
Chrome zero-day vulnerabilities

renab
Posts: 8
Joined: Wed Jun 17, 2020 4:00 pm

Chrome zero-day vulnerabilities

Post by renab »

Hi,

Does CEF4Delphi need to be updated due to the recent Chrome zero-day vulnerabilities that were exposed?
salvadordf
Posts: 4016
Joined: Thu Feb 02, 2017 12:24 pm
Location: Spain

Re: Chrome zero-day vulnerabilities

Post by salvadordf »

Hi,

Chromium has security fixes frequently and the CEF project is updated almost at the same frequency.
CEF4Delphi is also updated to use the latest CEF version which includes the latest Chromium version with the latest features and fixes.

At this moment, CEF4Delphi uses CEF 89 but I'll release a new update with CEF 90 as soon as I fix an issue with some demos.
renab
Posts: 8
Joined: Wed Jun 17, 2020 4:00 pm

Re: Chrome zero-day vulnerabilities

Post by renab »

Ok great thank you. How can I get notifications when updates to CEF4Delphi are published? I thought I had my notification preferences set correctly but I want to make sure.
salvadordf
Posts: 4016
Joined: Thu Feb 02, 2017 12:24 pm
Location: Spain

Re: Chrome zero-day vulnerabilities

Post by salvadordf »

CEF4Delphi with CEF 90 was released yesterday.

You can click on the Watch button in the project page at GitHub.
https://github.com/salvadordf/CEF4Delphi

You can also subscribe to the forum thread where all CEF4Delphi updates are announced:
https://www.briskbard.com/forum/viewtopic.php?f=8&t=1565
renab
Posts: 8
Joined: Wed Jun 17, 2020 4:00 pm

Re: Chrome zero-day vulnerabilities

Post by renab »

Ok great thanks so much.

I notice in the documentation it mentions that cef_sandbox.lib and libcef.lib can be omitted from the application directory when deploying -- why is that?
salvadordf
Posts: 4016
Joined: Thu Feb 02, 2017 12:24 pm
Location: Spain

Re: Chrome zero-day vulnerabilities

Post by salvadordf »

The LIB files are used in C/C++ applications and according to most of the search results, they can't be used in Delphi.
https://stackoverflow.com/questions/8588279/use-lib-file-in-delphi-how-to-import-lib-file

Perhaps you can extract the object files from the lib files and link them from Delphi but I've never tried that.
http://rvelthuis.de/articles/articles-cobjs.html
renab
Posts: 8
Joined: Wed Jun 17, 2020 4:00 pm

Re: Chrome zero-day vulnerabilities

Post by renab »

OK thanks. I was just concerned if cef_sandbox.lib "can't be used in Delphi" that meant that CEF browsers in Delphi don't have Chromium's built-in sandbox security feature?
salvadordf
Posts: 4016
Joined: Thu Feb 02, 2017 12:24 pm
Location: Spain

Re: Chrome zero-day vulnerabilities

Post by salvadordf »

That's sadly correct.

The sandbox is disabled in Delphi and Lazarus because we can't link cef_sandbox.lib.
renab
Posts: 8
Joined: Wed Jun 17, 2020 4:00 pm

Re: Chrome zero-day vulnerabilities

Post by renab »

Ok - yeah that's a bummer. It makes it more urgent then that we keep our applications current with the latest versions of CEF/Chromium if we don't really have that fail-safe. Good to know, thanks.
thefunkyjoint
Posts: 458
Joined: Thu Aug 10, 2017 12:40 pm

Re: Chrome zero-day vulnerabilities

Post by thefunkyjoint »

renab wrote: Mon Apr 19, 2021 9:01 pm Ok great thanks so much.

I notice in the documentation it mentions that cef_sandbox.lib and libcef.lib can be omitted from the application directory when deploying -- why is that?
Is this true? I don't need to deploy these two files with my app? This would be 66MB less in the package!