Decoupling the browser from the OS is one of the best things that could happen for Android security going forward. While it won't help people who can't get upgrades to ICS, at least it will solve the future problems of people who get stuck on 4.x while their OS browser slowly becomes more and more exploitable. I have one phone that is still on 2.2 - it is trivially easy to own the phone with a little bit of JavaScript on any web page.
Probably automatic, like all their other apps on Android. But you should be able to easily turn that off just like with all the other apps in the Market.
I think only the market is automatically updated, everything else is opt-in like 3rd party apps, but you can now set your default to be auto-update, unless permissions change.
Opera Mobile is awesome. It feels so much faster than the stock browser. I recommend it to anyone stuck on 2.2/2.3 for the foreseeable future (like me).
The real problem here is Android's inability to update what are considered 'OS components' independently of updating the OS. Ideally, the built-in browser (which should really just be Chrome) can be updated just like other apps can. Having a built-in browser and also Chrome for Android seems like it would confuse users, and not have the desired security impact you describe because it needs users to search for, install the browser and use it instead of the built-in version.
Google can update apps independently of the OS. YouTube, Gmail, Maps, Market - all are updated independently of the OS ever since Froyo.
They will eventually replace the stock browser with Chrome, but they're waiting until it's not beta anymore, and until ICS has bigger marketshare, or maybe they'll just make it the default browser starting with Android 5.0.
Nothing is stopping you from using another browser right now.
There are not that many browsers to choose from, but you could for instance download Opera Mobile - the next time you open a link you will be asked which browser you want to use. You should also be able to replace the browser on your home screen, although how easy it is might depend on what kind of launcher you have.
Exploit needs to be able to determine the exact path + filename of any file to be stolen.
The securityfocus.com entry referenced above includes a demo script implementing the exploit if you want to see the details.
Just wrap the XHR requests to the local URIs in a try/catch and go fishing for filenames of interest within standard directories.
As mentioned in Cannon's original article, photos would be an easy target given the common location plus filename format for the jpg files (e.g., /sdcard/DCIM/Camera/IMG_yyyymmdd_hhmmss.jpg). Another interesting directory to poke around in would be /sdcard/Android/data/com.dropbox.android/files/scratch/.
I tweaked the demo script a bit and was able to steal my own Dropbox files and photos on my junky little LG Optimus V on Android 2.2.1. Good times.
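The attack described in the comments above works because the stock browser let scripts in a file:// page read other local files through XHR. For app developers embedding a WebView (the same engine) the settings below are the relevant mitigation. This is an added illustration, not code from the thread or from any project mentioned here; the helper class name is made up, and the two "fromFileURLs" settings only exist from Jelly Bean (API 16) onward, so, as the thread points out, they do nothing for users stuck on 2.x.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper: locks an embedded WebView out of local files. */
public final class WebViewHardening {
    private WebViewHardening() {}

    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();

        // Refuse to load file:// URLs at all unless the app truly needs them.
        s.setAllowFileAccess(false);
        // Same for content:// provider URIs (API 11+).
        s.setAllowContentAccess(false);

        // Even if a file:// page does get loaded, deny its scripts access to
        // other local files and to arbitrary origins. API 16+ only.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }

        // JavaScript is off by default; leave it off unless the content needs it.
        s.setJavaScriptEnabled(false);

        // Belt and braces: block navigations to local schemes regardless of
        // what a page (or a redirect) asks for.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                String lower = url.toLowerCase();
                return lower.startsWith("file:") || lower.startsWith("content:");
            }
        });
    }
}
```

Call WebViewHardening.harden(view) before the first loadUrl(); the settings take effect only for loads that happen afterwards.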
Decoupling the browser from the OS is one of the best things that could happen for Android security going forward.
Decoupling everything but the most rudimentary services is the best way forward for both security and user satisfaction. Despite the laser focus on the underlying operating system version by so many, tens of millions of Android users, across makes, models, and carriers, are seeing endless updates of mapping and navigation, the search functionality, the mail applications, the Android market, and so on. Decoupling the browser adds it into the bin of "no longer need to care about the underlying OS much", and goes a long way to make the fragmentation issue a non-issue.
If the core services are going to be different then the fragmentation is still a problem for app developers. Maybe not so much for the end users, but I guess the end users don't care as much.
Not everyone will update frequently or would want things to get updated for them without them knowing it. Certainly not the non-techy users. This makes accounting for all the different versions of browsers, OS, resolution and other functionality a pain.