<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Users are recommended to update to Firefox 57<br><br></div></blockquote><div><br></div><div>Looks like I'm good here. I'm honestly surprised you can pull this off in JavaScript. Must be a true JS wizard if you can pull this off. Looks like I'm setting my Updates Manager to check every 30 days now, until all this stuff has been resolved, since some apps don't look like they can get a patch until near the end of the month.<br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div><font size="4"><span style="color:rgb(255,153,0)">Andrew McRobb</span><br></font></div><font size="4"><font size="2">Full-time Software Developer</font><br></font></div><font size="4"><font size="2">Part-time Freelancer</font><br></font></div><div dir="ltr"><font size="4"><a href="http://mcrobb.info" target="_blank"><font size="2">mcrobb.info</font></a><br></font></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Jan 5, 2018 at 1:45 AM, Herminio Hernandez, Jr. <span dir="ltr"><<a href="mailto:herminio.hernandezjr@gmail.com" target="_blank">herminio.hernandezjr@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Mozilla confirms this bug is exploitable. I am making sure JavaScript is off by default and only enabled in pages where I want it to.<div><br></div><div><a href="https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/" target="_blank">https://www.bleepingcomputer.<wbr>com/news/security/mozilla-<wbr>confirms-web-based-execution-<wbr>vector-for-meltdown-and-<wbr>spectre-attacks/</a><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 5, 2018 at 1:36 AM, der.hans <span dir="ltr"><<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05 Jan, 2018 Herminio Hernandez, Jr. chatted thus:<br>
<br>
moin moin,<br>
<br>
Yeah, JavaScript's annoying. I've been using NoScript to block it outright<br>
for years. I only allow certain sites to have JavaScript. Some of those<br>
sites only get JavaScript when I'm trying to checkout. Some get their own<br>
browser instance before I allow them to have JavaScript.<br>
<br>
Recently JavaScript has been used to do bitcoin mining via web browsers<br>
and it's had several security issues over the years.<br>
<br>
It can't escape the sandbox if it never runs :).<br>
<br>
ciao,<br>
<br>
der.hans<div><div class="m_-3441402409478296080h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Damn Stallman was right again<br>
<br>
<a href="https://www.gnu.org/philosophy/po/javascript-trap.ja-en.html" rel="noreferrer" target="_blank">https://www.gnu.org/philosophy<wbr>/po/javascript-trap.ja-en.html</a><br>
<br>
On Thu, Jan 4, 2018 at 10:52 PM, Andrew McRobb <<a href="mailto:andrewmcrobb@gmail.com" target="_blank">andrewmcrobb@gmail.com</a>><br>
wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
JavaScript being the Raccoon? heh<br>
<br>
Andrew McRobb<br>
Full-time Software Developer<br>
Part-time Freelancer<br>
<a href="http://mcrobb.info" rel="noreferrer" target="_blank">mcrobb.info</a><br>
<br>
On Thu, Jan 4, 2018 at 8:46 PM, Ed <<a href="mailto:plug@0x1b.com" target="_blank">plug@0x1b.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
More like raccoons to oranges...<br>
8)<br>
<br>
On Thu, Jan 4, 2018 at 4:59 PM, der.hans <<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 04 Jan, 2018 Andrew McRobb chatted thus:<br>
<br>
moin moin Andrew,<br>
<br>
cool, sounds like having umatrix or NoScript blocking javascript is<br>
</blockquote>
still<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
sufficient.<br>
<br>
Need to make sure &lt;script&gt; is blocked as well as the external JS.<br>
<br>
<a href="https://www.w3schools.com/html/html_scripts.asp" rel="noreferrer" target="_blank">https://www.w3schools.com/html<wbr>/html_scripts.asp</a><br>
<br>
ciao,<br>
<br>
der.hans<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
No, HTML5 is a markup at the end of the day. Comparing JS and HTML, is<br>
like<br>
comparing apples to oranges. All HTML5 does is include new tags to use<br>
when<br>
building a web app for you or search engines to use:<br>
<a href="https://www.w3schools.com/html/html5_intro.asp" rel="noreferrer" target="_blank">https://www.w3schools.com/html<wbr>/html5_intro.asp</a>. It doesn't at all<br>
</blockquote></blockquote>
handle<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
any logic like JS would, if that's what you are asking.<br>
<br>
Same can almost go for CSS. It's a description language, it doesn't<br>
</blockquote></blockquote>
handle<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
any logic (except for select queries). However, CSS is starting to<br>
implement variables, but you can only use those for *attributes*. Not<br>
write<br>
<br>
a fully functional app with CSS alone.<br>
<br>
Andrew McRobb<br>
Full-time Software Developer<br>
Part-time Freelancer<br>
<a href="http://mcrobb.info" rel="noreferrer" target="_blank">mcrobb.info</a><br>
<br>
On Thu, Jan 4, 2018 at 10:21 AM, der.hans <<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
moin moin,<br>
<br>
I haven't paid much attention to HTML and CSS standards for many<br>
</blockquote></blockquote></blockquote>
years.<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
As I understand it, HTML5 is script-like to lessen use of javascript.<br>
<br>
Does that mean plain HTML ( no javascript ) is sufficient to exploit<br>
browsers in light of #meltdown and #spectre ?<br>
<br>
<a href="https://blog.mozilla.org/security/2018/01/03/mitigations-" rel="noreferrer" target="_blank">https://blog.mozilla.org/secur<wbr>ity/2018/01/03/mitigations-</a><br>
landing-new-class-timing-attac<wbr>k/<br>
<br>
<a href="https://sites.google.com/a/chromium.org/dev/Home/chromium-" rel="noreferrer" target="_blank">https://sites.google.com/a/chr<wbr>omium.org/dev/Home/chromium-</a><br>
</blockquote></blockquote></blockquote>
security/ssca<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
What about CSS?<br>
<br>
ciao,<br>
<br>
der.hans<br>
--<br>
#  <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a>   <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br>
#  As we enjoy great Advantages from the<br>
#  Inventions of others we should be glad of an<br>
#  Opportunity to serve others by any Invention of ours,<br>
#  and this we should do freely and generously.<br>
#  -- Benjamin Franklin (1706-1790), on his refusal to patent his<br>
inventions.<br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a><br>
</blockquote>
<br>
<br>
</blockquote>
<br>
--<br>
#  <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a>   <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br>
#  Nobody grows old merely by living a number of years.<br>
#  We grow old by deserting our ideals.<br>
#  Years may wrinkle the skin, but to give up enthusiasm<br>
#  wrinkles the soul.  -- Samuel Ullman<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
-- <br>
#  <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a>   <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br></div></div>
#  It's up to the reader to make the book interesting.<br>
#  An author has only the opportunity to make it uninteresting. - der.hans<br>
</blockquote></div><br></div>
</div></div><br>
</blockquote></div><br></div>