by retrac 1580 days ago
https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability Long story short: Windows library routines for handling an obscure, obsolete image format had a parser flaw. Simply rendering an appropriately crafted image via the standard Windows APIs -- whether in a web browser, file explorer, file preview, word processor, anywhere -- resulted in kernel-level arbitrary code execution.

Now, we've gotten a bit smarter about this sort of thing since. Both at a high level architecturally (don't process image files in the kernel) and at a lower level (use a language that takes measures to constrain its buffers). But the basic scenario hasn't been entirely eliminated. There could be a parser bug somewhere in your web browser for example that allows a properly crafted input to hijack the browser process.


> There could be a parser bug somewhere in your web browser for example that allows a properly crafted input to hijack the browser process.

Bit of a caveat: Chromium and Firefox are probably some of the most hardened software programs in the world (for other browsers, all bets are off).

Chromium distributes its logic over multiple processes per tab, so that even if you e.g. find a zero-day in V8, you still can't use it to get arbitrary file access without a sandbox escape. Last I checked, Firefox was getting there. Also, Firefox compiles some parsing and image processing libraries to WebAssembly for another layer of sandboxing (and to protect against ROP exploits), and increasingly uses Rust for sensitive tasks.

That's not to say they're safe, but I don't think they're the biggest source of exploits.

> Bit of a caveat: Chromium and Firefox are probably some of the most hardened software programs in the world (for other browsers, all bets are off).

There is a certain irony in the idea that people should rely on a Google product to avoid having their privacy compromised.

I guess with Google, at least you know and give consent to the privacy "invasion" when you use their products.

> I guess with Google, at least you know and give consent to the privacy "invasion" when you use their products.

Google tracks you and adds things to your profile when you explicitly choose incognito mode to avoid the privacy invasion. This doesn't seem like informed consent to me.

Which is why the only safe way to operate is to assume anything that is susceptible to outside data is already compromised, and so run them in sandboxes.

You should read the writeup. This was run in a sandbox. Sandboxes are not silver bullets and can have bugs too.

The tech is the easy part: iOS/Android have the best security teams in the world, and an unlimited budget, and sandboxing is an old, proven tech.

I guess that the politics here are the real barrier.

Not only politics: the reason why some languages and OSes rule is that real progress only happens one generation at a time, to put it in a friendlier wording.

"Science progresses, one funeral at a time."

https://en.wikipedia.org/wiki/Planck%27s_principle

As a general principle in life, it's quite frightening considering ever increasing life spans.

That's just a mitigation for tens of millions of lines of code written in C / C++.

That's not a solution. You're just piping the outside data into your sandbox; it can have bugs too.

This is why I run a 1-task only Windows VM inside a Linux VM on a Mac. Ain't nobody ripping through x3 0-days for my chats.

If you're a targeted journalist, they'll go through more than three to get you. Full chains are fairly long these days.

lmao bro does all that in front of his IoT Samsung toaster, that has a speaker... speakers are microphones.

Macwinux

There's no such thing as a perfect solution, only solutions that improve a bad situation.

I'm not so much saying it's a bad idea as that what my parent comment described was a logical contradiction. It isn't possible to run "anything that is susceptible to outside data" in sandboxes, because that makes the sandbox susceptible to outside data. If you're genuinely assuming that anything susceptible is already compromised, then the sandbox is accomplishing literally nothing.

I always remember a quote from a sci-fi book I read about the "multi-planet Internet" there.

It was layer upon layer upon layer of protocols and software.

Because it wasn't possible to remove old layers (because some satellites or wormholes or whatever would stop working.)

So, it was super easy to hack... and to send spam. Well, you will get killed for that, though.

Would be interested in the name of the book?

It sounds like Vernor Vinge's A Fire Upon The Deep (& sequels), well worth finding.

It depends on which sandbox you are using. In Qubes OS on desktop, you rely on hardware virtualization, which is virtually unbreakable.

I thought Spectre and Meltdown also allowed host data leakage from a compromised guest?

Yes, microcode vulnerabilities are a problem indeed. Hopefully Qubes Air (next version 5.0) will compartmentalize even that by using separate devices as qubes: https://www.qubes-os.org/news/2018/01/22/qubes-air/.

I wish OSs would just can support for legacy stuff nobody uses and make it an explicit install for the 1% of people who need it.

Each feature has a different 1% who use it.