While I'm a Firefox user, that's actually evidence to xtalh's point: that bug by itself is useless, because Chrome's sandbox meant that taking over the rendering process is not enough. They only managed to escape on Windows 7, thanks to another bug (in Windows itself - CVE-2019-0808).
Note that Firefox has a sandbox too (in fact, it shares a good bit of code with that of Chrome), and therefore a sandbox escape is necessary to elevate privileges.
(NB: I have no knowledge of the details of this specific bug.)
Leaving aside whether it makes sense to call something "useless" that was actually used in the wild, the original article specifically mentions (twice) that the Firefox RCE 0-day was also sandboxed and also only managed to escape thanks to another 0-day.
You almost make it sound like Chrome weren't written in C++, or that the typical Chrome install weren't hosted on a few 10s of millions of lines of C/C++
That's not what "attack surface" means. Firefox would have a smaller attack surface if it supported fewer file formats or protocols or such than Chrome.
> Why were Coinbase employees allowed to use Mozilla Firefox?
Nowhere in article it is said that any Coinbase employee was using Firefox. It only says that attack targeted Firefox, not that Coinbase employees use Firefox.
A better question would be: why were Coinbase employees allowed to use any browser with javascript enabled and outside of a VM? Qubes OS has been a thing for quite a while.
I've worked at a large traditional bank (market cap and enterprise value are both around 100b), they also allowed firefox as well as js, at least for developers (I don't know what it looked like for non developers).
It's this sort of attitude that makes sysadmins so incredibly popular among the masses.
Hint: if your environment feels like a concentration camp, users will find ways to work outside of it most of the time - which will be even more disastrous.
That's a fair point when literally hundreds of millions of dollars aren't on the line. It's not hard to properly secure your system from all manner of internet threats. There's no excuse for crypto exchanges not to implement such measures.
If hundreds of millions of dollars are one JS exploit away, the defense model is flawed. That sort of movement should require approvals from multiple people and even dedicated terminals that are not used for everyday browsing.
Security is a tradeoff; nuking browsers for everyone is just a bad tradeoff in 2019.
There are a million hypothetical security issues you could worry about. How would you weigh the risks of Javascript against the loss of basically all online productivity apps?
In the thread about this attack yesterday someone linked a paper about another attack against cryptocurrency researchers which did use a VM escape exploit [1], so if a cryptocurrency researcher is worth such an exploit, I'd say a company handling the kind of money Coinbase does is probably worthy as well.
