Brave-browser: Chromium needs to be updated in a more timely fashion to avoid security issues

Created on 15 Jun 2020 · 5 Comments · Source: brave/brave-browser

Before I start, I would like to make it clear that I do not want to attack the project, but to give some critical observations. Hopefully that will stop this from turning into a flame war or anything like that.

Brave uses Chromium as its base. Currently, Brave stable 1.9.80 is on Chromium 81.0.4044.138, which was released on the 1st of May. Chromium's stable tag is currently 83.0.4103.97. Sure, there are tons of ways where there can be delays in shipping an updated version of Chromium, that's to be expected, but running the browser on a 46-day-old version?

Microsoft Edge, as an example, took 4 days to fix CVE-2020-6493. Brave stable is still vulnerable to this CVE, 13 days after the stable Chromium tag fixing it, 83.0.4103.97, was released.

Why is this an issue? Well, currently in the latest release version of Brave, at least 43 CVEs are present in its Chromium base. CVEs are not all, however; Google's usage of ClusterFuzz to find potential security issues and fix them has also been potentially missed out.

How can Brave justify saying that the user will 'Experience unparalleled privacy and security' when it is providing an insecure release of Chromium to the user? This project is seriously awesome at its concept, but when it can't nail basic things like having a good response time to update its Chromium core in a timely fashion, how can people who are knowingly aware of this gaping hole in its security endorse it?

All 5 comments

This is about to become a significant issue for me, since my company uses DUO software to ensure browsers are constantly up to date. If Brave doesn't update within 3 days, I'm going to have to drop it and go back to vanilla Chrome.

Chromium skipping 2 versions and the macro environment hit us unusually hard. We've added resources to get more on track here. We're updating the Release channel today. We'll definitely be more on track in future updates. Since the work for getting caught up is already on Nightly and Beta and is going to Release today, I'll close this issue since there is no extra action needed. Thanks for flagging.

@bbondy Thanks for the quick reply, I will definitely be keeping a close eye on the situation. Hopefully the extra resources into managing this will prevent a repeat of it. My personal suggestion would be to perhaps automate updating Brave's Chromium core, using a Python script for example to parse stable Chromium releases every hour and trigger a CI run so that it can be tested right away. Perhaps such a solution would reduce the lag in pushing security updates, as QA would be presented with builds on the dot to test. Just my thoughts.
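The freshness check behind the suggestion above, as an added example that is not code from the thread or the Brave project: it compares the Chromium version a browser bundles against a list of stable releases and measures the lag against the two-week target quoted later in the thread. The release feed is constructed inline from the versions and dates the post mentions (the 83.0.4103.97 date is assumed from "13 days" before the 15 June post); fetching a real feed is left to the reader.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Chromium version strings have four numeric components, e.g. "83.0.4103.97".
# Comparing the parsed tuples orders them correctly (string comparison would not).
def parse_version(v: str) -> tuple[int, ...]:
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version string: {v!r}")
    return tuple(int(p) for p in parts)

@dataclass(frozen=True)
class Release:
    version: str
    released: date  # date the stable tag shipped

# Constructed sample feed (not a live fetch): 81.0.4044.138 on 1 May 2020 per the post;
# 83.0.4103.97 assumed to be 2 June 2020, i.e. 13 days before the post of 15 June.
SAMPLE_STABLE_FEED = [
    Release("81.0.4044.138", date(2020, 5, 1)),
    Release("83.0.4103.97", date(2020, 6, 2)),
]

MAX_LAG_DAYS = 14  # the "maximum of 2 weeks lag" target stated in the thread

def lag_report(bundled: str, feed: list[Release], today: str, max_lag: int = MAX_LAG_DAYS) -> dict:
    """Report how far `bundled` trails the newest stable release as of `today` (YYYY-MM-DD)."""
    now = date.fromisoformat(today)
    by_version = {r.version: r for r in feed}
    newest = max(feed, key=lambda r: parse_version(r.version))
    behind = parse_version(bundled) < parse_version(newest.version)
    # Days a newer stable tag has been available; zero when already current.
    lag_days = (now - newest.released).days if behind else 0
    # Age of the shipped version itself, when the feed knows its release date.
    known = by_version.get(bundled)
    age_days = (now - known.released).days if known else None
    return {
        "bundled": bundled,
        "newest_stable": newest.version,
        "behind": behind,
        "lag_days": lag_days,
        "age_days": age_days,
        "policy_violation": bool(behind and lag_days > max_lag),
    }
```

Run as a scheduled job, a `policy_violation` of `True` is the signal to page the release owners rather than wait for a user-filed issue.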

Just wanted to say we recognize this is our fault and that it is a serious security concern. We aim for a maximum of 2 weeks lag from the Chromium stable releases and usually can do it within a day or so. Sorry that this one is going out 4 weeks behind.

FWIW, Chromium security issues have a 14-week embargo, so assuming a 6-week release cycle, there are 8 weeks for us to update before the sec issues are publicly exploitable, assuming they are not leaked/disclosed early.

@diracdeltas Thanks for the extra clarification and taking the time to respond!
