Security? (Chromium versus Firefox)

Ditto. In an MS Windows scenario paired with a decent AV and Sandboxie, the security differences between FF and Chromium are illusory and arguably a mere matter of preference.

 

Here's a comparison between the Firefox and Chromium sandboxes:
https://madaidans-insecurities.github.io/firefox-chromium.html

At least for Fedora, Chromium in the repos doesn't get updated fast and they sometimes skip minor updates as well, even if those contain security fixes. And I don't want to use Google Chrome. Ungoogled Chromium used to be a nice choice, but they dropped support for repo installed versions for most distributions.

 

march 22, 2022 is concerning firefox rather old. so some facts in that article are no longer valid.
- firefox has site isolation, also cookie boxing (like chrome)
- firefox has integrity level "low" and also "untrusted", mother process "medium". while chromium has few "high", most untrusted and some low.
- firefox has win32k isolation
- firefox has gpu sandboxie, like chrome

that article is overall not true.

 

I knew about that. It requires using keyboard to open the menu, plus double-clicks to drill down through it. Chromium has an extension that gives a bookmark menu as a mouse click-spot, with single-clicks to drill down. MUCH faster & no keyboarding for an action that I must do very frequently.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This thread compares security of Firefox (FF) versus Chromium (Ch) whereas you are comparing FF vs Ch vs {Any FW + Sandboxie +AV}.

Most everyday users have "a decent AV" but not so many use Sandboxie. Thus your comparison is apples to wheelbarrows.

Furthermore, your comment is OS-specific to Windows whereas this thread applies to any & all OS where FF & Ch both are available.

Furthermore, your statement, "security differences between FF and Chromium are illusory" provides no support whatsoever for your assertion. Others have offered supporting links and fact-based information. Much more helpful, those.

 

I agree. That article is not wrong everywhere but pleases itself in exaggerating and creating click-baits. And it is, at least partially, out-of-date. Like you said, the win32k isolation mentioned in 1.2. is available, and the X11 sandbox escape mentioned in 1.3.1 is also fixed.

Mentioning open bugs in site isolation is not particularly helpful as that doesn't tell anything how critical these bugs are. There are certainly open (security) bugs in Chrome as well. Similarly, comparing which syscalls are blocked doesn't tell the whole truth. That article doesn't mention at all the RLBox sandbox and the Rust portion in the Firefox code, not to mention the fact that the "recommended" add-ons in Firefox are much safer than the ones in Chrome where a lot of malicious add-ons have been detected in the past years.

Let's face it: The number of CVEs in Firefox has been consistently and considerably lower than the one for Chrome in the past years, so one could question if security in Chrome is really that much better. Some people say: That's not surprising as the market share of Chrome is much higher making that browser a more interesting target. That's possible. Another explanation could be that some security mechanisms in Firefox, like the rendering engine completely written in Rust, make whole classes of attacks void.

 

Yes the article is outdated, I did not mention that since the date is clearly stated at the top.
It also sounds somewhat exaggerated, but it does give insight into the sandbox differences. Chrome(ium) has the advantage of being a relatively new browser and being designed with multiprocess from the start. That leaves Firefox with a lot of catchup to do. Site isolation for example arrived in Firefox 3,5 years later than in Chrome. I'm glad that Firefox is improving, I use both and am not favored to one of them.
Also note that while Firefox is playing catch-up, Chrome is likely not sitting still either, so the maybe they keep staying ahead regarding sandboxing.

It does mention this at section 3.

 

This is from Mandiant's latest report on zero days being exploited in 2022. I haven't read it all yet, but they do come to the conclusion that more popular software are not surprisingly more often being exploited, but it's not clear to me yet how many zero days were found in for example Firefox and Chrome.

https://www.mandiant.com/resources/blog/zero-days-exploited-2022

 

@Rasheed187 -- Very VERY interesting article. Thank you to the nth for linking it.

 

Firefox for the win! I've got mine hardened with a custom user.js

Compare broswers:
https://privacytests.org/

Arkenfox custom user.js to harden Firefox:
https://github.com/arkenfox/user.js
https://github.com/arkenfox/user.js/blob/master/user.js
https://github.com/arkenfox/user.js/wiki

Narsil custom user.js for ultimate hardening (I use this one):
https://git.nixnet.services/Narsil/desktop_user.js
https://git.nixnet.services/Narsil/desktop_user.js/src/branch/master/user.js

My addons:
CanvasBlocker
Skip Redirect
Smart Referer
uBlock Origin (add 'Actually Legitimate URL Shortener Tool' filter list)

DNS:
Control D
https://controld.com/free-dns?

 

Yes no problem, perhaps it deserves its own topic. But where this article lacked is that they didn't mention how many zero days were found in Chrome and Firefox, they only mentioned how many of them were actively being exploited, so you can't draw any conclusions which of these browsers are more vulnerable. Same goes for Windows vs macOS, the latter was being exploited less, but it's probably because it has a marketshare of only 10%, know what I mean?

 

Also make sure to check out this new feature in Firefox, quite cool that you can now block third party DLL injection. This should be able to interere with malware trying to hijack the browser, I don't believe that Chrome/Chromium has such a feature:

https://www.wilderssecurity.com/threads/mozilla-firefox.388154/page-37#post-3139606

 

https://www.ghacks.net/2017/12/01/google-to-block-third-party-code-injections-in-chrome/

 

Yes, true. On the other hand, these figures correspond with the CVE numbers mentioned here. In the past years since implementing their new architecture and the rendering engine written in Rust, the Firefox CVE numbers are consistently lower than the ones for Chrome.

 

LOL, my bad, so this is nothing new. Also, I've done some reading about how Chrome and Firefox can block DLL injection, and it's NOT done in realtime and won't help against more advanced DLL injection techniques. So it's not THAT impressive on second thought, because it most likely won't block malware, at least not in realtime, like behavior blockers do.

 

Yes good point, I must have missed your earlier post. But I'm not sure how I should interpret this info, what are the most serious bugs? In the last 4 years, Firefox had 16 code execution bugs, I suppose these are the ones that could be exploited when combined with a Windows OS privilege escalation bug. And Chrome had 32 code execution bugs, but zero in the last few years, so that can't be right. I'm guessing overflow and memory corruption bugs are also used to exploit browsers, so here an overview:

Firefox (2019 till 2022):

Code execution: 16
Overflow: 40
Memory Corruption: 120

Chrome (2019 till 2022):

Code execution: 32
Overflow: 115
Memory Corruption: 125

 

Interesting, running Flatpak ungoogled-chromium Version 112.0.5615.49 (64-bit) on Linux MX-21, entering chrome://sandbox:


Nice