On Fri, 15 May 2020 17:32:10 +0530
Sreyan Chakravarty <sreyan32@gmail.com> wrote:

> On 5/15/20 1:32 AM, stan via users wrote:
> > After posting, I vaguely recalled that there was a javascript
> > implementation of the sample exploit code. 
>
> Now this is really scary.
>
> This makes it a potential web attack. I can't obviously live like a
> hermit and visit only sites that have no javascript in it, can I ?
>

Because the attack is so sophisticated, it depends on very precise
timing.  I *think* I read that firefox, at least, changed their
javascript so the timing accuracy was too fuzzy for the attack to work.
This would only have required changing accuracy to millisecond (or
tenths (hundredths?) of millisecond) timing rather than nanosecond
timing.

Also, firefox has sandboxing on javascript plugins.  So, if the
javascript is restricted from sending anything over the web, it would
be impotent because it would have no way of communicating its results.
Plugins also only get access to the components they need to perform
their function, so might not have access to the necessary system calls
to allow the attack.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org