How dangerous are browser exploits really?

I see that people here are really obsessed with keeping browsers up to date for the purpose of security. I never really considered this to be a big deal because, as far as I'm aware, not much can be done by a malicious actor through just your browser. I have always thought that as long as you don't download and run unknown executables, it's impossible for anything bad to happen these days. But seeing how obsessive some of you are with keeping browsers up to date has gotten me thinking: is there something I'm not aware of?


Generally if you use Chrome, nothing bad will happen; very rarely there is a 0-day exploit that can do real damage that isn't patched out before it's even released to the public. Most exploits that do exist have severe limitations, like how much data you can pass through, etc., which make them useless for most purposes, and with OS-level protection on up-to-date Linux distros and Windows, even if an exploit can execute arbitrary code, it will be further limited by that. Hence why social engineering attacks and scams have been so much more common in the past five or so years compared to before; getting the user to type in their credentials on a phishing site or download an executable that executes the payload is much more common. I have never in recent times, for example, heard of an exploit that steals stored passwords in the browser or establishes an admin-privilege TCP shell on the machine.

But it's not impossible. Jow Forums is just extreme.
That said, there is some software that you should always keep as up to date as possible, for example any servers like Apache, databases, and generally enterprise-grade programs and those that listen for connections, as well as those that are poorly maintained, like mIRC for example, as these will generally have a much higher return on investment for black hat hackers since they are used by bigger fish. Most exploits nowadays will be targeting those systems, and even then, most times corporations get hacked, it's social engineering, like a malicious attachment, etc.
You're honestly much better off improving your safety while browsing by just being wary, checking URLs of links you click, using uBlock/NoScript/uMatrix/HTTPS Everywhere and such, and making sure to keep an eye out for any suspicious extension updates. And don't use public WiFi, as HTTPS is still very susceptible to various MiTM attacks and you'd be surprised how many people like to play Mr. Robot IRL in [university name]'s STEM campus Starbucks.

Very, browsers are probably the most commonly deployed software facing the internet. One exploit can hit millions of people, shotgun approach has guaranteed results.

Chrome is sandboxed, so likely nothing will happen.

Firefox, however, is a security nightmare. It really can affect your entire computer solely by visiting a website. It's insane.

See game consoles hacked via browser

Depends how exploitable but it could be apocalyptic.

Attached: zerodium_prices.png (824x688, 71K)

True, but game console browsers aren't anything like normal browsers since they're often not updated for years and get payloads specific to hardware.

Use Smart HTTPS instead.

No, HTTPS Everywhere.

What about mobile? Do those things still apply?

using NoScript and uMatrix together is redundant and most likely counterproductive

There's sandbox escapes every year, firefox has been sandboxing for a while now.

NoScript actually does handle some specific things like clickjacking and local address forwarding things. It's still scammy as fuck though.

Firefox is sandboxed. Has been for a few years now.
Of course, sandbox escapes are hardly uncommon these days.

>noscript is scammy
wait noscript is bad now? why?

If some retarded shitposter on the internet can convince you in one poorly written post that your security measures are bad, you never had a good grasp of your security anyway and you should give up on life.

It just whitelists some other shit and re-enables them when updating, also at some point he had some really shady ads on the site (which opens automatically on updates) and it was a whole mess a long time ago when you were a baby.

do you enjoy your freedom?
i don't mean freedom like software freedom, i mean freedom like not sitting in prison freedom.
possession of child pornography is a crime.
so, all you have to do to be guilty is have child pornography on your computer somewhere. somewhere that you may not even know about, like a boot sector.
so, using a few tools, to deprive you of freedom, all one has to do is place child pornography somewhere on your computer and you are automatically guilty of a crime that deprives you of freedom.
1) place files on your computer
2) call the police with an anonymous tip
that's it. you're done.
guilty. do not pass go, do not collect $200. you are going to prison for child pornography.
how long do you think you would last?
and, what did you actually do? nothing. someone else did it to you.
tldr: UPDATE YOUR FRIGGIN BROWSER.

You're projecting. I just asked him to explain himself to see why he thinks that. what are "shady ads"?
>was a whole mess a long time ago when you were a baby.
i'm probably older than you

>You're projecting.
You're a dumbass.

Shady like serving malware ads. Noscript man probably had nothing to do with it directly but that's why you have to block all ads ever and disable any whitelists.

imagine running software transmitted to you across a non-secure connection from any random source.
that's what the modern web is. it's not markup for presentation of information anymore.

>reads something that's not there
>gets corrected
>"waaaah ur dumb :("
lol

i had an acrobat reader pdf-in-browser exploit get me once. really fucked my shit up.

this was before pdf.js... fuck adobe and acrobat.

Wait, I'm dumb? I didn't know.
Care to explain why?
Now that you've gone into full shitposting mode I can finally accept anything you say as truth.

that part was you

chrome and firefox are open to security issues.

security through rarity is an option. e.g. using a 10 year old outdated opera 12.18 because it never uses more than 300mb ram and is pretty fucking fast.

best option is to use an android virtual machine and route all of your browser use through android version of firefox or chrome. if your vm gets toast no worries just reset it to original or unzip a fresh copy.

anyone who says chrome is safe has never used it without ublock. so many browser hijacks over the years. firefox too. nothing is safe. can only mitigate disaster. bsd/linux is better than windows, and a virtual machine is better than bsd/linux/windows because in general, people don't do virtual machine exploits on top of browser exploits.

Ah, thanks for the info. I literally haven't used it in years because it wasn't.

My fault for not clarifying. Not saying simply and solely because it's sandboxed that it guarantees security. But it is an important measure imo

Yes, though I'm not sure of how bad it is on iOS. Here's an example of an old exploit on Android devices: youtube.com/watch?v=71YP65UANP0

(While that exploit is old, Android is notorious for phone manufacturers not properly patching old phones. So it is still possible for old phones to still be vulnerable.)

Definitely don't do the old version thing. Old vulns are never rare, they're automated.

There is an importance scale for how important it is to keep software up to date, and web browsers are at the most important end of that scale. You regularly connect (either on purpose or on accident) to untrustworthy remote servers, and the protocols and standards involved in rendering a webpage are incredibly complicated and involve lots of possibly-insecure third party dependencies.