Older browsers have their vulnerabilities published along with descriptions of the fixes. Some of those include execution of code vulnerabilities ... so a hacker knows where to focus their efforts to potentially exploit anyone who is running an older/unpatched browser. Outbound internet traffic is rarely monitored, as are the returns from those outbound requests, so if a breach can install into memory even a small module that simply loops send-requests to the hacker's IP and executes whatever command is returned, the hacker in effect has bypassed the firewall. Something like exit-root is just one of the things that might be tried, along with a barrage of others such as scanning around the LAN to see what other devices/systems might be available to have persistent code installed. Imagine a browser flaw that enabled installation into memory of a wget file from a hacker site, executing that file in the background ... a looping type script sending the standard and error outputs out as further http requests ...

BarryK wrote:
If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.
I strive to change my user-agent, as revealing your browser version and operating system is a great aid in assisting towards targeted exploits. Faking your user-agent can vastly reduce the chances of an initial penetration (wrong exploits/code that won't work thrown at you). Only running root at the console (not under X) is yet another risk reduction choice. The entire 'nix file structure and permissions are geared to security utmost in mind. As are other barriers such as W^X (write exclusive or execute, i.e. memory space restricted to being write only or execute only, not both), randomisation (so the structure of memory space changes rather than following a consistent pattern), Pledge (applications assigned sets of things that they are permitted to do, but prevented from accessing commands/files outside of that) ...etc.
Security isn't just your data/PC, but anyone and anything else sharing the same LAN.
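The post's point that outbound traffic and its replies are rarely monitored is the gap a defender can close: a module that loops requests to one address stands out by its timing even when each request looks like ordinary browsing. The script below is an added example, not code from the post or from anyone in this thread. It assumes a constructed, simplified proxy log format (ISO timestamp, source IP, destination IP, method, path, user-agent); the log lines and IP addresses are made up for the example. It groups requests by source/destination pair and flags pairs whose inter-request gaps are nearly constant, which is how a fixed-interval check-in looks against normal, irregular browsing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system). Assumed format:
# <ISO timestamp> <src ip> <dst ip> <method> <path> <user-agent...>
# The first six lines mimic a 30-second check-in loop to one host; the rest
# mimic a person reading a website at irregular intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7 GET /update?id=1 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:00:30 10.0.0.5 203.0.113.7 GET /update?id=2 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:01:00 10.0.0.5 203.0.113.7 GET /update?id=3 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:01:31 10.0.0.5 203.0.113.7 GET /update?id=4 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:02:00 10.0.0.5 203.0.113.7 GET /update?id=5 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:02:30 10.0.0.5 203.0.113.7 GET /update?id=6 Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:00:12 10.0.0.5 198.51.100.20 GET / Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:03:47 10.0.0.5 198.51.100.20 GET /news Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:09:05 10.0.0.5 198.51.100.20 GET /about Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:21:40 10.0.0.5 198.51.100.20 GET /contact Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:30:02 10.0.0.5 198.51.100.20 GET /blog Mozilla/5.0 (X11; Linux x86_64)
2024-03-01T10:33:15 10.0.0.5 198.51.100.20 GET /rss Mozilla/5.0 (X11; Linux x86_64)
"""

# Five whitespace-delimited fields, then the user-agent (which contains spaces).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, path, ua = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "method": method, "path": path, "ua": ua,
        })
    return events


def find_beacons(events, min_requests=5, max_jitter=0.15):
    """Flag (src, dst) pairs whose request timing is suspiciously regular.

    Regularity is measured as the coefficient of variation of the gaps between
    consecutive requests (population std dev / mean). A fixed-interval loop gives
    a value near 0; human browsing gives a value well above max_jitter.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:  # too few samples to judge timing
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all requests in the same second; not a periodic loop
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "count": len(stamps),
                "period_s": round(mean, 1), "jitter": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} requests, "
              f"period ~{f['period_s']}s, jitter {f['jitter']}")
```

On the constructed log this reports only the 203.0.113.7 pair (six requests, period about 30 s, jitter near 0.02); the irregular browsing to 198.51.100.20 stays well above the jitter threshold. On real proxy or firewall logs the same grouping works, but the thresholds need tuning, and legitimate periodic traffic (update checkers, mail polling, monitoring agents) has to be allow-listed after review rather than ignored.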