FydeOS Vulnerabilities

I’m reasonably new to FydeOS but having taken the plunge and bought an annual subscription for the Surface Pro 6, I am pretty worried about how out of date the browser is and just how many security vulnerabilities there are now.

Gemini reports 70+ high risk vulnerabilities between the latest Chromium browser version and the version FydeOS is using. What’s really very worrisome is that because FydeOS is a Chromebook replacement, the whole operating system IS the browser. Which makes the whole operating system vulnerable as well.

Is there something I am missing to fill that gap, or is FydeOS really just that vulnerable?

If the gap really exists and the browser is not going to be maintained properly or securely, then I’m going to have to request a refund and go back to Linux. In a world of AI automated hacking, it’s just not acceptable to have a browser and OS that is this out of date.

Actually, you could ask Gemini. There is a huge difference between Chromium OS and traditional Linux; it’s very restrictive, and users can’t do much at the system level. Therefore, it’s also very difficult to hack. The reason why running an outdated Chrome on other systems is unsafe has more to do with the inherent freedom of those systems themselves. Chromium OS is complained about by Linux users for being unable to do anything, which is precisely what creates its locked-down security. FydeOS should be following the Chrome OS LTS updates. The latest LTS version is currently 144, so it’s not considered so outdated.

Thanks for raising this. Your concern is completely understandable, especially if you are comparing the Chromium version number directly with desktop browsers.

Chromium running on Chromium OS-based systems (ChromeOS / ChromiumOS / FydeOS) works quite differently from Chrome running on Windows, macOS, or Linux. On those platforms the browser is just another application on top of the operating system, while on Chromium OS the browser and the system are tightly integrated and protected by several platform-level security mechanisms such as verified boot, read-only system partitions, and strict sandboxing.

When Developer Mode is disabled, FydeOS is effectively locked down in the same way as ChromeOS. System files cannot be modified and the attack surface is significantly smaller than on a traditional desktop operating system.

The Chromium milestone number also does not tell the whole story. Even when a milestone stays on LTS for a longer period, we still ship maintenance updates that address relevant security issues in Chromium and its platform dependencies. We also have a dedicated security team that continuously tracks vulnerabilities and evaluates whether they are applicable to the FydeOS platform.

Because of the architectural differences, many CVEs reported for desktop Chromium builds are either not applicable to Chromium OS environments or are already mitigated at the platform level.

So while automated tools or AI summaries may report a large gap in version numbers, that does not directly translate into the system being vulnerable. Security maintenance is something we take very seriously. If there are specific CVEs you are worried about, feel free to share them and we can take a closer look.

If you would like a refund, please provide your payment receipt. Once we receive it, we will immediately cancel the subscription and issue a refund.

Thanks to the support team. I really appreciate the explanation of the differences between Chrome as a browser on other OSes and Chrome as ChromeOS. And obviously using AI is an amazing tool, but we should always quantify its answers, which is exactly what I was looking to do in this post.

Looking at ChromeOS, the versions do seem to align with the Chrome browser versions, which means CVEs addressed in one are addressed in the other. The issue I have is that based on the cyber security standards and policies which we need to adhere to, Chromium 144 is considered out of date by 2 major release versions, which means that it automatically fails the threshold test for Cyber Essentials (a simple standard adopted by most UK businesses). This can be mitigated in an audit using the “no fix from vendor” position. But for most businesses, browsers which are seen as out of date are a massive red flag.

Although I use Linux on multiple other devices (and also have macOS devices too), I wanted to move away on my Surface Pro and make use of the lighter OS for travel rather than use it as a daily driver. For that, FydeOS seems almost perfect for me, which is why I am reluctant to move away from it.

For me personally, I am introducing a new OS into the work environment. And although I have enough confidence and understanding for my own personal requirement thresholds, I’m not sure that translates into the business environment.

With that in mind, I’ll spend some more time reviewing how valuable the Surface Pro 6 with FydeOS is to me for purely non-business activities. If I find I am not using the device anymore, then I’ll reluctantly request a refund and move to another OS. Which I honestly do not want to do.