
PSA: Disable JavaScript. Meltdown/Spectre exploits are live - chapill
Meltdown is in the wild. Meltdown allows normal user programs -- from database applications to *JavaScript in web browsers* -- to discern to some extent the layout or contents of protected kernel memory areas.
======
shiado
Anybody have a code example? The Spectre PDF also mentions a JS vulnerability;
does anybody have a code example of that too? Perhaps it would be a good idea to
create a GitHub repo compiling a list of exploitative code found in the wild.

------
tamriel
Can you elaborate where in the wild you found it?

------
moron4hire
Disable JavaScript? I might as well just stop using my computer.

------
cypherg
Link to the in-the-wild exploitation or get the fuck out. Most over-hyped bug
of 2018 /smh. EternalBlue was 1000x worse than this but had a more boring name.

~~~
ttsda
EternalBlue was worse but easy to patch.

------
tastyham
Chrome has some more explanation about the vulnerability and how/when a patch
will be rolled out.

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca

------
wvenable
> to discern to some extent the layout or contents of protected kernel memory
> areas.

For the end user, what possible negative consequences are there from this? It
seems pretty far fetched that there could be any serious security implications
from JavaScript on a desktop/mobile computer.

~~~
lossolo
Using Spectre you can read memory from the process in which JavaScript is
executed; for Firefox this is probably the whole browser memory. Chrome runs
sites in different processes (but not always, e.g. iframes).

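The in-process read lossolo describes, as an added JavaScript example (not code from this thread, from the linked papers, or from any browser engine): the Spectre variant 1 bounds-check-bypass gadget shape next to the index-masking hardening that JIT engines adopted in response (V8's array index masking). The flat MEM buffer, its layout with a secret placed right after the public array, and the speculativeGadget function that stands in for a mispredicted branch are all constructed assumptions. Node executes the block architecturally, so it shows what a transient read would fetch in each version; it performs no cache timing and leaks nothing.

```javascript
// Added illustration (not code from this thread or from any browser engine):
// the Spectre variant 1 "bounds-check bypass" gadget shape as it appears in
// JavaScript, next to the index-masking hardening JIT engines adopted.
// Node executes everything architecturally, so nothing here actually leaks;
// the real leak needs the CPU to run the guarded body speculatively on a
// mispredicted branch, plus a high-resolution timer to see which line of a
// probe array that speculative read pulled into the cache. The speculative
// window is modelled below, not performed.

const CACHE_LINE_STRIDE = 4096; // one distinct page per possible byte value

// Constructed flat "memory" (hypothetical heap layout): the array the script
// is allowed to index occupies bytes 0..7, and a secret it must never see
// sits immediately after it at byte 8.
const PUBLIC_LEN = 8;
const MEM = new Uint8Array(16);
MEM.set([1, 2, 3, 4, 5, 6, 7, 8], 0);
MEM.set([..."hunter2"].map((c) => c.charCodeAt(0)), PUBLIC_LEN);

// Index mask: all-ones when 0 <= i < length, zero otherwise. The comparison
// result is consumed as data, not as a branch, so a mispredicted branch
// elsewhere cannot skip it: an out-of-range index collapses to 0.
function maskIndex(i, length) {
  return i & -((i >>> 0) < length);
}

// Vulnerable body: after the caller's bounds check, the load is unguarded.
function loadUnmasked(i) {
  return MEM[i];
}

// Hardened body: the mask is applied before the load, so even a transient
// execution with an out-of-range i reads MEM[0], never the secret.
function loadMasked(i) {
  return MEM[maskIndex(i, PUBLIC_LEN)];
}

// The gadget. Architecturally both bodies are safe behind this check; the
// difference only shows inside the speculative window.
function gadget(i, load) {
  if (i < PUBLIC_LEN) {
    const v = load(i);
    // A real attack would touch probe[v * CACHE_LINE_STRIDE] here and later
    // time every line of the probe array to recover v. Return the line index.
    return v * CACHE_LINE_STRIDE;
  }
  return -1;
}

// Model of the speculative window: a predictor trained on in-range calls
// guesses "taken" for an out-of-range i and runs the body anyway. This stands
// in for what the CPU does transiently; JavaScript cannot call it directly.
function speculativeGadget(i, load) {
  const v = load(i);
  return v * CACHE_LINE_STRIDE;
}

function demo() {
  const i = PUBLIC_LEN + 1; // one past the array: points at 'u' of the secret
  return {
    architecturalUnmasked: gadget(i, loadUnmasked),          // -1: check holds
    architecturalMasked: gadget(i, loadMasked),              // -1: check holds
    speculativeUnmasked: speculativeGadget(i, loadUnmasked), // line of 'u' (117)
    speculativeMasked: speculativeGadget(i, loadMasked),     // line of MEM[0] (1)
  };
}

console.log(demo());
```

The point of the mask is that speculation follows control flow, not data flow: a mispredicted `if` lets the body run, but the AND with the mask is still computed from `i` itself, so the transient load lands on index 0 instead of on whatever follows the array. Site isolation (the per-process argument in the comment above) limits what a successful read can reach; masking limits whether the read happens at all.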
------
jbob2000
There's no mechanism for JavaScript to use this exploit; it doesn't have
access to the hardware. The only way I could see JavaScript being involved is
if it's used to construct a malicious download.

------
chapill
[https://misc0110.net/web/files/keystroke_js.pdf](https://misc0110.net/web/files/keystroke_js.pdf)

~~~
FreedomWarrior
You started this thread to warn about the risks of running untrusted
JavaScript before the appropriate mitigations are in place, yet you expect
people to open a PDF from misc0110.net with no additional context?

~~~
kimusan
It's actually the page of one of the researchers (Michael Schwarz) who found
the JavaScript keystroke timing attack (which is in the paper in the link). He
is also one of the authors of the Meltdown/Spectre CPU attack papers, so the
document is actually worth reading.

~~~
rainbowmverse
The link goes to a site with a spammy-looking domain, and there's no reason to
assume a URL with .pdf at the end is actually a PDF. There's nothing stopping
the server from serving a malicious JavaScript file instead.

Assuming it's safe based on available information is very bad. Even your
comment isn't enough because you could be working with someone to drive people
to a malicious link.

