Google has apparently been mogged into rewriting the JPEG XL reference library in Rust to make it more “secure” so that it can be used in browsers (apparently the reason they refuse to put it in Chrome, and the reason Firefox devs cite) (never mind the fact that this apparently didn’t stop Apple). We can only hope they actually finish the damn thing…
To be fair, this isn’t just happening out of the blue. Apple had a bunch of zero-day, no-click vulnerabilities from its media decoders, which were some of the original Pegasus vectors. Complex media rendering is a very legitimate security concern, particularly in the browser space on general-purpose machines. IDK if doing a full Rust implementation is the right answer, but the idea of not wanting to add a massive potential attack vector for redundant functionality is not completely insane.