@Shamar

This report confuses me.

1. Unless I totally missed it, the Medium article never outlined an actual attack, and its main gripe was the bad idea that JS and WASM are rather than a particular aspect of those standards.

2. The bug report warns of a "Undetectable Remote Arbitrary Code Execution Attack", but thenthe discussion only talks about the attacker reading user info.

Can someone explain what's going on?

@Shamar

Thanks for the explanation; the port scanning example reminds me of the Meltdown attack.

So when you talk about arbitrary remote code execution, you're just referring to JS, not arbitrary C code that modifies files or something.

I think my main confusion is that the root issue/complaint seems unfixable without permanently removing JS from the web, which Mozilla can hardly be expected to do. The PoC bug can be fixed, but other bugs will always keep popping up.

@Shamar
Do WebKit based browsers (e.g. Epiphany/Gnome Web) have this same issue?

@Shamar It looks like Tor Browser Bundle mitigated this by disabling WebAssembly?

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!