[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Intel Microcode updates

  Just because you disable Javascript in your browser I would not trust that you will be save from arbitrary code execution. I am using Thunderbird as an email client and it has the same intrusion problem as the browsers running Javascript. The arbitrary binary code execution problem does to my believe more relate to common vulnerabilities like buffer overflows in the whole code than just to the Javascript subsystem which is of course an additional security risk. As long as the code base is changing rapidly and as long as new arbitrary code execution problems are discovered from time to time you are not save. The speed new bugs are moved in is simply higher than the speed by with some of the old bugs are corrected for browsers like Chromium or Firefox (I would not trust software from Google anyway as it is part of the empire of 'evil'.). Intelligence services usually use zero days exploits for which there is no known mitigation. If you wanna be save on a computer do not use an email client or web browser; at least not if it can connect to sites spoofed by secret services. To avoid connecting to a 1:1 mirror site of an intelligence service we would need an improvement of https certificate management like f.i. DANE provides. There are many rogue certificates issued for intelligence services out there and restricting your browser to use https does not help.


Am 11.06.19 um 21:09 schrieb Andrew McGlashan:
Hash: SHA256


On 12/6/19 3:16 am, Holger Levsen wrote:
On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan
Exploiting the flaws needs malicious code to be running on your
box. If you are in total control over all VMs and processes
on the box, then you should be good.
do you use a webbrowser with javascript enabled?
Good point, yes that is another risk.
Actually though, if you update your browser to lessen the granularity
of time that the exploits require, it might not be an issue. So,
don't run an out of date browser.... is that enough?



Reply to: