Re: HTML5 as JS

Author: Herminio Hernandez, Jr.
Date:  
To: Main PLUG discussion list
Subject: Re: HTML5 as JS
Mozilla confirms this bug is exploitable. I am making sure JavaScript is
off by default and only enabled in pages where I want it to.

https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/

On Fri, Jan 5, 2018 at 1:36 AM, der.hans <> wrote:

> On 05 Jan 2018, Herminio Hernandez, Jr. chatted thus:
>
> moin moin,
>
> Yeah, JavaScript's annoying. I've been using NoScript to block it outright
> for years. I only allow certain sites to have JavaScript. Some of those
> sites only get JavaScript when I'm trying to check out. Some get their own
> browser instance before I allow them to have JavaScript.
>
> Recently JavaScript has been used to do bitcoin mining via web browsers
> and it's had several security issues over the years.
>
> It can't escape the sandbox if it never runs :).
>
> ciao,
>
> der.hans
>
>
>> Damn Stallman was right again
>>
>> https://www.gnu.org/philosophy/po/javascript-trap.ja-en.html
>>
>> On Thu, Jan 4, 2018 at 10:52 PM, Andrew McRobb <> wrote:
>>
>>> JavaScript being the Raccoon? heh
>>>
>>> Andrew McRobb
>>> Full-time Software Developer
>>> Part-time Freelancer
>>> mcrobb.info
>>>
>>> On Thu, Jan 4, 2018 at 8:46 PM, Ed <> wrote:
>>>
>>>> More like raccoons to oranges...
>>>> 8)
>>>>
>>>> On Thu, Jan 4, 2018 at 4:59 PM, der.hans <> wrote:
>>>>
>>>>> On 04 Jan 2018, Andrew McRobb chatted thus:
>>>>>
>>>>> moin moin Andrew,
>>>>>
>>>>> cool, sounds like having umatrix or NoScript blocking javascript is still
>>>>> sufficient.
>>>>>
>>>>> Need to make sure <script> is blocked as well as the external JS.
>>>>>
>>>>> https://www.w3schools.com/html/html_scripts.asp
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>>
>>>>>> No, HTML5 is a markup at the end of the day. Comparing JS and HTML is like
>>>>>> comparing apples to oranges. All HTML5 does is include new tags to use when
>>>>>> building a web app for you or search engines to use:
>>>>>> https://www.w3schools.com/html/html5_intro.asp. It doesn't at all handle
>>>>>> any logic like JS would, if that's what you are asking.
>>>>>>
>>>>>> Same can almost go for CSS. It's a description language, it doesn't handle
>>>>>> any logic (except for select queries). However, CSS is starting to
>>>>>> implement variables, but you can only use those for *attributes*. Not write
>>>>>> a fully functional app with CSS alone.
>>>>>>
>>>>>> Andrew McRobb
>>>>>> Full-time Software Developer
>>>>>> Part-time Freelancer
>>>>>> mcrobb.info
>>>>>>
>>>>>> On Thu, Jan 4, 2018 at 10:21 AM, der.hans <> wrote:
>>>>>>
>>>>>>> moin moin,
>>>>>>>
>>>>>>> I haven't paid much attention to HTML and CSS standards for many years.
>>>>>>>
>>>>>>> As I understand it, HTML5 is script-like to lessen use of javascript.
>>>>>>>
>>>>>>> Does that mean plain HTML ( no javascript ) is sufficient to exploit
>>>>>>> browsers in light of #meltdown and #spectre ?
>>>>>>>
>>>>>>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>>>>>>>
>>>>>>> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca
>>>>>>>
>>>>>>> What about CSS?
>>>>>>>
>>>>>>> ciao,
>>>>>>>
>>>>>>> der.hans
>>>>>>> --
>>>>>>> # https://www.LuftHans.com https://www.PhxLinux.org
>>>>>>> # As we enjoy great Advantages from the
>>>>>>> # Inventions of others we should be glad of an
>>>>>>> # Opportunity to serve others by any Invention of ours,
>>>>>>> # and this we should do freely and generously.
>>>>>>> # -- Benjamin Franklin (1706-1790), on his refusal to patent his
>>>>>>> inventions.
>>>>>>> ---------------------------------------------------
>>>>>>> PLUG-discuss mailing list -
>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> # https://www.LuftHans.com https://www.PhxLinux.org
>>>>> # Nobody grows old merely by living a number of years.
>>>>> # We grow old by deserting our ideals.
>>>>> # Years may wrinkle the skin, but to give up enthusiasm
>>>>> # wrinkles the soul. -- Samuel Ullman
> --
> # https://www.LuftHans.com https://www.PhxLinux.org
> # It's up to the reader to make the book interesting.
> # An author has only the opportunity to make it uninteresting. - der.hans