Where does the idea come from that if you're not running the most up-to-date software...

where does the idea come from that if you're not running the most up-to-date software, you will have your computer compromised by simply browsing a website. It makes no sense to me. It's a html document with javascript that is run inside a virtual machine, with no permission given to the user's files. Is this just a corporate shill move so companies can give us more spyware?
It's like having an mp3 file with malicious code in it. It's only going to run on your machine if you rename the file to .bat or ./ it on linux. A document doesn't run code on a machine, a document's contents are only displayed via a program capable of viewing.



but it communicates with the server sometimes, and there are security flaws that allow Javascript to break through the browser's security. There was a flaw just last year that allowed javascript to read directly from RAM lol.

>It's like having an mp3 file with malicious code in it. It's only going to run on your machine if you rename the file to .bat or ./ it on linux. A document doesn't run code on a machine, a document's contents are only displayed via a program capable of viewing.
the document (or other media file) has to be parsed, and if a parser is fed maliciously-crafted input, you can get code execution. These bugs are uncommon but do exist. If I remember right there was such a bug in some of Firefox's image-rendering code a few years ago, all you'd have to do was load a site with a malicious image on it to be exploited.

Microsoft fearmongering so they can keep pushing telemetry spying bullshit.

The idea comes from Windows being a bag of shit and prone to exploits

>obsessively updates to alpha/beta/nightly builds
>ends up with more bugs and holes than people whose software is slightly outdated


>where does the idea come from that if you're not running the most up-to-date software, you will have your computer compromised by simply browsing a website
people putting a bunch of unrelated ideas together

i remember when android was first gaining traction and each system update was a legitimate huge upgrade in performance and usability. 2.2 to 2.3 was incredible, and 2.3 to 4.0 was such a big jump most people didn't even understand it was still android. it was actually difficult to convince people that upgrading the os would have some benefit to them

i think that we just had a good ol jerusalem switcheroo, as the software updates stopped actually mattering, the nerds stopped caring, but the normies noticed and filled the void but without any discretion as to why it was a good thing or not. I mean, all the other ones were important, so surely this one is important too?

trips of truth


Most software goes through that same cycle. Big improvements at first, then after a while it's feature-complete and doesn't really need much more. Now at that point we should be able to just enjoy using working software, with only occasional small updates for security issues. The thing is that nobody has any incentive to do that. Devs hate maintaining working software. It's dull and they'd rather be writing new stuff. Also, if the software is a company's product, they want to write new stuff because otherwise they're surplus to requirements and will get laid off. That company's sales creatures want change for change's sake too, because otherwise they won't have anything to pitch people with. And of course everyone involved is way too prideful to just admit that maybe something's good enough and doesn't need any more changes.

So we get the world we have today, where everyone is kept running hard on an upgrade treadmill if at all possible, despite the fact that, like running on a real treadmill, they aren't getting anywhere.

>applel slowing everyone's phones down with updates

Exploits don't get patched. ROP

This, and variations.

>It's like having an mp3 file with malicious code in it. It's only going to run on your machine if you rename the file to .bat or ./ it on linux.
Or if there's a defect in the program which plays the mp3. A defect which may have been fixed if you updated your software.

Post the proof or else fuck off.

You can easily google that shit you inbred weeb

The burden of proof is on you.

You're unironically safer running Windows XP nowadays. Most modern software doesn't run on it, including viruses, and any exploits still present in it have been forgotten years ago.

There was a Vim bug several months back that actually EXECUTED code upon opening a text file.

Look up arbitrary code execution

Remote code execution vulnerabilities come out for browsers all the time.

Browser developers make mistakes and sometimes those updates include patches to bugs that allow an attacker to take over your browser via JavaScript. Writing a perfect virtual machine is hard.

Nice treadmill metaphor

cybersecurity "professionals" spending years blaming hackers and software bugs for their own incompetence

You're completely wrong. RCEs for browsers exist and are a real threat. You see, your browser implements a JavaScript engine to run JS code (Safari uses JavaScriptCore, Chrome uses V8, Firefox uses SpiderMonkey, etc.), these engines implement the whole JS runtime and execute functions inside your browser in response to JS functions being called.

Example: if I call `var arr = new Uint8Array(100);` in JS, the JS engine inside your browser has to make an actual 100 bytes allocation inside your browser memory to hold the array's contents. If I call `arr.sort()` the engine will call internal functions that implement the sorting algorithm (usually builtins written in pure JS or natives written in C++) and actually sort the array.

Everything you do in JS actually runs C++ behind the scenes. C++ is not a memory-safe language, i.e. memory corruption vulnerabilities exist in JS engines and can be triggered directly from JS. To make things worse, modern JS engines also implement JIT (just-in-time compilation) which literally means you have optimizing compilers built inside your browser, and JS code will be compiled to assembly at runtime and executed. To allow this, every browser obviously has RWX areas where JIT compiled code can be written and executed.

If an attacker manages to exploit an RCE, he also has this RWX area available to put a payload and jump into. This means arbitrary code execution inside your browser. From JavaScript. Once you have that, you can do whatever the fuck you want. So don't be a faggot and update your software, because public vulnerabilities patched in latest versions are always out there and can be used against you.
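
The memory-corruption point in the post above, as an added example (not part of the original post and not any real engine's code): a toy C model of a native typed-array setter, once without and once with a bounds check. The heap layout, names and sizes are all constructed for illustration; the "overflow" stays inside one C array so the demo itself is well defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: a 16-byte typed-array backing store at offset 0,
 * immediately followed by the length field of a neighbouring object. */
#define HEAP_SIZE         32
#define ARR_LEN           16
#define NEIGHBOUR_LEN_OFF 16

typedef struct { uint8_t bytes[HEAP_SIZE]; } toy_heap;

static void heap_init(toy_heap *h) {
    memset(h->bytes, 0, HEAP_SIZE);
    h->bytes[NEIGHBOUR_LEN_OFF] = 8;   /* neighbour claims 8 elements */
}

/* Flawed native: trusts the index handed over by the script. */
static void array_set_unchecked(toy_heap *h, size_t index, uint8_t value) {
    h->bytes[index] = value;
}

/* Patched native: rejects any index outside the array's own storage. */
static int array_set_checked(toy_heap *h, size_t index, uint8_t value) {
    if (index >= ARR_LEN)
        return -1;
    h->bytes[index] = value;
    return 0;
}

/* Models the script call arr[16] = 0xff against each version and
 * reports what the neighbouring object's length field holds afterwards. */
uint8_t neighbour_len_after_unchecked(void) {
    toy_heap h; heap_init(&h);
    array_set_unchecked(&h, ARR_LEN, 0xff);
    return h.bytes[NEIGHBOUR_LEN_OFF];
}

uint8_t neighbour_len_after_checked(void) {
    toy_heap h; heap_init(&h);
    (void)array_set_checked(&h, ARR_LEN, 0xff);
    return h.bytes[NEIGHBOUR_LEN_OFF];
}

int main(void) {
    printf("unchecked: neighbour length = %u\n", neighbour_len_after_unchecked());
    printf("checked:   neighbour length = %u\n", neighbour_len_after_checked());
    return 0;
}
```

The one-line check is the kind of change a browser security update ships; without it, script-controlled data overwrites state the script was never meant to reach.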

fuck off shill

Good post
Shut up dingus

unless you visit some weird russian sites literally nothing can happen to you

I never use anti virus, always disable windows firewall and all updates, use qweasdzxc password everywhere and never had any problems because I'm not a retard who opens nigerian spam mails

As long as you use stable release branches you really shouldn't have a problem. I update my Ubuntu Server 18.04 LTS home server every night and the only piece of software that has ever broken was Tvheadend, which is also the only piece of software I have that is on a non-stable branch (I use features that are still only in the nightly build).

retardation is a disease that can be cured with lead


There are N possible vulnerabilities on every system ever built by humans. OSes, browsers, games, doesn't matter.

Generally speaking people who built those systems fix whatever vulnerability they have knowledge of, and they provide the new, more secure version of the software to the user via software updates.

Fixing vulnerabilities often is an eternal process, especially when you're talking about complex systems that interact with other systems in various ways (internet browsers are a great example).

not him but i googled 'rowhammer dot js' for you

dl.acm.org/citation.cfm?id=2976977

A fundamental assumption in software security is that a memory location can only be modified by processes that may write to this memory location. However, a recent study has shown that parasitic effects in DRAM can change the content of a memory cell without accessing it, but by accessing other memory locations in a high frequency. This so-called Rowhammer bug occurs in most of today's memory modules and has fatal consequences for the security of all affected systems, e.g., privilege escalation attacks.

All studies and attacks related to Rowhammer so far rely on the availability of a cache flush instruction in order to cause accesses to DRAM modules at a sufficiently high frequency. We overcome this limitation by defeating complex cache replacement policies. We show that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. This allows to trigger the Rowhammer bug in highly restricted and even scripting environments.

We demonstrate a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware. Thereby we can gain unrestricted access to systems of website visitors. We show that the attack works on off-the-shelf systems. Existing countermeasures fail to protect against this new Rowhammer attack.

Javascript can be exploited, but in theory if javascript is disabled you should be at extremely low risk.

The same fear mongering goes on with Linux, some faggot was fear mongering that an old version of Gimp I wanted could execute a macro through a corrupt image (in theory) , and worse Linux makes reverse compatibility very difficult and they are proud of that.


There is no corporation behind most FOSS software native to Linux, and the same shit happens. They add useless features for fun.
It's just nerds tinkering around. FOSS software becomes more and more bloated just like proprietary.


---

I never recommend using an older version of a web browser and email client. It is a security risk. But if software doesn't frequently/never connect to the Internet it's fine. Just keep a firewall on and use common sense tm.

I think the paranoid security obsessed Windows XP dudes migrated to Linux a long time ago and they assume all the crazy exploits from Windows XP pre-SP2 are still around. They probably use ParrotOS and Kali Linux.

>no replies
They're just script kiddies trying to make people run compromised systems so the tools they have access to work.
Asking for proof for trivial things is just a way to build doubt.

i dont care im sick of the head in sand mentality and desu it took all of 5 seconds to google "javscript ram exploit" and then find the name rowhammer and read the article on wikipedia and post the link i posted here

Soon it's going to be impossible to secure your data when your device is connected to the internet (presuming you have data worth stealing of course).

Any person or company in possession of advanced AI systems are gonna be able to intercept, decrypt and make sense of every single packet that is transmitted between your device and any other device. It's funny seeing people complain about privacy today when soon the only way to have privacy will be to completely stay off the grid.

That's because they're not stable versions you absolute mong.

You should be happy whenever you see a new update available for whatever software you use. Nobody likes maintaining software.

>A document doesn't run code on a machine, a document's contents are only displayed via a program capable of viewing.
There might be PDF exploits though and docx is notorious for being able to include malware into it.
And if a known exploit exists for any software you should update it to get it fixed, that is basically what Debian and many other distros are doing.

But the most important thing is, idiots need to be protected, the guy who downloads ladygaga.mp3.exe is the target group for this advice.

Congratulations, you're retarded! Come and see the dunning-kruger effect in action, folks.

>Javascript can be exploited, but in theory if javascript is disabled you should be at extremely low risk.

Ever heard of CSS injection?

wouldn't clearing the cookies, cache and running bleachbit fix this?

>where does the idea come from that if you're not running the most up-to-date software, you will have your computer compromised by simply browsing a website
Because that's how security updates work.

No self-respecting white man browses the internet without Javascript disabled.

1. download the website
2. disconnect from the internet
3. run the website with the browser in "private mode" (saves you the trouble of clearing cache and shit afterwards)

I think it's the only way to be 95% sure you're safe. Of course presuming the browser isn't doing some funny business you don't know about.

then the op is no self-respecting white man? because his post dictates that the browser runs javascript

have fun browsing most modern websites where the templating is generated by javascript itself
but hey you can browse stallman's website no problem

100% safe
no url references in his CSS either


the internet was better when websites were simpler, the modern website design is giving us digital ADHD.

Why?

No one here is interested in convincing you of common knowledge.

>"some obscure js direct ram reading exploit is common knowledge. i dont have to prove anything"
Found the retard.