Just because you disable Javascript in your browser I would not trust
that you will be save from arbitrary code execution. I am using
Thunderbird as an email client and it has the same intrusion problem as
the browsers running Javascript. The arbitrary binary code execution
problem does to my believe more relate to common vulnerabilities like
buffer overflows in the whole code than just to the Javascript subsystem
which is of course an additional security risk. As long as the code base
is changing rapidly and as long as new arbitrary code execution problems
are discovered from time to time you are not save. The speed new bugs
are moved in is simply higher than the speed by with some of the old
bugs are corrected for browsers like Chromium or Firefox (I would not
trust software from Google anyway as it is part of the empire of
'evil'.). Intelligence services usually use zero days exploits for which
there is no known mitigation. If you wanna be save on a computer do not
use an email client or web browser; at least not if it can connect to
sites spoofed by secret services. To avoid connecting to a 1:1 mirror
site of an intelligence service we would need an improvement of https
certificate management like f.i. DANE provides. There are many rogue
certificates issued for intelligence services out there and restricting
your browser to use https does not help.
Regards,
Elmar
Am 11.06.19 um 21:09 schrieb Andrew McGlashan:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
On 12/6/19 3:16 am, Holger Levsen wrote:
On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan
wrote:
Exploiting the flaws needs malicious code to be running on your
box. If you are in total control over all VMs and processes
on the box, then you should be good.
do you use a webbrowser with javascript enabled?
Good point, yes that is another risk.
Actually though, if you update your browser to lessen the granularity
of time that the exploits require, it might not be an issue. So,
don't run an out of date browser.... is that enough?
Cheers
A.
-----BEGIN PGP SIGNATURE-----
iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXP/8eAAKCRCoFmvLt+/i
+2AsAP4knXw4eLsVrlYm/CwuWJrhGC8FRVj4Uc09H0mR2ZDlhwD/RI/FDdLYiO9t
nNNga1FHGhCMj7v/rzJcZ/8iGrNrmqI=
=/5dj
-----END PGP SIGNATURE-----
