Deprecated Google announced to remove Theora video codec support from Chromium

nicolaasjan

Chrome will deprecate and remove support for the Theora video codec in desktop Chrome due to emerging security risks. Theora's low (and now often incorrect) usage no longer justifies support for most users.

Notes:
- Zero day attacks against media codecs have spiked.
- Usage has fallen below measurable levels in UKM.
- The sites we manually inspected before levels dropped off were incorrectly preferring Theora over more modern codecs like VP9.
- It's never been supported by Safari or Chrome on Android.
- An ogv.js polyfill exists for the sites that still need Theora support.
- We are not removing support for ogg containers.

Our plan is to begin escalating experiments turning down Theora support in M120. During this time users can reactivate Theora support via chrome://flags/#theora-video-codec if needed.

The tentative timeline for this is (assuming everything goes smoothly):
- ~Oct 23, 2023: begin 50/50 canary dev experiments.
- ~Nov 1-6, 2023: begin 50/50 beta experiments.
- ~Dec 6, 2023: begin 1% stable experiments.
- ~Jan 8, 2024: begin 50% stable experiments.
- ~Jan 16th, 2024: launch at 100%.
- ~Feb 2024: remove code and chrome://flag in M123.
- ~Mar 2024: Chrome 123 will roll to stable.

Of course Mozilla will follow...

The codec is still used on e.g. older Wikipedia pages (example).


Discussion.
Note that WMF already has webm/VP9 support for all videos (and soon mp4/VP9 hls), so we don't depend on Theora (and haven't for a while already). Having said that, native support is useful for direct playback of the original uploads, which I guess will then require people to download VLC media player to do so. It is sad and a bit disappointing that even something like Chrome is not able to maintain multiple codecs. Just thinking about how much 'original' material in the Internet Archive and Wikimedia Commons is stored in this format, and the amount of training and demo sites that likely still use it.
 

CyberTech

The Theora video compression codec is finally being put out to pasture as Google pulls it from Chrome and Mozilla mulls the same for Firefox.

It's been a while coming. Theora first showed up nearly 20 years ago, but more than a decade has passed since any serious development was done. In light of an increasingly challenging security environment, browser makers are always considering where the next hole might be lurking.

It was only in September that Google and Mozilla had to rush out fixes for a webp vulnerability. With few updates over the years, Theora's codebase could pose various risks from potential malware exploits.

According to the Chrome platform development team: "A spike in zero day attacks against media formats has caused us to reevaluate our support for legacy codecs."

The other factor is the codec's low usage. Google noted it had fallen below measurable levels, certainly when compared to more modern codecs, such as VP9. Support for the Ogg container format, also maintained by the Xiph.org foundation, is not being removed.

The rest
 
