I’d say “allowing the code to run on the host computer” is way less confusing for the less technical people than “allowing the code to run outside the sandbox”. Most people have absolutely no idea what sandboxing means.
Have you ever read a summary of a license or a legal document? It's the same idea.
Simplifying terms and using approximations so that the uninitiated can understand is not lying, it's good communication. We can't use jargon all the time.
You can still cut the jargon and tell the essence. E.g. "the exploit allows malicious code to run without the confines of the browser, giving it access to everything the user normally has access to".
I think they're using it short for 'browser's sandbox.' Try reading it charitably rather than bending over backwards to find fault and making wild accusations of 'lying.'
Not really, I think. "[O]utside of the browser on the host computer" implies that there are other possible ways in which JavaScript could execute, one of those inside of the browser on the host computer, which is pretty much the expected thing and tangentially covers the concept of sandboxing.
There's a steady stream of criticism from other users that is not getting flagged (and is often highly upvoted). Consider contacting the mods using the footer link to ask what they think might be different about your comments that results in HN readers flagging them.
Please email the mods using the contact link in the footer and indicate that you think Firefox comments are being unduly flagged for inappropriate reasons. They can see and search all flagged comments, in order to evaluate your concerns. We normal users can't prove the negative you're declaring and your concern of a conspiracy against Firefox criticism is offtopic for this post about a zero-day security issue.
Complaining about getting flagged or downvoted makes it likely to be flagged or downvoted, on HN or elsewhere. Your comment doesn't even say anything negative about Firefox, it's just vague complaining.
My most recent post was about the performance of Firefox on MacOS and comparing it to chrome and safari, then also looking at battery life. It was immediately removed.
Unfortunately there are too many sites that refuse to work without javascript, so any security benefits is negligible because it's very easy to be social engineered into enabling javascript.
You can get most to work by whitelisting one domain while keeping the cesspool of trackers off your computer. If it still doesn't work there are better things in life to spend time on than somebody's poorly constructed website.
This is what I do and I 100% agree about lazy people that aren't willing to make a halfway decent website. I'm not that old, but sometimes I just want a website with text. I don't need autoplaying videos with a billion slideshow images and shown how fantasmagical your company is.
Not sure if this has changed but I ditched noscript when I discovered it doesn't block inline script execution. These days I use Ublock Origin:
Settings -> check 'I am an advanced user'. You should now be able to block 1st party, third party and inline JS from executing and save on a per-site basis. Hope this helps someone!
Can anyone confirm if 73.0b3 includes the same fix?
Their "what's new" link in the beta's About window doesn't track with the beta release cycle. There's no revision listed, so I think the notes are for 73.0b1 still? At any rate, there's no mention of any security fixes.
I sure hope so since 73.0b3 is the most recent available version of Developer Edition. It's odd to not have any messaging about the non-mainstream editions.
The 73.0b3 release tag is 18 hours ago, compared to that "What's new" page dated 1/7, so it does appear to be newer. See my reply to myself above; as far as I can tell the beta has the same changes (though I didn't manage to fumble my way to the specific commit that fixed it, or whatever the analogous term is for mercurial).
Their developer edition "What's new" page seems more about marketing upcoming changes before they land in the mainline release than anything else.
I'd like to assume they're always on top of getting the same fixes into developer versions at the same time, but since they don't actually tell us anywhere I always feel like I have to check.
I don't know my way around Firefox's source control at all, but I tried to do some digging. My first thought was to look through the changelogs on recent release tags, but there's no mention of the CVE that I can find in any of them.
I did find these changes in 72 which look related to the bug:
They could be more transparent by saying exactly which Firefox versions are affected, which is an accepted norm. Unfortunately, this is not the first time users have been left guessing.
Those are the only two maintained versions of Firefox, so it makes complete sense for their report to be limited to those two. It seems a bit useless to go back and find the point in time where it first appeared, but I guess it could be interesting.
Firefox is creepy AF. I was just listening to "Diamond Ned Flanders" by MadeinTYO on Apple Music, and when I open Firefox the "suggested article" on the front page is about Ned Flanders. That's some Facebook type shit right there. Uninstalled.
Could you please stop posting unsubstantive and/or flamebait comments to HN? We've already had to ask you this, and you've been doing it a lot.
Also, while I have you, please stop using HN for ideological battle—you've been doing a lot of that as well, and it destroys what this site is for (https://news.ycombinator.com/newsguidelines.html), regardless of which ideology you favor or disfavor.
Also, can you please not systematically delete comments? Deletion is for things that shouldn't have been posted in the first place. Deleting more than half of what you post is not an intended use of the threads.
71 comments
[ 1.6 ms ] story [ 125 ms ] threadThe phrasing may unfortunately mislead the less technical readers of their audience.
JavaScript always runs “on the host computer”, this should be described as a sandbox escape.
Simplifying terms and using approximations so that the uninitiated can understand is not lying, it's good communication. We can't use jargon all the time.
But they carefully qualified it with "outside of the browser [meaning sandbox]" and you left that out of your quote.
With some effort javascript from known sites could be fingerprinted and vetted.
An unexpected change could trigger a warning and blocking.
But with WASM we are really in trouble.
Settings -> check 'I am an advanced user'. You should now be able to block 1st party, third party and inline JS from executing and save on a per-site basis. Hope this helps someone!
Their "what's new" link in the beta's About window doesn't track with the beta release cycle. There's no revision listed, so I think the notes are for 73.0b1 still? At any rate, there's no mention of any security fixes.
https://www.mozilla.org/en-US/firefox/73.0beta/releasenotes/
Their developer edition "What's new" page seems more about marketing upcoming changes before they land in the mainline release than anything else.
I'd like to assume they're always on top of getting the same fixes into developer versions at the same time, but since they don't actually tell us anywhere I always feel like I have to check.
I did find these changes in 72 which look related to the bug:
https://hg.mozilla.org/releases/mozilla-release/rev/8260da04...
And poking at one of those referenced files in the beta channel looks like it has the same changes:
https://hg.mozilla.org/releases/mozilla-beta/file/tip/js/src...
So I think we're good on beta channel?
I assume some research into IonJIT will be done to see where it was introduced but by the sounds of what it does it could have been long ago.
Also, while I have you, please stop using HN for ideological battle—you've been doing a lot of that as well, and it destroys what this site is for (https://news.ycombinator.com/newsguidelines.html), regardless of which ideology you favor or disfavor.
Also, can you please not systematically delete comments? Deletion is for things that shouldn't have been posted in the first place. Deleting more than half of what you post is not an intended use of the threads.
Isn't this the same company that was just being roasted for having spyware installed in Samsung phones?
Alternately, who knows whether they found this exploit a while back and only went public once they discovered someone else was using it?