Users are recommended to update to Firefox 57


Looks like I'm good here. I'm honestly surprised you can pull this off in JavaScript. Must be a true JS wizard if you can pull this off. Looks like I'm setting my Updates Manager to check every 30 days now, until all this stuff has been resolved, since some apps don't look like they can get a patch until near the end of the month.

Andrew McRobb
Full-time Software Developer
Part-time Freelancer

On Fri, Jan 5, 2018 at 1:45 AM, Herminio Hernandez, Jr. <herminio.hernandezjr@gmail.com> wrote:
Mozilla confirms this bug is exploitable. I am making sure JavaScript is off by default and only enabled in pages where I want it to.

https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/

On Fri, Jan 5, 2018 at 1:36 AM, der.hans <PLUGd@lufthans.com> wrote:
On Jan 5, 2018, Herminio Hernandez, Jr. chattered thus:

moin moin,

Yeah, JavaScript's annoying. I've been using NoScript to block it outright
for years. I only allow certain sites to have JavaScript. Some of those
sites only get JavaScript when I'm trying to check out. Some get their own
browser instance before I allow them to have JavaScript.

Recently JavaScript has been used to do bitcoin mining via web browsers
and it's had several security issues over the years.

It can't escape the sandbox if it never runs :).

ciao,

der.hans


Damn Stallman was right again

https://www.gnu.org/philosophy/po/javascript-trap.ja-en.html

On Thu, Jan 4, 2018 at 10:52 PM, Andrew McRobb <andrewmcrobb@gmail.com> wrote:

JavaScript being the Raccoon? heh

Andrew McRobb
Full-time Software Developer
Part-time Freelancer
mcrobb.info

On Thu, Jan 4, 2018 at 8:46 PM, Ed <plug@0x1b.com> wrote:

More like raccoons to oranges...
8)

On Thu, Jan 4, 2018 at 4:59 PM, der.hans <PLUGd@lufthans.com> wrote:
On Jan 4, 2018, Andrew McRobb chattered thus:

moin moin Andrew,

cool, sounds like having umatrix or NoScript blocking javascript is still
sufficient.

Need to make sure <script> is blocked as well as the external JS.

https://www.w3schools.com/html/html_scripts.asp

ciao,

der.hans

No, HTML5 is a markup at the end of the day. Comparing JS and HTML is like
comparing apples to oranges. All HTML5 does is include new tags to use when
building a web app for you or search engines to use:
https://www.w3schools.com/html/html5_intro.asp. It doesn't at all handle
any logic like JS would, if that's what you are asking.

Same can almost go for CSS. It's a description language, it doesn't handle
any logic (except for select queries). However, CSS is starting to
implement variables, but you can only use those for *attributes*. Not write
a fully functional app with CSS alone.

Andrew McRobb
Full-time Software Developer
Part-time Freelancer
mcrobb.info

On Thu, Jan 4, 2018 at 10:21 AM, der.hans <PLUGd@lufthans.com> wrote:

moin moin,

I haven't paid much attention to HTML and CSS standards for many years.

As I understand it, HTML5 is script-like to lessen use of javascript.

Does that mean plain HTML ( no javascript ) is sufficient to exploit
browsers in light of #meltdown and #spectre ?

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca

What about CSS?

ciao,

der.hans
--
https://www.LuftHans.com   https://www.PhxLinux.org
#  As we enjoy great Advantages from the
#  Inventions of others we should be glad of an
#  Opportunity to serve others by any Invention of ours,
#  and this we should do freely and generously.
#  -- Benjamin Franklin (1706-1790), on his refusal to patent his
inventions.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss



--
https://www.LuftHans.com   https://www.PhxLinux.org
#  Nobody grows old merely by living a number of years.
#  We grow old by deserting our ideals.
#  Years may wrinkle the skin, but to give up enthusiasm
#  wrinkles the soul.  -- Samuel Ullman






--
https://www.LuftHans.com   https://www.PhxLinux.org
#  It's up to the reader to make the book interesting.
#  An author has only the opportunity to make it uninteresting. - der.hans

