Hello users and embedders of V8, On January 3rd, researchers from Google's Project Zero <https://googleprojectzero.blogspot.com/2014/07/announcing-project-zero.html> disclosed a new class of attacks <https://googleprojectzero.blogspot.com/> which exploit speculative execution optimizations used by modern CPUs.
As a user or embedder of V8, you may have questions regarding these attacks and if they have any implications for you. We’ve put together a new wiki page <https://github.com/v8/v8/wiki/Untrusted-code-mitigations> regarding this topic that should serve to answer some of your questions. The main takeaway is that if you are an embedder such as Node.js that only executes trustworthy code then there should be no security concerns from these attack methods. In order to take advantage of the vulnerability, an attacker has to execute carefully crafted JavaScript or WebAssembly code in your embedded environment. If, as a developer, you have complete control over the code executed in your embedded V8 instance, then that is very unlikely to be possible. V8 is including some mitigation strategies for these attack methods as part of V8 6.4.388.16. These will be on by default and we are putting them behind a build flag to give embedders the option of whether they are needed. More details can be found on the wiki page <https://github.com/v8/v8/wiki/Untrusted-code-mitigations>. Sincerely, The V8 Team -- -- v8-users mailing list v8-users@googlegroups.com http://groups.google.com/group/v8-users --- You received this message because you are subscribed to the Google Groups "v8-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
