On Wed, 2016-02-10 at 10:53 -0700, jd1008 wrote:
On 02/10/2016 10:27 AM, Patrick O'Callaghan wrote:
> On Wed, 2016-02-10 at 10:17 -0700, jd1008 wrote:
> > A malefic website can and does user JS to fork out processes that
> > can
> > sudo whatever they want.
> Are you sure? If so, please give a reference.
>
> poc
Some years ago, the reference came directly from google website
analysis
(obtained via the noscript add-on).
to paraphrase what I read then (as I am sorry I did not keep that
link),
stated
.... it installs malware without the user's knowledge or permission
....
I will strive to locate that analysis and share it with th list.
Unless of course, it has been sanitized or removed - because google
re-analyzes websites
once every 90 days.
I suspect you're thinking of a bug in some earlier version of JS (or
Java). Normally these things are supposed to run in a sandbox precisely
to prevent this. That's probably the main reason Google has just
announced they'll be blocking Flash content in the near future, as it's
notorious for this kind of problem.
poc