Chrome zero-day vulnerabilities

Posted: Sat Apr 17, 2021 5:03 pm
by renab
Hi,

Does CEF4Delphi need to be updated due to the recent Chrome zero-day vulnerabilities that were exposed?

Re: Chrome zero-day vulnerabilities

Posted: Sat Apr 17, 2021 6:16 pm
by salvadordf
Hi,

Chromium has security fixes frequently and the CEF project is updated almost at the same frequency.
CEF4Delphi is also updated to use the latest CEF version which includes the latest Chromium version with the latest features and fixes.

At this moment, CEF4Delphi uses CEF 89 but I'll release a new update with CEF 90 as soon as I fix an issue with some demos.

Re: Chrome zero-day vulnerabilities

Posted: Mon Apr 19, 2021 12:36 pm
by renab
Ok great thank you. How can I get notifications when updates to CEF4Delphi are published? I thought I had my notification preferences set correctly but I want to make sure.

Re: Chrome zero-day vulnerabilities

Posted: Mon Apr 19, 2021 12:42 pm
by salvadordf
CEF4Delphi with CEF 90 was released yesterday.

You can click on the Watch button in the project page at GitHub.
https://github.com/salvadordf/CEF4Delphi

You can also subscribe to the forum thread where all CEF4Delphi updates are announced:
https://www.briskbard.com/forum/viewtopic.php?f=8&t=1565

Re: Chrome zero-day vulnerabilities

Posted: Mon Apr 19, 2021 9:01 pm
by renab
Ok great thanks so much.

I notice in the documentation it mentions that cef_sandbox.lib and libcef.lib can be omitted from the application directory when deploying -- why is that?

Re: Chrome zero-day vulnerabilities

Posted: Tue Apr 20, 2021 8:22 am
by salvadordf
The LIB files are used in C/C++ applications and according to most of the search results, they can't be used in Delphi.
https://stackoverflow.com/questions/8588279/use-lib-file-in-delphi-how-to-import-lib-file

Perhaps you can extract the object files from the lib files and link them from Delphi but I've never tried that.
http://rvelthuis.de/articles/articles-cobjs.html

Re: Chrome zero-day vulnerabilities

Posted: Tue Apr 20, 2021 11:15 am
by renab
OK thanks. I was just concerned if cef_sandbox.lib "can't be used in Delphi" that meant that CEF browsers in Delphi don't have Chromium's built-in sandbox security feature?

Re: Chrome zero-day vulnerabilities

Posted: Tue Apr 20, 2021 12:26 pm
by salvadordf
That's sadly correct.

The sandbox is disabled in Delphi and Lazarus because we can't link cef_sandbox.lib.

Re: Chrome zero-day vulnerabilities

Posted: Tue Apr 20, 2021 1:19 pm
by renab
Ok - yeah that's a bummer. It makes it more urgent then that we keep our applications current with the latest versions of CEF/Chromium if we don't really have that fail safe. Good to know thanks.

Re: Chrome zero-day vulnerabilities

Posted: Tue Apr 20, 2021 6:13 pm
by thefunkyjoint
renab wrote: Mon Apr 19, 2021 9:01 pm
> Ok great thanks so much.
>
> I notice in the documentation it mentions that cef_sandbox.lib and libcef.lib can be omitted from the application directory when deploying -- why is that?

Is this true? I don't need to deploy these two files with my app? This would be 66MB less in the package!