Meltdown is in the wild. Meltdown allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the layout or contents of protected kernel memory areas.
Anybody have a code example? The Spectre pdf also mentions JS vulnerability, anybody have a code example of that too? Perhaps it would be a good idea to create a github repo compiling a list of exploitative code found in the wild.
Link to the in-the-wild exploitation or get the fuck out. Most over-hyped bug of 2018 /smh. EternalBlue was 1000x worse than this but had a more boring name.
> to discern to some extent the layout or contents of protected kernel memory areas.
For the end user, what possible negative consequences are there from this? It seems pretty far fetched that there could be any serious security implications from JavaScript on a desktop/mobile computer.
Using Spectre you can read memory from the process in which JavaScript is executed; for Firefox this is probably the whole browser memory; Chrome runs sites in different processes (but not always, e.g. iframes).
There's no mechanism for JavaScript to use this exploit; it doesn't have access to the hardware. The only way I could see JavaScript being involved is if it's used to construct a malicious download.
You started this thread to warn about the risks of running untrusted JavaScript before the appropriate mitigations are in place, yet you expect people to open a PDF from misc0110.net with no additional context?
It's actually the page of one of the researchers (Michael Schwarz) who found the JavaScript keystroke timing attack (which is in the paper in the link).
He is also one of the authors of the Meltdown/Spectre CPU attack papers, so the document is actually worth reading.
The link goes to a site with a spammy-looking domain, and there's no reason to assume a URL with .pdf at the end is actually a PDF. There's nothing stopping the server from serving a malicious JavaScript file instead.
Assuming it's safe based on available information is very bad. Even your comment isn't enough because you could be working with someone to drive people to a malicious link.
I think it seems pretty reasonable to disable the ability for new accounts to post links until they are no longer new. This could totally avoid scenarios like this one, regardless of whether or not this PDF is actually harmless.