by bawolff 1540 days ago
There is no indication yet that this is due to complex web standards. It could be, but we literally don't know what the bug is yet.

But we do know that it is JavaScript-related, so please correct me if I'm wrong, but disabling JS for all websites except the ones you really, really trust and need should offer long-term general protection against such 0-days in most cases.
It certainly reduces attack surface. JIT-based JS engines do seem like a big attack surface, although certainly not the only one.

I'm not sure I would call JS part of "complex new web standards". In its original form it was introduced way back in 1995.

There are lots of 0day exploits outside of the JavaScript engine. Going down this path, it would be safest to not use the web at all, or really just not own a computer.
My doctor told me I should stop smoking.

There are a lot of ways to die outside of lung cancer though. Going down this path, it would be safest to not drink alcohol, not drive a car, or really just not live life at all.

My point here is that there are some things that have outsized impacts and can be avoided in isolation. Smoking is like that for health.

JavaScript, ActiveX, Java web applets, Flash, any other way of executing arbitrary Turing-complete remote code on my local machine directly, those are all vastly more likely to lead to CVEs than HTML parsers, image parsers, and other functionalities of browsers.

It's perfectly possible to identify and eliminate larger attack surfaces without slippery-sloping yourself into not being able to take smaller risks.

No, I think it's reductio ad absurdum; what I mean is reasonable means of reducing risks for people who don't use that many web apps and consume mostly text such as news etc.
That does close the window of attack to a much smaller area, so yeah, that improves your security statistically.