In many cases, you'd need to escape the browser before exploiting the OS itself. Security is not an all or nothing, layers and layers are effective at mitigating or increasing the time it takes for exploit to work. For instance ASLR is absolutely not a bulletproof solution, but many exploits are order of magnitude more complex to execute when enabled.
In addition to that, the browser is executing third-party code all the time while making it a good point of entry.
My remark was a little more abstract and frankly, absurd though.
I mean, the most memory safe language will invoke syscalls. It will ask for memory pages and stuff. If we assume the app is running on a pile of shit because the OS is written in C, how can we be sure that the language is memory safe?
I understand the value of memory safe languages but people bashing on C/C++ code does not make sense to me when everything is essentially running on C. That’s all.
> In addition to that, the browser is executing third-party code all the time while making it a good point of entry.
This made me curious about something. Has there been many exploits stemming from JavaScript engines? I honestly do not know but as far as I can tell, most of the issues originate from faulty image decoders screwing up memory and tls implementations etc.
In addition to that, the browser is executing third-party code all the time while making it a good point of entry.