Yes, that is the gist of the last sentence. However, that was clearly not the message the bulk of the post was intending to express:
He [Charlie Miller] did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their 'sandbox' makes it extremely difficult to exploit.
Two hikers are running from a grizzly. One of them asks, "Do you really think we can outrun the bear?" The other says, "No, but I think I can outrun you!"
It would still take two successive holes to exploit - one to get in, another to get out of the Chrome sandbox. And only 7% of users use Chrome, while 56% of users use Firefox (my own web site statistics today) - if I wanted to do something malicious, I'd get a lot better bang for the bug with Firefox.
The hack-ability tends to be directly proportional to its popularity. Nothing has ever been built that was 100% secure (if you did, more power to you). My point is, the more popular something gets, the more minds will be focused on breaking it, the more information will be available publicly regarding possible attack vectors, and eventually it will break.
Chrome is a new player, people haven't had much time to play with it, or the motivation to since it doesn't have as much market share at the moment.
I think Chrome and IE are both on track to become proved-secure. I think they are both close to being able to use automatic tools to prove that malware cannot get out of the sandbox without an operating-system exploit.
Microsoft seems to be working on a provably-secure micro-kernel for Windows. In a few years they will be able to legitimately claim that privilege escalation is literally impossible without the user's consent. That is such a big and expensive task that I'm not sure their mainstream competitors will be able to match that claim in any reasonable time frame (except maybe Symbian, because it already has a micro-kernel architecture).
After that, security on Windows will be all about UI. How can we prevent programs from tricking the user into letting them do something bad. How can we prevent programs from doing bad things without the user knowing? How can the user be sure that a program will not violate his privacy? How can the user be sure that a program won't cause data loss?
How can the user be sure that a program won't cause data loss?
An easy way to do it: never delete anything. This isn't too different than my OS X setup at home with Time Machine. I have exceptions set up for things like my VirtualBox images and movies. A more advanced system that can keep deltas of binary data would be even better. A solution designed for the clueless end-user would have some sort of function that would automatically keep less frequent backups for larger files.
Run out of room? The salesperson talks you into a hard-drive upgrade. HP, Dell, and Apple would be happy about this!
More accurately, never completely delete anything. The system would always keep around at least one version of everything. Yes, this would mean that secure delete is impossible, but this sort of system is for the casual home user. If you need secure delete, use a different system. If you are doing esoteric things with lots of large files, use a different system.
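The "never completely delete anything" scheme sketched in the two comments above, as an added toy model (not the commenter's code, and not Time Machine or Previous Versions). Every write appends a version and delete only appends a tombstone; a reclaim pass may drop intermediate versions to free space, preferring the large files so they keep fewer copies, but the most recent real content of each name is never a candidate, which is exactly what keeps "undelete" always possible. The class and method names, the byte budget and the sample files are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    seq: int          # global, monotonically increasing write counter
    content: bytes
    tombstone: bool   # True when this version records a 'delete', not content


class NeverDeleteStore:
    """Toy versioned store: writes append, deletes tombstone, reclaim() frees
    space but the newest content version of every name survives forever."""

    def __init__(self):
        self._seq = 0
        self._history = {}  # name -> [Version, ...], oldest first

    def write(self, name, content):
        self._seq += 1
        self._history.setdefault(name, []).append(Version(self._seq, content, False))

    def delete(self, name):
        hist = self._history[name]              # KeyError if it never existed
        if hist[-1].tombstone:
            raise FileNotFoundError(name)
        self._seq += 1
        hist.append(Version(self._seq, b"", True))  # a tombstone, not a removal

    def read(self, name):
        hist = self._history.get(name)
        if not hist or hist[-1].tombstone:
            raise FileNotFoundError(name)
        return hist[-1].content

    def versions(self, name):
        """Sequence numbers of the content versions still retained for a name."""
        return [v.seq for v in self._history.get(name, []) if not v.tombstone]

    def restore(self, name, seq=None):
        """Bring back the newest retained version (or a specific seq) as a new write."""
        candidates = [v for v in self._history.get(name, [])
                      if not v.tombstone and (seq is None or v.seq == seq)]
        if not candidates:
            raise FileNotFoundError(name)
        self.write(name, candidates[-1].content)

    def used_bytes(self):
        return sum(len(v.content) for hist in self._history.values() for v in hist)

    def reclaim(self, budget):
        """Drop intermediate versions, largest first (oldest among equals), until
        usage is within `budget`. Returns False if the budget cannot be met
        without discarding some name's last content, which this store refuses to do."""
        while self.used_bytes() > budget:
            candidates = []
            for name, hist in self._history.items():
                content_versions = [v for v in hist if not v.tombstone]
                for v in content_versions[:-1]:        # never the newest content
                    candidates.append((len(v.content), v.seq, name))
            if not candidates:
                return False
            _, seq, name = max(candidates, key=lambda c: (c[0], -c[1]))
            self._history[name] = [v for v in self._history[name] if v.seq != seq]
        return True


def demo():
    """Constructed scenario: a small notes file that gets deleted and a large
    disk image with two versions, then a space squeeze and an undelete."""
    s = NeverDeleteStore()
    s.write("notes.txt", b"v1")
    s.write("notes.txt", b"v2 final")
    s.write("movie.iso", b"x" * 1000)
    s.write("movie.iso", b"y" * 1000)
    s.delete("notes.txt")
    result = {"used_before": s.used_bytes()}
    result["reclaim_ok"] = s.reclaim(1500)       # old movie.iso version goes first
    result["reclaim_floor"] = s.reclaim(5)       # only last versions remain: refused
    try:
        s.read("notes.txt")
        result["deleted_read_raises"] = False
    except FileNotFoundError:
        result["deleted_read_raises"] = True
    s.restore("notes.txt")
    result["restored"] = s.read("notes.txt")
    result["movie_versions"] = s.versions("movie.iso")
    result["used_after"] = s.used_bytes()
    return result
```

The trade-off the thread raises falls straight out of the invariant: because reclaim() can only ever shrink a name's history down to its last content version, a secure delete is impossible by construction, and a user with that requirement needs a different store.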
That is very similar to what Windows Vista does with "Previous Versions", except "Previous Versions" automatically gets rid of old versions when disk space gets low.
Chrome is process-per-tab; there's architecturally almost no shared state between two different render contexts. Contrast that with Firefox, where there's an application-layer permeable membrane connecting content-driven code to browser core state.
I understand how process-per-tab protects against cross-domain attacks. In protecting against cross-domain attacks, Chrome's architecture is safer than IE's since IE will often put multiple tabs in the same process. But I don't think the number of tabs per process has an effect on the ability to prevent exploits of the local system.
The feature of Chrome and IE Protected Mode that protects against local exploits is basically the same. There is a "main" process that has access to the local system (files, registry, other processes). And there are some "sandboxed" processes that do not have access to the local system except for a communication channel to the main process. Any time these browsers interpret some input from the internet, they do so only in the sandboxed processes. The only way a sandboxed process can access local resources is by asking the main process to give it the local resource through the communication channel. The main process asks the user to approve the request before accessing the local resource on behalf of the sandboxed process. As long as the main process implements its side of this communication channel correctly, there is no way for malicious web content to break out of the sandbox. That is the case whether there is one tab per process or more than one tab per process.
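The broker/sandbox split the comment above describes, as an added toy model; this is not the commenter's code and not Chrome's or IE's actual IPC. The point it isolates is the comment's caveat, "as long as the main process implements its side of this communication channel correctly": the sandboxed side holds nothing but a channel that carries serialized requests, and the broker must canonicalize the requested path before deciding, reject anything malformed, and consult the user for every path not already approved, otherwise a compromised renderer widens its access simply by phrasing a request cleverly. The Broker and Renderer names, the JSON message format, the read-only policy and the sample files are assumptions made for the illustration.

```python
import json
import os
import tempfile
from pathlib import Path


class Broker:
    """Privileged side of the channel (the 'main' process in the thread).
    Assumed policy: a renderer may read a file only once the user has approved
    that canonical path or a directory containing it."""

    def __init__(self, ask_user):
        self._ask_user = ask_user      # callback(op, canonical_path) -> bool
        self._approved = set()         # canonical paths the user has approved

    def handle(self, raw_request):
        # Step 1: the channel carries bytes from untrusted code; parse defensively.
        try:
            req = json.loads(raw_request)
            op, target = req["op"], req["path"]
            if not isinstance(target, str):
                raise TypeError("path must be a string")
        except (ValueError, KeyError, TypeError):
            return json.dumps({"ok": False, "error": "malformed request"})
        if op != "read_file":
            return json.dumps({"ok": False, "error": "unsupported op"})
        # Step 2: canonicalize BEFORE the decision, so '..' and symlinks are
        # resolved and the path checked is the path that would be opened.
        canon = os.path.realpath(target)
        # Step 3: anything not yet approved goes to the user, with the real path.
        if not self._is_approved(canon):
            if not self._ask_user("read", canon):
                return json.dumps({"ok": False, "error": "denied by user"})
            self._approved.add(canon)
        # Step 4: only now does privileged code touch the local system.
        try:
            data = Path(canon).read_bytes()
        except OSError as e:
            return json.dumps({"ok": False, "error": e.strerror or "io error"})
        return json.dumps({"ok": True, "data": data.decode("utf-8", "replace")})

    def _is_approved(self, canon):
        return any(canon == a or canon.startswith(a.rstrip(os.sep) + os.sep)
                   for a in self._approved)


class Renderer:
    """Unprivileged side: it owns no file handles, only the channel."""

    def __init__(self, channel):
        self._send = channel

    def request(self, op, path):
        return json.loads(self._send(json.dumps({"op": op, "path": path})))


def demo():
    """Constructed scenario: the user has consented only to files under
    ~/Downloads; the renderer tries a legitimate read, a '..' traversal
    aimed at a file outside that directory, and a malformed message."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp, "Downloads")
        downloads.mkdir()
        (downloads / "report.txt").write_text("quarterly numbers")
        Path(tmp, "secret.txt").write_text("ssh private key")
        approved_root = os.path.realpath(downloads)

        def user_prompt(op, canon):            # the 'user' approves only Downloads
            return canon.startswith(approved_root + os.sep)

        broker = Broker(user_prompt)
        renderer = Renderer(broker.handle)
        return {
            "direct": renderer.request("read_file", str(downloads / "report.txt")),
            "traversal": renderer.request("read_file", str(downloads / ".." / "secret.txt")),
            "garbage": json.loads(broker.handle('{"op": "read_file"')),
            "bad_type": renderer.request("read_file", 42),
        }
```

Note what the model does not give you: if the broker itself has a bug in handle() (say, checking the raw string instead of the canonical one), the renderer never needs a second hole, which is why the comment's "implements its side correctly" is the load-bearing clause.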
Vista Protected Mode (IIRC, it only works on Vista, because of XP's session security flaw) is like privsep SSH. Its primary job is to keep malware from persisting.
On Windows, my understanding is that Chrome Sandboxes do the same thing. But what the process-per-tab model is most notable for is defending against cross-domain attacks. Which, if you ask me --- and I'm a Microsoft booster --- is the more important threat model. Browser-resident malware is where we're headed.