Firefox and Chromium - Security Weaknesses Compared

[HarborFront]

Found this article comparing the security weaknesses of FF to Chromium. Hopefully it's still valid

Firefox is sometimes recommended as a supposedly more secure browser because of its parent company's privacy practices. This article explains why this notion is not true and enumerates a number of security weaknesses in Firefox's security model when compared to Chromium. In particular, it covers the less granular process model, weaker sandboxing and lack of modern exploit mitigations. It is important to decouple privacy from security — this article does not attempt to compare the privacy practices of each browser but rather their resistance to exploitation.

Section 1 explains the weaker process model and sandboxing architecture. Section 2 examines and compares a number of important exploit mitigations. Section 3 discusses some miscellaneous topics. Finally, section 4 provides links to what other security researchers have said about this topic.

Contents​

1. Sandboxing
2. Exploit Mitigations
3. Miscellaneous
4. Other Security Researchers' Views on Firefox

Read the whole article here

Firefox and Chromium | Madaidan's Insecurities

 

[WhiteMouse]

There're some improvements since the last time the article updated but the maintainer abandoned it.

Firefox improvements · Issue #64 · madaidans-insecurities/madaidans-insecurities.github.io

The central thesis of the Firefox versus Chromium article still stands, but some details have changed to narrow the gap between the two. The most significant one: Mozilla has been working on a "uti...

github.com

 

[ForgottenSeer 97327]

@HarborFront, thanks did not know about CIG being optional for network service, added thanks

Spoiler: Edge policy settings in registry

 

[silversurfer]

Firefox and Chromium | Madaidan's Insecurities

Honestly, it's well-known since years that Chromium-based browsers are more secure but since the last two years the difference to Firefoy became far smaller

One thing must be mentioned about this blog Madaidan's Insecurities, the author being rather something like "die-hard" user of Chromium browser technology, so there will be never really objective facts about Firefox. The author either ignored or just forgot to add improvements of Firefox. Here are a few links from Mozilla:

Implications of Rewriting a Browser Component in Rust – Mozilla Hacks - the Web developer blog

Since our first release in 2002, there have been 69 security bugs in Firefox’s style component. If we'd had a time machine and could have written this component in Rust from the start, 51% wouldn't have happened. That said, Rust is not foolproof. Developers still need to be aware of correctness...

hacks.mozilla.org

Securing Firefox with WebAssembly – Mozilla Hacks - the Web developer blog

Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission. While we continue to make extensive use of both sandboxing and Rust in Firefox to address ...

hacks.mozilla.org

WebAssembly and Back Again: Fine-Grained Sandboxing in Firefox 95 – Mozilla Hacks - the Web developer blog

In Firefox 95, we're shipping a sandboxing technology called RLBox — developed with researchers at UC San Diego and the University of Texas

hacks.mozilla.org

Introducing Firefox’s new Site Isolation Security Architecture – Mozilla Hacks - the Web developer blog

With Site Isolation enabled on Firefox for Desktop, Mozilla takes its security guarantees to the next level.

hacks.mozilla.org

Improved Process Isolation in Firefox 100 – Mozilla Hacks - the Web developer blog

Firefox uses a multi-process model for additional security and stability while browsing. Web Content is rendered in separate processes.

hacks.mozilla.org

 

[ForgottenSeer 97327]

@silversurfer

Big advantage RUST has over C and C++ is that it has memory safety (so when you define a table with for instance 10 rows, you can't access the 11th row in Rust). So in terms of exploit protection, the author should have taken into account, I thought that 20 percent of the (low level) system code is written in Rust, but I also thought that most of the the Rust team were fired in the large round layoffs of 2020.

Firefox was regaining some of the backlog it had in terms of security until Microsoft decided to base Edge on Chromium and started to implement 'old-Edge' security mechanisms into Chromium. So despite Mozilla publishing all sorts of positive articles on how they gain back security momentum, I am afraid they lost half of what they regained since Microsoft added its development manpower to Chromium.

 

[Arequire]

Firefox being less secure in theory doesn't equate to it being less secure in practice. The article's fearmongering.

 

[Freki123]

With that headline I would also expect an comparison of the reported zerodays for both browser from the author of that article.

 

[ForgottenSeer 97327]

To put it in perspective, when you update your software the chance of being victim of browser zero day with browser A is 0,00000000000000000000000000000001299 versus 0,00000000000000000000000000000001095 with browser B. When I step in my car I have a bigger chance of getting an accident

 

[upnorth]

With Firefox 110, users can block third-party DLLs from being loaded into Firefox. This can be done on the about:third-party page, which already lists all loaded third-party modules. The about:third-party page also shows which third-party DLLs have been involved in previous Firefox crashes; along with the name of the publisher of the DLL, hopefully this will let users make an informed decision about whether or not to block a DLL.

If blocking a DLL causes a problem, launching Firefox in Troubleshoot Mode will disable all third-party DLL blocking for that run of Firefox, and DLLs can be blocked or unblocked on the about:third-party page as usual.

Letting users block injected third-party DLLs in Firefox – Mozilla Hacks - the Web developer blog

Users can now block poorly behaving third-party DLLs in Firefox to improve stability and performance.

hacks.mozilla.org

 

[silversurfer]

@silversurfer

Big advantage RUST has over C and C++ is that it has memory safety (so when you define a table with for instance 10 rows, you can't access the 11th row in Rust). So in terms of exploit protection, the author should have taken into account, I thought that 20 percent of the (low level) system code is written in Rust, but I also thought that most of the the Rust team were fired in the large round layoffs of 2020.

Firefox was regaining some of the backlog it had in terms of security until Microsoft decided to base Edge on Chromium and started to implement 'old-Edge' security mechanisms into Chromium. So despite Mozilla publishing all sorts of positive articles on how they gain back security momentum, I am afraid they lost half of what they regained since Microsoft added its development manpower to Chromium.

Well, I partially agree, Mozilla probably will be never getting the better security momentum, the market share difference is one reason, so Firefox will stay as 3rd at best in browser ranking (Chrome 1st, Edge 2nd). Another reason as you mentioned, Google and Microsoft both has a lot of more workers for development and that is their big advantage. The question is how many people are working on development of Firefox about that we can just guess...

From my point of view, all links from Mozilla what are added by me in my first post #4 these articles aren't meant as that Firefox would provide higher level of security compared to Chrome/Chromium based browsers, that would be a false interpretation, just facts what Mozilla has been implemented to improve step by step the security of Firefox.
About the difference between official articles from Mozilla or this one blog post from Madaidan's Insecurities, people have either to trust the one or the other, it's simple like that

 

[ScandinavianFish]

Its honestly like saying Mac or Linux are more secure than Windows. Windows litterally make up 85% of the market shares, so of course it will be more targeted and thus seem less secure.

 

[WhiteMouse]

The number 3 point is false. Rust has already supported Control Flow Integrity since 1.49. And by the time he updated the article in March 2022, Rust is already at version 1.60 (I think?).

@Max90 I think there's only 2 things that Microsoft added on top of Chromium: AppContainer and MDAG. The second is more useful to me, everytime I use MDAG I feel like God, I can do whatever I want without getting infected.

 

[Trident]

With that headline I would also expect an comparison of the reported zerodays for both browser from the author of that article.

Same, the article instead focuses on sandboxing and other Chrome security features, many of which we’ve been reading about since 2008-2009. It’s like the Apple vs Windows comparisons that go like “Oh yeah, Apple has GateKeeper but then Microsoft has SmartScreen, Apple designs both the software and hardware so this gives them an advantage” and all these facts we’ve known for long. Nothing useful to learn.

Lately there has been an increase in the number of Chrome exploits. The Chromium engine is very widely deployed and as such is extremely targeted. These exploits are normally short lived and quite expensive. Still though, the number of CVEs reported in Firefox is double the number of that in Chrome.

Google Chrome : Security vulnerabilities, CVEs Code Execution

Security vulnerabilities of Google Chrome : List of vulnerabilities affecting any version of this product vulnerabilities leading to a code execution

www.cvedetails.com

Mozilla Firefox : Security vulnerabilities, CVEs

Security vulnerabilities of Mozilla Firefox : List of vulnerabilities affecting any version of this product

www.cvedetails.com

 

[Zappathustra]

I've never seen Firefox being recommended as more secure than Chromium - actually, it's not.

Firefox is more private - this one of the reasons why it remains my daily driver for years.

 

[Azure]

Well, that was an interesting info that was referenced on the Tor browser

Using Tor Browser as your primary browser is a bad idea because it's way behind ... | Hacker News

news.ycombinator.com