"Known exploited" vulnerability in Chrome and Chromium. Be sure to update, when you can.

[-]

Mr_Lumbergh@reddit

I'll just keep avoiding Chrome entirely, problem solved.

[-]

professional_oxy@reddit

hate to break it to you, but also firefox gets regularly exploited

[-]

we_are_mammals@reddit (OP)

Number of CVEs with CVSS scores 7 or higher, in 2025, all OSes.

Firefox ESR: 10
Firefox: 45
Chrome: 49

(The vast majority are not "known exploited")

I'm not confident enough to say that this means that Firefox ESR is the safest choice among them. What do serious security researchers (not anonymous redditors) think, I wonder? Has anyone gone on record to say that Firefox ESR is much safer than Chrome?

[-]

Fs0i@reddit

Has anyone gone on record to say that Firefox ESR is much safer than Chrome?

Honest guess: less people look at it, because it's less used.

[-]

ipaqmaster@reddit

Yep. It's the same reason IE6 was the most malware ridden piece of shit in the early 2000s. Explicitly because it was the most popular one. People were looking to exploit against "The most users" so it was the obvious target for a lot of malicious behavior.

[-]

necrophcodr@reddit

Well it was also just really easy to exploit with all the insecure plugins people installed.

[-]

ipaqmaster@reddit

yea 😃

[-]

ukezi@reddit

Or because it's an extended support release, less new features means less new code that can be exploited. Everything that was a CVE in Firefox ESR was also in Firefox.

[-]

dve-@reddit

Oh. And I was wondering how a slow release can have less open exploits. It's a bit counter intuitive if they don't update it as often.

[-]

we_are_mammals@reddit (OP)

was wondering how a slow release can have less open exploits

Old code gets fixed. New code with new bugs is not allowed to come in. Debian works the same way. That's the theory, anyway.

[-]

BrodatyBear@reddit

They get security updates pretty regularly.

One thing that really can make a significant difference is that they don't get new features that fast, so they can be tested and potentially exploited in the normal release before they come to ESR.

[-]

notenglishwobbly@reddit

Never tell that to a Linux user.

Now going to have a mix of Linux users telling me that "android is linux so linux has won" and "no it's only because Linux is just so strong and hot, not because no one uses it" and "Linux is NEVER Android which has more holes than swiss cheese but Linux does not (somehow)".

[-]

StarChildEve@reddit

Linux IS strong, and hot… so, so hot… and such a good, caring lover, too…

[-]

Technical_Strike_356@reddit

Just because less vulnerabilities were found doesn't mean less exist. Firefox's security model is objectively less hardened than Chrome's.

[-]

we_are_mammals@reddit (OP)

Just don't ask the same researcher what he thinks about Linux desktops.

[-]

BlueCannonBall@reddit

Well, they're right about [Linux desktops](https://madaidans-insecurities.github.io/linux.html) too.

[-]

yawkat@reddit

Another indicator in this space is zero day pricing, and that shows Firefox exploits to be substantially cheaper than chrome. https://www.crowdfense.com/exploit-acquisition-program/

[-]

we_are_mammals@reddit (OP)

Chrome has 66% of the browser market. Firefox - only 2.5%.

It could be that they are only offering $300K for Firefox exploits (because no one wants them), but at that price, there might be no sellers, because exploiting Chrome pays a lot more.

Without info on how many exploits are actually sold, it's hard to make sense of those prices.

[-]

we_are_mammals@reddit (OP)

Yes, this is probably the most informative metric. I wonder how much ESR exploits go for.

[-]

AaTube@reddit

What about Chrome ESR?

[-]

Delicious-Isopod5483@reddit

esr?

[-]

Mr_Lumbergh@reddit

Extra Slow Revision

[-]

fbender@reddit

Extended support release, targeted for enterprise deployments that cannot/will not ride the 6-week release train of mainline Firefox. Will get upgraded to mainline roughly once a year and otherwise only receives security and critical correctness fixes.

[-]

C0rn3j@reddit

Unless you use Firefox, you're using something based on Chromium, which is affected.

[-]

jesster114@reddit

Didn’t realize that Lynx was based off Chromium /s

[-]

lazyboy76@reddit

Wget for me, yay.

[-]

anxiousvater@reddit

I use lynx. A more mordern tool 🔥.

[-]

Lost_Magazine8976@reddit

Wget? How entitled. I use telnet.

[-]

No_Hovercraft_2643@reddit

i wouldn't count wget and curl as browsers

[-]

Jonno_FTW@reddit

You'd need to pipe the output to less first.

[-]

devslashnope@reddit

Because less is more. Or, at least, more better than more.

[-]

studog-reddit@reddit

Moar less!

[-]

cryptospartan@reddit

I think he just forgot the /s lmao

[-]

Fs0i@reddit

You and the three other Lynx users can rejoice

[-]

studog-reddit@reddit

RIP Opera(presto).

[-]

notenglishwobbly@reddit

Don't even know what Konqueror is based on, but I'm going to act smug anyway.

[-]

GenBlob@reddit

That's qtwebengine which is a stripped down chromium fork, sadly.

[-]

Mr_Lumbergh@reddit

Which I'm doing, so...

[-]

Dramatic_Mastodon_93@reddit

maybe they use gnome web /s

[-]

not_some_username@reddit

You can’t. Lot of app are using the chromium engine

[-]

No_Hovercraft_2643@reddit

you can, there is also gecko, the engine of Firefox, and things like ladybird and lynx.

also safari uses it's own engine

[-]

Maykey@reddit

Is there gecko based quitebrowser? I don't want chrome baser as chrome drops manifest 2 therefore derived browsers will have to fight against the original or drop it too

[-]

not_some_username@reddit

I’m not talking about browsers I’m talking about electron apps. I’m using Firefox.

[-]

No_Hovercraft_2643@reddit

i think you should have written that in your comment.

[-]

not_some_username@reddit

yeah i guess

[-]

ymmvxd@reddit

The fix is included in 138.0.7204.92 on Linux

The version in the screenshot applies to WINDOWS

[-]

anxiousvater@reddit

If you take out that 7 from 7204, it's a proper public IP.

[-]

Dist__@reddit

i'm curious, do google managers shout at the team when such things get revealed?

[-]

DribblingGiraffe@reddit

They actually use a firing squad to eliminate the problem

[-]

JockstrapCummies@reddit

firing squad

That was the Larry Page era. With Pichai they've modernised to execution by smearing you with honey and then lowering you to a den of starving gophers instead.

[-]

perkited@reddit

Microsoft is much more humane, just some sharp sticks jammed under their fingernails. Mozilla tends to motivate their devs by splashing boiling oil in their faces.

[-]

markswam@reddit

Yelling at the dev team isn't going to make a lick of difference in terms of preventing future vulnerabilities. All it will do is hurt team morale, which in turn will lead to people either checking out (creating complacency) or leaving entirely (creating churn), both of which will cause further issues down the road.

People by and large don't respond well to negative reinforcement. Any management structure that defaults to that is a bad management structure.

Bugs happen. Testing won't catch everything. Most of the time they're treated like a learning experience and the teams just fix them and move on.

[-]

flyhmstr@reddit

If they do they’re bad managers

Do a proper analysis of why the fault happened and how it escaped code review and testing, close those gaps

[-]

james_pic@reddit

It's also worth noting that exploits in Chromium are rarely simple mistakes. It's not like a junior developer vibe coding an SQL injection vulnerability. This will have been introduced as part of a complex change to a complex piece of code by someone who has a lot of experience making these sorts of changes, who knows about this sort of issue and was trying very hard to avoid it.

[-]

DrCatrame@reddit

> i'm curious, do google managers shout at the team when such things get revealed?

They get physically punished and this will make it possible to find more and more bugs (/s?)

[-]

SampleByte@reddit

Brave did immediately

2025-07-01 19:41:17 | Brave | 1.80.115-1 | Chromium 138.0.7204.97

[-]

frymaster@reddit

ditto Edge https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#july-1-2025

July 1, 2025 - Microsoft has released the latest Microsoft Edge Stable Channel (Version 138.0.3351.65), which incorporates the latest Security Updates of the Chromium project. This update contains a fix for CVE-2025-6554 ...

[-]

whlthingofcandybeans@reddit

Don't "update", uninstall.

[-]

slroa@reddit

yeah nothing new, just download firefox

[-]

Gugalcrom123@reddit

Mozilla is incredibly shady. I just use no-name Chromium builds.

[-]

slroa@reddit

What exactly makes firefox shady? never heard about that before.

I just use no-name Chromium builds.

Like brave browser?

[-]

dmoc_official@reddit

Ungoogled chromium is where it's at. Apart from sync. Only thing I miss from a big name browser is sync

[-]

KwyjiboTheGringo@reddit

Apart from sync. Only thing I miss from a big name browser is sync

That's so funny, because I remember sync being the reason I switched to Chromium a while back. Maybe it's better now, but it was both annoying and concerning.

[-]

Gugalcrom123@reddit

Exactly, except I do not miss sync.

[-]

Gugalcrom123@reddit

Introducing TOS, promotion of services such as Pocket, AI

[-]

slroa@reddit

No idea why you're getting downvoted I literally just asked you to explain on what you said. But hey it’s Reddit.

[-]

Shap6@reddit

Probably because none of those things are shady that they nentioned

[-]

Gugalcrom123@reddit

BTW, I do not consider Brave no-name as it has a commercial entity behind. What I consider no-name is plain Chromium, Ungoogled Chromium, Cromite and some others.

[-]