Hendrik Boom hendrik@topoi.pooq.com writes:
On Thu, Jan 04, 2018 at 06:13:45PM -0500, Adam Van Ymeren wrote:
Louis Pearson desttinghimgame@gmail.com writes:
Has anybody else seen the recently published exploits Meltdown and Spectre? Here's a link: https://meltdownattack.com/
The thing about Meltdown/Spectre is that they're really only problems if you rely on sandboxing to run untrusted code.
It doesn't care whether you sandbox. It makes a privilege escalation possible. If untrustworthy code runs with few privileges, it can exfiltrate enough information to accomplish a privilege escalation. The point of mentioning the sandbox is simply that the sandbox doesn't help.
Yeah I didn't phrase that quite right. I meant that these vulnerabilities make it impossible to sandbox malicious code.
Of course it doesn't matter if you trust the code. It matters if it is trustworthy.
Indeed.