
Google Publishes Exploit Code Threatening Millions of Chromium Users

Author: BeauHD
2026-05-21 07:00

🤖 AI Summary

Google has published exploit code for an unpatched vulnerability in the Chromium browser code base, putting at risk the millions of people who use Chrome, Microsoft Edge and other Chromium-based browsers.

The exploit abuses a programming interface called "Browser Fetch", which lets large files such as long videos be downloaded in the background. An attacker can use it to create a connection that monitors some of the user's browser activity, to use the browser as a proxy for viewing sites, and to launch DDoS attacks.

The vulnerability was known only to Chromium developers for 29 months, until Google published it on the Chromium bug tracker on Wednesday. The exploit uses the "Browser Fetch" API to open a service worker that is either resumed or stays open even after the browser restarts.

The vulnerability was rated S1. The independent researcher Lyra Rebane reported it to Google in late 2022, and some of the developers acknowledged it as a "serious vulnerability". The post has since been removed, but it and the exploit code remain available on archive sites.

Google has not responded to questions about the disclosure or about when a fix will be available.
An anonymous reader quotes a report from Ars Technica: Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted. The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visit malicious sites, provide anonymous proxy browsing by others, enable proxied DDoS attacks, and monitor user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices. "The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out," said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022, in an interview. He said using the exploit code Google prematurely published would be "pretty easy," although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane's disclosure to Google, two developers said in separate responses that it was a "serious vulnerability." 
Its severity was rated S1, the second-highest classification. Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, he learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code. Google representatives didn't immediately respond to an email asking how and why it published the vulnerability and if or when a fix would become available. The exploit works by abusing Chromium's Browser Fetch API to open a service worker that remains persistently active. A malicious website can trigger it through JavaScript, creating a connection that can be used "for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks," reports Ars. Depending on the browser, those connections "either reopen or remain open even after it or the device running it has rebooted," effectively turning the device into part of a "limited botnet."
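The story describes the persistence primitive (a service worker plus a background download job that outlives the browser session) but not how to check a site for one. The following is an added example, written for this page and not code from Ars, Rebane or the Chromium project. It assumes that the "Browser Fetch" interface the article refers to is what the web platform calls the Background Fetch API (the one that downloads large files in the background and continues after the browser is closed); that identification, the `example.com` scopes and the names `decideAction`, `summarise` and `auditServiceWorkers` are all assumptions for illustration. The decision logic is kept pure so it can be exercised with constructed registration records; the browser-only driver at the bottom runs from the DevTools console on the origin under inspection.

```javascript
// Added example: audit the current origin's service worker registrations and
// any Background Fetch jobs they own, then decide which to tear down.
// Assumption: the article's "Browser Fetch" is the Background Fetch API
// (ServiceWorkerRegistration.backgroundFetch); scopes and names are made up.

// Decide what to do with one registration record {scope, fetchIds}:
//  - a scope under `allowedScopes` is trusted: keep the worker and its jobs
//  - anything else: abort every background fetch it owns and unregister it
function decideAction(record, allowedScopes) {
  const trusted = allowedScopes.some((s) => record.scope.startsWith(s));
  if (trusted) return { scope: record.scope, abortIds: [], unregister: false };
  return { scope: record.scope, abortIds: [...record.fetchIds], unregister: true };
}

// Roll a list of decisions up into counts for a report.
function summarise(decisions) {
  return decisions.reduce(
    (acc, d) => ({
      registrations: acc.registrations + 1,
      unregister: acc.unregister + (d.unregister ? 1 : 0),
      abortedFetches: acc.abortedFetches + d.abortIds.length,
    }),
    { registrations: 0, unregister: 0, abortedFetches: 0 }
  );
}

// Browser-only driver. getRegistrations() is scoped to the current origin,
// so this audits one site at a time; dryRun=true only reports.
async function auditServiceWorkers(allowedScopes, { dryRun = true } = {}) {
  const regs = await navigator.serviceWorker.getRegistrations();
  const records = [];
  for (const reg of regs) {
    // backgroundFetch is absent in browsers without the Background Fetch API.
    const ids = reg.backgroundFetch ? await reg.backgroundFetch.getIds() : [];
    records.push({ reg, scope: reg.scope, fetchIds: ids });
  }
  const decisions = records.map((r) => decideAction(r, allowedScopes));
  if (!dryRun) {
    for (let i = 0; i < records.length; i++) {
      const { reg } = records[i];
      for (const id of decisions[i].abortIds) {
        const job = await reg.backgroundFetch.get(id); // undefined if already gone
        if (job) await job.abort();
      }
      if (decisions[i].unregister) await reg.unregister();
    }
  }
  return { decisions, summary: summarise(decisions) };
}

// In a page: report only. Pass { dryRun: false } to actually tear things down.
if (typeof navigator !== "undefined" && navigator.serviceWorker) {
  auditServiceWorkers(["https://example.com/app/"]).then((r) => console.table(r.decisions));
}
```

The allowlist is deliberately strict: on an origin you do not recognise, every registration and every background job is torn down, because an attacker-controlled site has no legitimate reason to hold one. Since `getRegistrations()` only sees the current origin, cleaning a whole profile still means clearing site data rather than running this per site.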

Read more of this story at Slashdot.

Brave Browser Introduces 'Origin', a Pay-Once 'Minimalist' Browser

Author: EditorDavid
2026-04-20 13:34

🤖 AI Summary

Title: "Brave browser introduces 'Origin', a pay-once minimalist version"

Brave has introduced "Brave Origin", a lighter version of the browser with the advertising-revenue features such as Rewards removed. It can be applied as an upgrade to an existing Brave install, and a single payment unlocks it on multiple devices.

The model is unusual. Nobody objects to paying to support a browser as such, but paying to have features removed raises questions. On Linux in particular it is offered free of charge, which creates an imbalance between platforms.

Summary:
1. Brave has introduced a new lightweight browser, "Origin".
2. Usable on multiple devices without restriction; a single payment is required.
3. The Linux version is free, so pricing differs between platforms.
4. Paying to have features removed is questionable.

[Reference link]: https://slashdot.org/story/26/04/20/0423212/brave-browser-introduces-origin-a-pay-once-minimalist-browser?utm_source=rss1.0mainlinkanon&utm_medium=feed
The Brave browser "has introduced Brave Origin, a stripped-down version of its browser that removes built-in monetization features like Rewards and other extras tied to its business model," writes Slashdot reader BrianFagioli: "The stripped-down browser is available either as a separate browser download or as an upgrade to the existing Brave install, unlocked through a one-time purchase that can be activated across multiple devices. The idea is simple on paper: pay once, and you get a cleaner, more minimal browsing experience without the add-ons that fund Brave's ecosystem. What makes the move unusual is the pricing model itself. While paying to support a browser is not controversial, charging users specifically to remove features raises questions about whether those additions are seen as value or clutter. The situation gets even stranger on Linux, where Brave Origin is reportedly available at no cost, creating an uneven experience across platforms and leaving some users wondering why they are being asked to pay for something others get for free."


JPEG-XL Image Support Returns To Latest Chrome/Chromium Code

Author: BeauHD
2026-01-14 07:40
After widespread backlash over its 2022 decision to remove JPEG-XL support, Google has quietly restored the image format in the latest Chrome/Chromium codebase. Phoronix reports: Back in December they merged jxl-rs as a pure Rust-based JPEG-XL image decoder from the official libjxl organization. At the end of December they did more JPEG-XL plumbing with the enums and build flags for the support. Now as of yesterday they wired up the JXL decoder! The jxl-rs-powered JPEG-XL image decoding is gated by the enable_jxl_decoder build flag but it's enabled by default.


Unpatched Bug Can Crash Chromium-Based Browsers in Seconds

Author: msmash
2025-10-31 06:21
A critical security flaw in Chromium's Blink rendering engine can crash billions of browsers within seconds. Security researcher Jose Pino discovered the vulnerability and created a proof-of-concept exploit called Brash to demonstrate the bug affecting Chrome, Edge, OpenAI's ChatGPT Atlas, Brave, Vivaldi, Arc, Dia, Opera and Perplexity Comet. The flaw, reports The Register, exploits the absence of rate limiting on document.title API updates in Chromium versions 143.0.7483.0 and later. The attack injects millions of DOM mutations per second and saturates the main thread. When The Register tested the code on Edge, the browser crashed and the Windows machine locked up after about 30 seconds while consuming 18GB of RAM in one tab. Pino disclosed the bug to the Chromium security team on August 28 and followed up on August 30 but received no response. Google said it is looking into the issue.


Arc Browser's Maker Releases First Beta of Its New AI-Powered Browser 'Dia'

Author: EditorDavid
2025-06-15 03:34
Recently the Browser Company (the startup behind the Arc web browser) switched over to building a new AI-powered browser — and its beta has just been released, reports TechCrunch, "though you'll need an invite to try it out." The Chromium-based browser has a URL/search bar that also "acts as the interface for its in-built AI chatbot" which can "search the web for you, summarize files that you upload, and automatically switch between chat and search functions." The Browser Company's CEO Josh Miller has of late acknowledged how people have been using AI tools for all sorts of tasks, and Dia is a reflection of that. By giving users an AI interface within the browser itself, where a majority of work is done these days, the company is hoping to slide into the user flow and give people an easy way to use AI, cutting out the need to visit the sites for tools like ChatGPT, Perplexity, and Claude... Users can also ask questions about all the tabs they have open, and the bot can even write up a draft based on the contents of those tabs. To set your preferences, all you have to do is talk to the chatbot to customize its tone of voice, style of writing, and settings for coding. Via an opt-in feature called History, you can allow the browser to use seven days of your browsing history as context to answer queries. The Browser Company will give all existing Arc members access to the beta immediately, according to the article, "and existing Dia users will be able to send invites to other users." The article points out that Google is also adding AI-powered features to Chrome...


Tech Giants Form Chromium Browser Coalition

Author: msmash
2025-01-10 03:00
BrianFagioli writes: The Linux Foundation has announced the launch of 'Supporters of Chromium-Based Browsers,' an initiative aimed at funding and supporting open development within the Chromium ecosystem. The purpose of this effort is to provide resources and foster collaboration among developers, academia, and tech companies to drive the sustainability and innovation of Chromium projects. Major industry players, including Google, Meta, Microsoft, and Opera, have pledged their support.


Thorium: The Fastest Open Source Chromium-based Browser?

Author: EditorDavid
2024-04-01 08:34
"After taking a look at Floorp Browser, I was left wondering whether there was a Chromium-based web browser that was as good, or even better than Chrome," writes a "First Look" reviewer at It's Foss News. "That is when I came across Thorium, a web-browser that claims to be the 'the fastest browser on Earth'." [Thorium] is backed by a myriad of tweaks that include, compiler optimizations for SSE4.2, AVX, AES, various mods to CFLAGS, LDFLAGS, thinLTO flags, and more. The developer shares performance stats using popular benchmarking tools... I tested it using Speedometer 3.0 benchmark on Fedora 39 and compared it to Brave, and the scores were: Thorium: 19.2; Brave: 19.5 So, it may not be the "fastest" always, probably one of the fastest, that comes close to Brave or sometimes even beats it (depends on the version you tested it and your system). Alexander Frick, the lead developer, also insists on providing support for older operating systems such as Windows 7 so that its user base can use a capable modern browser without much fuss... As Thorium is a cross-platform web browser, you can find packages for a wide range of platforms such as Linux, Raspberry Pi, Windows, Android, macOS, and more. Thorium can sync to your Google account to import your bookmarks, extensions, and themes, according to the article. "Overall, I can confidently say that it is a web browser I could daily drive, if I were to ditch Chrome completely. It gels in quite well with the Google ecosystem and has a familiar user interface that doesn't get in the way."


Google To Allow Rust Code In the Chromium Browser

Author: BeauHD
2023-01-13 09:45
Google announced today that moving forward they will be allowing Rust code into the Chromium code-base, the open-source project that ultimately served as the basis for their Chrome web browser. Phoronix reports: Google is working to introduce a production Rust toolchain into their build system for Chromium and will be allowing Rust libraries for use within Chrome/Chromium. The timeframe for getting this all together is expected within the next year following a slow ramp. Google is backing Rust for Chromium to allow for simpler and safer code than "complex C++" overall, particularly around avoiding memory safety bugs. In turn using Rust should help speed-up development and improve overall security of the Chrome web browser. Initially they are focused on supporting interop in a single direction from C++ to Rust and for now will only be supporting third-party libraries for their Rust usage.


'The Arc Browser is the Chrome Replacement I've Been Waiting For'

Author: EditorDavid
2022-11-20 03:34
The Browser Company's Chromium-based Arc browser "isn't perfect, and it takes some getting used to," writes the Verge. "But it's full of big new ideas about how we should interact with the web — and it's right about most of them." Arc wants to be the web's operating system. So it built a bunch of tools that make it easier to control apps and content, turned tabs and bookmarks into something more like an app launcher, and built a few platform-wide apps of its own. The app is much more opinionated and much more complicated than your average browser with its row of same-y tabs at the top of the screen. Another way to think about it is that Arc treats the web the way TikTok treats video: not as a fixed thing for you to consume but as a set of endlessly remixable components for you to pull apart, play with, and use to create something of your own. Want something to look better or have an idea for what to do with it? Go for it. This is a fun moment in the web browser industry. After more than a decade of total Chrome dominance, users are looking elsewhere for more features, more privacy, and better UI. Vivaldi has some really clever features; SigmaOS is also betting on browsers as operating systems; Brave has smart ideas about privacy; even Edge and Firefox are getting better fast. But Arc is the biggest swing of them all: an attempt to not just improve the browser but reinvent it entirely.... Right now, Arc is only available for the Mac, but the company has said it's also working on Windows and mobile versions, both due next year. It's still in a waitlisted beta and is still very much a beta app, with some basic features missing, other features still in flux, and a few deeply annoying bugs. But Arc's big ideas are the right ones. I don't know if The Browser Company is poised to take on giants and win the next generation of the browser wars, but I'd bet that the future of browsers looks a lot like Arc.... In a way, Arc is more like ChromeOS than Chrome. 
It tries to expand the browser to become the only app you need because, in a world where all your apps are web apps and all your files are URLs, who really needs more than a browser? The article describes Arc as a power user tool with vertical sidebar combining bookmarks, tabs, and apps. (And sets of these can apparently be combined into different "spaces".) These are enhanced with a hefty set of keyboard shortcuts (including tab searching), along with built-in media controls for Twitch/Spotify/Google Meet (as well as a picture-in-picture mode). Arc even has a shareable, collaborative whiteboard app "Easel". And it also offers powerful features like the ability to rewrite how your browser displays any site's CSS. ("I have one that removes the Trending sidebar from Twitter and another that cleans up my Gmail page.")


Debian Replaces Google with DuckDuckGo as Chromium's Default Search Engine

Author: EditorDavid
2022-08-29 13:46
An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome. Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium. It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report. The reason for the change goes as stated in the official package update announcement. Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).


Otter Browser Aims To Bring Chromium To Decades-Old OS/2 Operating System

Author: BeauHD
2022-02-17 09:45
"The OS/2 community is getting close to obtaining a modern browser on their platform," writes Slashdot reader martiniturbide. In an announcement article on Monday, president of the OS/2 Voice community, Roderick Klein, revealed that a public beta of the new Chromium-based Otter Browser will arrive "in the last week of February or the first week of March." XDA Developers reports: OS/2 was the operating system developed jointly by IBM and Microsoft in the late 1980s and early 1990s, with the intended goal of replacing all DOS and Windows-based systems. However, Microsoft decided to focus on Windows after the immense popularity of Windows 3.0 and 3.1, leaving IBM to continue development on its own. IBM eventually stopped working on OS/2 in 2001, but two other companies licensed the operating system to continue where IBM left off -- first eComStation, and more recently, ArcaOS. BitWise Works GmbH and the Dutch OS/2 Voice foundation started work on Otter Browser in 2017, as it was becoming increasingly difficult to keep an updated version of Firefox available on OS/2 and ArcaOS. Firefox 49 ESR from 2016 is the latest version available, because that's around the time Mozilla started rewriting significant parts of Firefox with Rust code, and there's no Rust compiler for OS/2. Since then, the main focus has been porting Qt 5.0 to OS/2, which includes the QtWebEngine (based on Chromium). This effort also has the side effect of making more cross-platform ports possible in the future.


Microsoft Is Ending Support For the Old Non-Chromium Edge

Author: BeauHD
2021-03-11 10:25
Support for Microsoft's original Edge browser is ending today. Legacy Edge, as it is now called, will no longer receive security updates, and anyone still using it should start the process of switching to something else. The Verge reports: Legacy Edge was originally codenamed "Spartan" and was included with Windows 10 as the operating system's default web browser before it was officially named Edge. The Edge mantle is being taken up by Microsoft's Chromium-based browser, which was in beta throughout 2019 and officially launched in January 2020. This means Edge (the old Edge, that is) survived just over a year alongside its replacement. Microsoft also says Legacy Edge will automatically be removed by the April Windows 10 update, with the new Edge being installed in its stead.


Chromium Cleans Up Its Act -- and Daily DNS Root Server Queries Drop by 60 Billion

Author: msmash
2021-02-05 04:25
The Google-sponsored Chromium project has cleaned up its act, and the result is a marked decline in queries to DNS root servers. From a report: As The Register reported in August 2020, Chromium-based browsers generate a lot of DNS traffic as they try to determine if input into their omnibox is a domain name or a search query. Verisign engineers Matthew Thomas and Duane Wessels examined the resulting traffic and reached the conclusion that it accounted for up to 60 billion DNS queries every day. Wessels has since penned a new post that went unreported when it appeared on January 7 -- the day after the US Capitol riot -- but was today resurfaced by APNIC, the Regional Internet Registry for the Asia-Pacific region. In the post he says the Chromium team redesigned its code to stop junk DNS requests, and released the update in Chromium 87. The result? "Before the software release, the root server system saw peaks of ~143 billion queries per day," he wrote. "Traffic volumes have since decreased to ~84 billion queries a day. This represents more than a 41 per cent reduction of total query volume."
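A resolver or root operator reading this would want to know how much of their own NXDOMAIN load looks like those omnibox probes. The following is an added example and is not code from The Register, Verisign or APNIC. It assumes the probe shape that has been described for Chromium's intranet-redirect detector (a handful of random single-label names of 7 to 15 lowercase letters, which end up at the root because there is no search suffix to complete them), and it uses a constructed one-line-per-query log format (`<timestamp> <client> <qname> <qtype> <rcode>`) rather than any specific resolver's output; both are assumptions, as are the sample lines and the names `parseLine`, `looksLikeChromiumProbe` and `analyse`.

```javascript
// Added example: estimate the share of NXDOMAIN traffic that resembles
// Chromium's omnibox probes. Probe pattern and log format are assumptions;
// the sample log is constructed for this example.
const PROBE_LABEL = /^[a-z]{7,15}$/;

// Parse one log line of the assumed form "<ts> <client> <qname> <qtype> <rcode>".
// Returns null for blank or malformed lines so they are skipped, not counted.
function parseLine(line) {
  const [ts, client, qname, qtype, rcode] = line.trim().split(/\s+/);
  if (!rcode) return null;
  return { ts, client, qname: qname.replace(/\.$/, "").toLowerCase(), qtype, rcode };
}

// A query looks like a probe when it is a single label matching PROBE_LABEL
// and the answer was NXDOMAIN. Legitimate single-label intranet names collide
// with this test; see the per-client triplet count below for a tighter signal.
function looksLikeChromiumProbe(q) {
  return q.rcode === "NXDOMAIN" && !q.qname.includes(".") && PROBE_LABEL.test(q.qname);
}

function analyse(logText) {
  const queries = logText.split("\n").map(parseLine).filter(Boolean);
  const nx = queries.filter((q) => q.rcode === "NXDOMAIN");
  const probes = nx.filter(looksLikeChromiumProbe);
  // The detector fires its probes as a burst of three per client, so clients
  // with at least three probe-like NXDOMAINs are the stronger indicator.
  const byClient = new Map();
  for (const q of probes) byClient.set(q.client, (byClient.get(q.client) || 0) + 1);
  return {
    total: queries.length,
    nxdomain: nx.length,
    probeLike: probes.length,
    probeShareOfNxdomain: nx.length ? probes.length / nx.length : 0,
    clientsWithTriplets: [...byClient.values()].filter((n) => n >= 3).length,
  };
}

// Constructed sample. The three single-label names from 10.0.0.5 mimic the
// startup burst; "intranet" from 10.0.0.9 shows the false positive a real
// single-label name produces, which is the very case the detector exists for.
const SAMPLE_LOG = `
1612500001 10.0.0.5 qzmfpvxk A NXDOMAIN
1612500001 10.0.0.5 bcahwtlkqpe A NXDOMAIN
1612500001 10.0.0.5 rmtoypnvl A NXDOMAIN
1612500002 10.0.0.7 www.example.com. A NOERROR
1612500003 10.0.0.7 mail.example.com. AAAA NOERROR
1612500004 10.0.0.9 intranet A NXDOMAIN
1612500005 10.0.0.9 typo.examlpe.com. A NXDOMAIN
`;

console.log(analyse(SAMPLE_LOG));
```

On the sample, four of the five NXDOMAINs match the label pattern but only one client shows the three-in-a-burst signature; on real logs the triplet count is the number to trend, because the plain label match also catches every unqualified intranet name that users type into the address bar.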


To Re-Enable Flash Support, South Africa's Tax Agency Released Its Own Web Browser

Author: EditorDavid
2021-02-01 09:34
"The South African Revenue Service (SARS) has released this week its own custom web browser," reports ZDNet, "for the sole purpose of re-enabling Adobe Flash Player support, rather than port its existing website from using Flash to HTML-based web forms." To prevent the app from continuing to be used in the real-world to the detriment of users and their security, Adobe began blocking Flash content from playing inside the app starting January 12, with the help of a time-bomb mechanism... As SARS tweeted on January 12, the agency was impacted by the time-bomb mechanism, and starting that day, the agency was unable to receive any tax filings via its web portal, where the upload forms were designed as Flash widgets. But despite having a three-and-a-half-year heads-up, SARS did not choose to port its Flash widgets to basic HTML & JS forms, a process that any web developer would describe as trivial. Instead, the South African government agency decided to take one of the most mind-blowing decisions in the history of bad IT decisions and release its own web browser. Released on Monday on the agency's official website, the new SARS eFiling Browser is a stripped-down version of the Chromium browser that has two features. The first is to re-enable Flash support. The second is to let users access the SARS eFiling website. As Chris Peterson, a software engineer at Mozilla, pointed out, the SARS browser only lets users access the official SARS website, which somewhat reduces the risk of users getting their systems infected via Flash exploits while navigating the web. But as others have also pointed out, this does nothing for accessibility, as the browser is only available for Windows users and not for other operating systems such as macOS, Linux, and mobile users, all of which are still unable to file taxes.


Google Gets Web Allies by Letting Outsiders Help Build Chrome's Foundation

Author: msmash
2020-11-24 02:25
Google is loosening control over the core of its Chrome browser, a move that helps Microsoft, Samsung and Brave build competitors while advancing the search giant's vision of the web. From a report: Over the past six months, Google welcomed a new outside developer into the leadership of its Chromium project, the software that powers the similarly named browser. The Alphabet subsidiary is also granting outsiders access to its previously proprietary software development system and allows outside features even when Google doesn't incorporate them into the flagship Chrome browser. Chromium is open-source software, which means anyone can modify and use it. Even with open source projects, however, outsiders can have trouble convincing organizers to accept their changes and additions, making it harder to contribute and benefit. Google took pains to draw attention to the changes at the BlinkOn conference earlier this week. "It's really cool to see so many people and groups with different priorities coming together and finding solutions that not only meet their individual agendas but also advance the common goal of improving the web," said Danyao Wang, a Chrome engineer at Google.


Linux Mint Introduces Its Own Take On the Chromium Web Browser

Author: BeauHD
2020-11-04 10:25
Mint's programmers, led by lead developer, Clement "Clem" Lefebvre, have built their own take on Google's open-source Chromium web browser. ZDNet reports: Some of you may be saying, "Wait, haven't they offered Chromium for years?" Well, yes, and no. For years, Mint used Ubuntu's Chromium build. But then Canonical, Ubuntu's parent company, moved from releasing Chromium as an APT-compatible DEB package to a Snap. The Ubuntu Snap software packing system, along with its rivals Flatpak and AppImage, is a new, container-oriented way of installing Linux applications. The older way of installing Linux apps, such as DEB and RPM package management systems for the Debian and Red Hat Linux families, incorporate the source code and hard-coded paths for each program. While tried and true, these traditional packages are troublesome for developers. They require programmers to hand-craft Linux programs to work with each specific distro and its various releases. They must ensure that each program has access to specific libraries' versions. That's a lot of work and painful programming, which led to the process being given the name: Dependency hell. Snap avoids this problem by incorporating the application and its libraries into a single package. It's then installed and mounted on a SquashFS virtual file system. When you run a Snap, you're running it inside a secured container of its own. For Chromium, in particular, Canonical felt using Snaps was the best way to handle this program. [...] Lefebvre wrote, "The Chromium browser is now available in the official repositories for both Linux Mint and LMDE. If you've been waiting for this I'd like to thank you for your patience." Part of the reason was, well, Canonical was right. Building Chromium from source code is one really slow process. He explained, "To guarantee reactivity and timely updates we had to automate the process of detecting, packaging and compiling new versions of Chromium. 
This is an application which can require more than 6 hours per build on a fast computer. We allocated a new build server with high specifications (Ryzen 9 3900, 128GB RAM, NVMe) and reduced the time it took to build Chromium to a little more than an hour." That's a lot of power! Still, for those who love it, up-to-date builds of Chromium are now available for Mint users.


Microsoft Releases Chromium-Based Edge Preview For Linux

Author: BeauHD
2020-10-21 09:45
Last month, Microsoft officials said they'd release a preview of the new Chromium-based Edge browser for Linux some time in October. On October 20, Microsoft made good on the promise, making available the Edge Dev Channel build for Linux. ZDNet reports: The new release supports Ubuntu, Debian, Fedora and openSUSE Linux distributions. Microsoft is planning to release weekly builds, like it does with the Dev Channel builds for other platforms. To get started, users can download and install a .deb or .rpm package directly from the Edge Insider site, which will configure a system to get future automatic updates. Or users can install Edge from Microsoft's Linux Software Repository. More detailed instructions are available on Microsoft's Chredge-on-Linux blog post.


Microsoft Updates Edge With New Features To Challenge Chrome

Author: EditorDavid
2020-09-27 07:53
Forbes looks at new features Microsoft added to Edge "as it looks to beat Chrome in the browser wars." It's now going to be possible to search for work files directly inside the Edge browser directly from the address bar. To use this you need Microsoft Search configured, then type "work" and press the Tab key to search your company's network for your work files. Another work-related Microsoft Edge update is also about to launch to let IT admins manage specific work related apps on user devices as well as the browsing users do from their Work Profile in Edge. Integration with other Microsoft products is a key factor as the IT giant looks to entice more business users to use the updated Edge browser. Edge now supports native policies for Microsoft Endpoint Data Loss Prevention, which are used to find and protect sensitive items across Microsoft 365 services, Microsoft said in a blog highlighting the firm's security credentials. Another soon to launch feature of note highlighted by Bleeping Computer is Sleeping Tabs, which Microsoft says can improve memory usage by up to 26%. It can also reduce CPU usage by 29% potentially resulting in battery savings... The browser is also adding security features such as alerts for the Edge password monitor if a compromised password is detected.

