Re: Intel Microcode updates

To: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>, debian-security@lists.debian.org
Subject: Re: Intel Microcode updates
From: Elmar Stellnberger <estellnb@gmail.com>
Date: Tue, 18 Jun 2019 11:09:51 +0200
Message-id: <[🔎] 75078b0e-a3ce-6ac0-ee73-b00a012b3831@gmail.com>
In-reply-to: <[🔎] 990ae84a-a151-b624-6f7d-08eab5366bfb@affinityvision.com.au>
References: <[🔎] 3261648.SxaLSeNWXX@xev> <[🔎] 20190611021914.eiq2ins57wlj3x6l@khazad-dum.debian.net> <[🔎] 08981663-1152-cbbd-7ca9-c3a5c4db846c@affinityvision.com.au> <[🔎] 20190611171632.wjp4a43bvi6xol6e@layer-acht.org> <[🔎] 105b058c-95d6-6792-6b05-5f7ee8e64d3a@affinityvision.com.au> <[🔎] 990ae84a-a151-b624-6f7d-08eab5366bfb@affinityvision.com.au>

Just because you disable Javascript in your browser I would not trustthat you will be save from arbitrary code execution. I am usingThunderbird as an email client and it has the same intrusion problem asthe browsers running Javascript. The arbitrary binary code executionproblem does to my believe more relate to common vulnerabilities likebuffer overflows in the whole code than just to the Javascript subsystemwhich is of course an additional security risk. As long as the code baseis changing rapidly and as long as new arbitrary code execution problemsare discovered from time to time you are not save. The speed new bugsare moved in is simply higher than the speed by with some of the oldbugs are corrected for browsers like Chromium or Firefox (I would nottrust software from Google anyway as it is part of the empire of'evil'.). Intelligence services usually use zero days exploits for whichthere is no known mitigation. If you wanna be save on a computer do notuse an email client or web browser; at least not if it can connect tosites spoofed by secret services. To avoid connecting to a 1:1 mirrorsite of an intelligence service we would need an improvement of httpscertificate management like f.i. DANE provides. There are many roguecertificates issued for intelligence services out there and restrictingyour browser to use https does not help.


Regards,
Elmar



Am 11.06.19 um 21:09 schrieb Andrew McGlashan:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 12/6/19 3:16 am, Holger Levsen wrote:

On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan
wrote:

Exploiting the flaws needs malicious code to be running on your
  box.  If you are in total control over all VMs and processes
on the box, then you should be good.

do you use a webbrowser with javascript enabled?

Good point, yes that is another risk.

Actually though, if you update your browser to lessen the granularity
of time that the exploits require, it might not be an issue.  So,
don't run an out of date browser....  is that enough?

Cheers
A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXP/8eAAKCRCoFmvLt+/i
+2AsAP4knXw4eLsVrlYm/CwuWJrhGC8FRVj4Uc09H0mR2ZDlhwD/RI/FDdLYiO9t
nNNga1FHGhCMj7v/rzJcZ/8iGrNrmqI=
=/5dj
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Intel Microcode updates
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

References:
- Intel Microcode updates
  - From: Russell Coker <russell@coker.com.au>
- Re: Intel Microcode updates
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Intel Microcode updates
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Intel Microcode updates
  - From: Holger Levsen <holger@layer-acht.org>
- Re: Intel Microcode updates
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Intel Microcode updates
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Re: bullseye-security instead of bullseye/updates
Next by Date: Re: Intel Microcode updates
Previous by thread: Re: Intel Microcode updates
Next by thread: Re: Intel Microcode updates
Index(es):
- Date
- Thread