software is a good security practice, IRL users rarely get hit by malware exploiting unpatched software.
     
  11. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Correct me if I'm wrong, but doesn't Chrome, after the vulnerabilities have been fixed, detail in a changelog how the vulnerability happened and how they can be achieved? So, wouldn't any "bad guy" have an easier job in "attacking" a browser (Chromium-based) that didn't have those updates?
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I use 360 Extreme Explorer which is not as up to date as Chrome. I do so because I have configured it to work how I want. This is something I cannot do with Chrome (or Firefox, or IE) without installing addons, as the standard configuration options are too limited.
     
  13. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    211
    Sometimes because the latest and greatest may have introduced a bug that you will wait for them to fix.

    I don't know which version of Google Chrome it was, but it would not load any local HTML files at all; it just said about:blank if you tried to load them.

    I used Comodo until Google fixed their broken browser...

    If it don't work you must use something that does.

    Now with the changes in Firefox, I am keeping some of the older portable releases for when problems arise.

    rrrh1(arch1)
     
  14. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    In all probability we are all using vulnerable browsers and Chrome is no exception. When the next Chrome update occurs there will be several vulnerabilities patched etc.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    Yes, but they will be undiscovered vulnerabilities, which can not yet be exploited.
     
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The point some of us are trying to make is that vulnerabilities are always present but the chance of exposure to an exploit that will use a vulnerability in a given system is pretty low. Security strategies that mitigate or at least minimize the effects of a broad range of exploits are more effective than continually patching for specific vulnerabilities.
     
  17. Best answers so far

    Post #07 @Sordid
    Post #11 @Azure Phoenix
    Post #15 @Roger_m

    @MisterB
    The chance of being hit by any malware is low, but I thought that most malware was delivered through exploits (don't have the statistics at hand).
     
    Last edited by a moderator: Dec 30, 2015
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    IMO most malware is delivered by mail, hoping that the receiver will run an attachment or download offered on some website. IMO most infections happen when users run something they shouldn't.
     
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Exploits are one way of delivering malware but the process usually starts with some sort of social engineering, of which email attachments are probably the most common. I kept a couple of examples I got recently which were coded directly in JavaScript and the attachments were .js files. They were fairly well done and most of the information in them that would be useful was encrypted and the bulk of the code consisted of math functions with keys to decrypt the real functions, which are more than likely some sort of exploit and links to wherever the real payload will be downloaded.

    Exploits are certainly not the only way of delivering malware and it is much easier to trick someone into installing it than using messy exploits which can fail quite often in many ways. Most of the infected systems I've seen have been infected by the user installing the malware, mostly in the form of PUPs.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    The best and most accurate response imho. You could be running a browser that hasn't been updated in over a year, but you're still far more likely to incur infection via social engineering as opposed to a vulnerability being exploited in the browser.
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    An exploit, just like any automatic malware, works in a predetermined way; once you stop it at any time (like blocking scripting), it will fail to do its job.
    Like: Exploit - a user visits an infected webpage, exploit downloads itself to temp, runs via script, creates startup entry, runs exe after restart, etc.
    My browser is Chrome based as well and it is usually about 3 months behind, but I trust in my security setup, so it is worth using a better browser.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Perhaps the specific focus on browsers is a bit misguided, and should rather be directed at plugins instead? BTW, I endeavor to keep everything up to date, browser included, but I'd still be more concerned about outdated plugins than an outdated browser. Flash always seems to have a large bulls eye painted on itself.

    -https://www.recordedfuture.com/top-vulnerabilities-2015/
     
  23. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Chromium is under a BSD licence; Comodo are under no obligation to release sources to any changes they make and distribute in their browser.
    Do you know for a fact that Comodo are more vulnerable for lagging versions?
    The whole premise of this thread is based on speculation that Comodo does not make any significant changes to Chromium releases, but no-one so far has offered any evidence to back up the claims of the OP (a similar pattern I see on a LOT of threads in Wilders).
     
    Last edited: Dec 30, 2015
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    The premise of this thread, as the title clearly states, is about browsers in general and not specifically Comodo Dragon.
     
  25. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    These other browsers may focus on only applying the patches they need to keep the user safe rather than adding more and more features.
    I was listening to a podcast from Sophos recently about the fact that quite a lot of products recently have a rolling release of both new features and security fixes. It feels more like a gamble these days: to get the security fixes you could also get issues introduced with the new features.
     