SoylentNews is people

posted by janrinok on Wednesday July 29 2015, @12:48AM
from the for-those-who-ask-for-javascript dept.

A very interesting attack was unveiled on Friday, 24 June by Daniel Gruss, Clémentine Maurice, and Stefan Mangard. Maybe Rowhammer is the next Heartbleed, or worse?

As DRAM has been scaling to increase in density, the cells are less isolated from each other. Recent studies have found that repeated accesses to DRAM rows can cause random bit flips in an adjacent row, resulting in the so called Rowhammer bug. This bug has already been exploited to gain root privileges and to evade a sandbox, showing the severity of faulting single bits for security. However, these exploits are written in native code and use special instructions to flush data from the cache.
In this paper we present Rowhammer.js, a JavaScript-based implementation of the Rowhammer attack. Our attack uses an eviction strategy found by a generic algorithm that improves the eviction rate compared to existing eviction strategies from 95.2% to 99.99%. Rowhammer.js is the first remote software-induced hardware-fault attack. In contrast to other fault attacks it does not require physical access to the machine, or the execution of native code or access to special instructions. As JavaScript-based fault attacks can be performed on millions of users stealthily and simultaneously, we propose countermeasures that can be implemented immediately.

http://arxiv.org/abs/1507.06955

Full report can be found here (PDF)


  • (Score: 2, Interesting) by anubi (2828) on Wednesday July 29 2015, @06:25AM (#215287)

    Unfortunately for the rest of us, a lot of business sites insist on JS being enabled.

    Like you say, you would not do such a thing. Other people may. Neither you nor I can stop them. But we can ignore them.

    Some of us do.

    I started using NoScript after I was repeatedly nailed with malware.

    From what I can tell, a lot of businesses are not aware of the problems malware causes the rest of us.

    I believe the problem is the person with the authority to hire and instruct webmasters does not personally assume the responsibility of maintaining his own machine. He makes enough money he simply has someone else deal with the problem. So, he remains quite ignorant of the state of malware on the web.

    This means the rest of us have to assume the risk to visit his site.

    I feel as uneasy visiting their site as I do eating food served to me in a dirty plate.

    If it's not a business I am intent on engaging, usually the first admonition to enable javascript on my machine is sufficient to cause me to abandon their page.

    A lot of businesses do not need customers that bad. So what if a few of us have got digital indigestion and do not like to ingest webpages containing mechanisms commonly used to inject malware. Probably not the kind of customer the business wants anyway. Business likes obedient customers. A lot of us have shown disobedience by not allowing their scripts to run willy nilly in our machine.

    The web page is often a business' first impression to a customer. How many malware-aware customers simply click away from his site just as people would abandon a restaurant serving food in dirty dishes?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Monday August 03 2015, @09:13AM (#217302)

    I completely agree. Give me HTML & CSS that my browser can display. You can keep the JS, I don't want (or need) it.

    ...the person with the authority to hire and instruct webmasters does not personally assume the responsibility of maintaining his own machine. He makes enough money he simply has someone else deal with the problem.

    However, the issue is not whether or not this person notices any personal annoyance; they also run the risk of losing their data, etc. Additionally (if/when they get infected) they will be responsible for propagating whatever malware they've picked up onto their local network or even around the internet.

    The issue is javascript is a scourge to be eliminated. Want your site to run fancy-schmancy code? Run it on your server, don't force me to open holes on my system you could fly a galaxy cruiser through.