![]() ![]() The thing is, we don't actually care about the whole OS, we care about the bits that interact with untrusted remote data, i.e. The OS still interacts with the OS far too much for static linking to make much of a difference. > The browser is a bloated beast that incorporates and reimplements so much of the OS. ![]() However, this would be considered a Chromium zero day.Ī zero-day which is non-exploitable in Windows 11 might be exploitable in Windows XP-this is what you loose by forgoing defense in depth-but it would be fixed in due time regardless. blit pixels on the screen-as does VMWare, which was the point of that comparison-and you could attack the OS via the pixel blitting function. Regardless, it's true that at some point Chromium will need to tell the OS to e.g. On Linux, you could decide to statically link everything and create a binary which literally doesn't touch userland-but I don't know if it's possible to go this far on Windows. For example, Chromium literally doesn't use the Windows SSL stack-it brings its own-so any and all SSL vulnerabilities on the Windows side are irrelevant. In the case of modern software designed for Windows XP, I absolutely consider static linking to be a very significant security measure, because every statically linked library decreases the amount of vulnerable userland code in use. Static linking is not typically a security measure because you would assume the host system's libraries are equally if not more up to date. ie this is safe enough for anything not important. But for most people this would appeal to, that isn't a risk worth accounting for. In the case of the latter, if your threat model includes targetted attacks then this browser on an older OS would clearly be the wrong choice. In the case of the former, most (nobody said "all") of the security concerns are sandboxed by the browser. It's literally just a HTTP header and there are numerous browser plugins that support doing just this.Īs I commented in another reply, we need to be clear about attack surface and threat model. ![]() > Heck, this Browser may even send a user agent that actually says it's some old windows that is no longer supported, lol. Maybe DNS? But the Browser can easily bypass the hosts DNS resolver so this is a solvable problem.īeyond that, the browser manages the rest. Have you got an CVEs to back that claim up? How does it? A buffer overflow in the TCP/IP stack? Maybe. > But assuming the Browser is secure, the browser communicates to the internet "hey here is an IP" that fact alone is a security risk as the attack may come directly to the OS not the browser. If you're so much wiser than the rest of us, then please do share these techniques that we've all missed. I don't recall seeing you comment on any techniques. > It's funny how you just mention some 20-year-old technique that even grandma knows about. Which part of the "OS" are you concerned about? Please be specific. > The OS accesses the internet, not the browser So the risk is now "just" code you import and run. The claim was it eliminates a chunk of risk (ie someone connecting to you from outside). > NOPE, some "firewall" in a consumer router does not suddenly make a 20+ year old OS secure. I get this is a topic you're passionate about but you're making a number of false assumptions. Take a moment to think about this please. It's not zero, no, but to say there's no use case and it's the same as running around in scissors blindfolded is a huge simplification. The likelihood of either Google or whatever very focused and targeted website I happen to visit to be serving XP malware is negligible.Īnd if it does get infected, congrats, you infected a VM with no connection to the host or shared folders that has no personal files and is powered up maybe 30 minutes per year. It's handy to have a modern browser at hand to not have to shuffle files around between the host and the VM, so you can do Google -> website of the tool in question (plus uBlock, so the main source of infection, ad networks, is taken care of). Anything more recent than XPis too heavy for x86 VM emulation on ARM and Win 10/11 ARM come with their own quirks that are not worth dealing with for my purposes. Old random utilities, random OEM software required to upgrade old devices' firmware, silly Win16 apps, the works. I use a XP VM on a ARM Mac as it's a handy way to run most Win16/32 exes that won't run properly in Wine. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |