|
|
Subscribe / Log in / New account

"ZombieLoad": a new set of speculative-execution attacks

"ZombieLoad": a new set of speculative-execution attacks

Posted May 14, 2019 21:59 UTC (Tue) by pyellman (guest, #4997)
In reply to: "ZombieLoad": a new set of speculative-execution attacks by flussence
Parent article: "ZombieLoad": a new set of speculative-execution attacks

It really is more than a little unfair to use this revelation as another reason to go on an(other) anti-Javascript rant. Sure, Javascript is at this time a leading vector for how most people might be exposed to security threats, but Javascript also enables much or most of the useful stuff we take advantage of and benefit from on the internet.

I well understand that "real" programmers and software engineers are contemptuous of Javascript and those who use it to build software and websites, but I think there's more than a little bit of envy in there as well. Yes, Javascript has a chaotic, undisciplined ecosystem of add-in functionality, but that ecosystem is also both enormously useful and just plain enormous. Futhermore, Javascript has been a vehicle and driver for widespread popularization of some decent ideas about what a high level language should offer (even if Javascript didn't necessarily invent those ideas). Again, I sometimes detect a hint of envy from "real" programmers in this regard.

Finally, I find it particularly unreasonable that this particular security threat, which has been brought to us by arguably some of the most highly skilled "real" computing engineers on the planet, should be your excuse for going on a rant about Javascript.

to post comments

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:17 UTC (Wed) by weberm (guest, #131630) [Link] (1 responses)

Sadly, flussence's observations are correct no matter whether you include JS as the deployment vehicle or not. One can reduce the comment to a JS rant and ignore it on that basis, or try and understand the notion behind it and reflect on that.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:00 UTC (Wed) by pyellman (guest, #4997) [Link]

I understand the notion just fine. And I'm pretty sure the targeting of JS was reflexive and unnecessary; the distance between JS being perfect, and JS being replaceable, is about equal. Again, this vulnerability was brought to us by the "real" programmers.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:22 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (6 responses)

Js is certainly abused. Except some more interactive websites, 99% of the website should not run it.

Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:59 UTC (Wed) by eru (subscriber, #2753) [Link]

Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.

That is not quite true, there are quite a lot of string functions in the built-ins, one could argue all the "BASIC":s are there :-). Even regexes. But there are also some strange omissions, like no built-in sprintf() equivalent.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 10:30 UTC (Wed) by roc (subscriber, #30627) [Link] (3 responses)

Thanks to JS and the Web platform, we have lots of powerful apps running on a platform whose design is not controlled by any single vendor, that has no gatekeepers, and can be implemented completely in free software.

Curse it if you like, but if it goes away you'd better enjoy whichever vendor-controlled walled garden you end up in.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 13:11 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (2 responses)

We have basically only 2 web rendering engines and js engines, and firefox is probably going away.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 19:21 UTC (Wed) by samth (guest, #1290) [Link]

There are definitely 3 of each: Blink/v8, WebKit/JSC, and Gecko/SpiderMonkey. Even if you think Blink and WebKit are "the same" (which is wrong) JSC and v8 have no common heritage.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 22:39 UTC (Wed) by roc (subscriber, #30627) [Link]

There are 3 of each. Firefox need not go away; it's competitive enough that people are switching to it from Chrome, though the situation is still very challenging. Defeatist attitudes definitely won't help.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:08 UTC (Wed) by pyellman (guest, #4997) [Link]

I can heartily agree that JS is abused and misused. So is just about everything else on the internet. Anger at JS because it is one of the tools being used to track you, slog your machine with ads, etc. is, in my opinion, misdirected.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:25 UTC (Wed) by nix (subscriber, #2304) [Link]

Quite. In particular, that JS can now be used to spy on things happening at the same instant using code with no branches or conditionals whatsoever is not an indictment of JS: more or less *any* language can probably do the same thing, even though JS in particular was explicitly designed to be sandboxed, and unlike (say) Java, there haven't been any significant holes in that sandbox that aren't attributable to outright hardware faults.

The problem isn't the language: the problem is the hardware. Whining about the language will not fix the ever-worsening flood of hardware vulns.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds