Cross reference (very)
I think somebody was bleating about Open Source security failures recently.
If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers. Details are intentionally scant until enough of …
I wonder if Google'w bureaucratically minded approach was already being used for the browser's updates...
If so, I'll LAUGH EVEN HARDER!
maybe they'll bother to fix another memory bug I've observed (and others online have been reporting for YEARS), where [under certain conditions] if you leave a page open that frequently "phones home" and does a periodic query across the network (let's say updating status text, like a weather monitor), that in a particular use case the memory footprint will slowly increase until something crashes. It's been like this, since, forever I think.
A very insightful comment. Although the real operating system should simply manage the memory and stack getmains, and terminate the task when it exceeds some threshold. A three line recursive function should not crash the system! However bad players are now doing exactly that, repeating for each keyword/function that drive under-the-cover privileged connections.
Calling OS security as fast as you can, recursively is an excellent test. One dumb govt entity decided 'forms' was the way to go, with each field needing a call to see whether or not to display that field! The 1 minute response times to display that form .. classic.
You allude that when a network connection breaks or server not responding orphaning memory or token passes, or some variant of sticky not-quite-a-cookie. I can tell you IBM MVS solved this by having doubly linked lists, and checking counters for each push/pop, and tracking total memory use by pools - that also generated warnings. That was 45 years ago or longer.
Going forward Google needs to spend time on memory housekeeping, because programmers seem to only look at adding cruft, without the big picture. IBM created about 10 different ways to cancel a task, and several ways to FORCE terminate things with prejudice. And sometimes free Whiskey for reporting extremely rare one byte memory leaks to system programmers.
There are more than 2 browser engines. So its not just Firefox users that can benefit from not being based on the Chromium based browser.
The biggest none Chromium based browser is Safari which comes as the default browser on every Apple device so has millions of active users.
I use Linux though so its not available on that platform, but I could install Konqueror and set it to use webkit engine
By the same token, we can fix all those browsers with one patch imported to them all, and we have however-many-more independent eyes looking at the code for problems.
The second you use a shared library, you have a "mono-culture" as you say.
The problem with IE was not the mono-culture... in fact the problem with IE was almost the opposite. No other browser used IE as its base, nobody was able to review the code, and yet it was often used as the default underlying things like basic web protocol association in local software / help files showing just plain HTML files.
The BIGGER problem with IE is that it had no reasonable permissions layer or restrictions and almost anything could shove an ActiveX control of its choice in your face with full user permissions. Software used to use it, websites used to use it, and malware used to use it. A security layer problem that was basically never properly solved until they actually removed IE / ActiveX itself.
Chrome doesn't have that - the browser DOM is pretty much locked down and even where you choose to do stupid things, you have to jump through hoops and the layering and the permission control is so much better than ActiveX ever had. Nowhere near perfect but so long as you don't install stuff that needs "to read all your websites" (a permission that never should have existed and is being phased out), the browser DOM contains things pretty damn well. It's almost a virtual machine.
If you want a demo, program something in Emscripten which converts to Webassembly or asmjs. You'll find that you can't access local files, you can't send arbitrary packets, you can't get into the user's machine and you can't do quite a lot of stuff. But you have functionality enough to write an online, multiplayer, 3D-accelerated game with sound and mouse/keyboard control. Just nothing that allows you to do anything you DON'T need to do, and nothing that the user can't just close the tab to get rid of.
"No other browser used IE as its base, "
IE was the base.
Yes Netscape Navigator was around, but due to the shady dealings by MS it got shunted to the side. Hence the lawsuit in 2001 which found that MS hindered users and OEMs from uninstalling IE as part of their attempts to maintain their monopoly in the OS market.
Basically you used IE or found websites behaving in odd and unpredictable ways along with warnings like; "Best viewed using Internet Explorer."
I was around then.
I started on Netscape, if you don't count DOS-based gopher-ing. Then Opera, probably, then Firefox, then Chrome and Chrome-based browsers.
I have never used IE in my life outside of literally stupendous banking websites that required it to plug in their own ActiveX for a card-reader in ridiculous ways "for security" as part of my work on finance systems. Otherwise, I've never loaded it in my life, except accidentally.
There wasn't a point at which IE was necessary for day-to-day browsing (My Amazon account is 20 years old this year, I think) except on tiny niche sites that deliberately made that decision, but my point was really that nobody ever made an "IE-clone" that used IE underneath it, like people use Chromium to make other browsers now.
I went to look at the bug page, but gave up.
Showed FA (as I have most JS off, just a few things whitelisted).
Thought, I'll give it benefit of the doubt, but cautiously enabling one thing led to whole cascade chains of other script s needed to view the page, so I gave up.
.. I only wanted to find out if browsing with JS off protected you from the bug, but a bit of a catch-22 to find out
Why can't Goolge step up to the plate? I understand it can feed user pre-selected false bogus garbage to the mothership.
Nah, maybe not for google who do not want to give end users actual security granularity, or deny tracking.
So far, not a single app that will scramble secretive backchannel data exfiltrations. Nice to know botnets are now using this for C&C, as it gets past filtering.
I'm generally loving Firefox developer edition although it can be a bit of a resource hog (which isn't really any different from Chrome TBH).
I was really chuffed to discover 'about: memory' the other day, which not only can give you a very detailed analysis of RAM usage but also has a button to minimise memory usage that actually seems to work.
blocking script is the only way to be "safe". Unfortunately a lot of sites break when you do this. Although I can avoid them 99% of the time, I still have a "special login" that runs without noscript, for those times when I have to cave to their nonsense.
Hint to El Reg: Script is why ads should be showing up on my browser, but they don't. You could fix that, and ALSO show the world that you do NOT need script in ads. Win-Win
Script is why ads should be showing up on my browser, but they don't.
I fear that might be an ad blocker or an extension or something else, as most of our ad fragments contain a "noscript" tag which ought to deliver image-based ads to users with JS disabled.
Some extensions break that scenario as while they do block scripts from being executed, they don't seem to also properly allow "noscript" tags to be executed :/
If you want to block all JS, you can configure your browser to do just that. Noscript is something else, and it's much harder for us to work around (and show ads to people who want to keep JS "disabled" but would still be fine seeing ads).
Well, at least Eich apologized for the lax security standards in JS when he got raked over the coals about it on HackerNews and there actually are certain functions in the language that he would not add if he could go back and redo it. Unfortunately too much has been built on it and we're all royally shafted by every bad actor and advertising nitwit as a result.
Biting the hand that feeds IT © 1998–2021