Security Leftovers Mozilla Attack & Defense: Inspecting Just-in-Time Compiled JavaScript The security implications of Just-in-Time (JIT) Compilers in browsers have been getting attention for the past decade, and the references to more recent resources are too great to enumerate. While it’s not the only class of flaw in a browser, it is a common one; and diving deeply into it has a higher barrier to entry than, say, UXSS injection in the UI. This post is about lowering that barrier to entry. If you want to understand what is happening under the hood in the JIT engine, you can read the source. But that’s kind of a tall order given that the folder js/ contains 500,000+ lines of code. Sometimes it’s easier to treat a target as a black box until you find something you want to dig into deeper. To aid in that endeavor, we’ve landed a feature in the js shell that allows you to get the assembly output of a JavaScript function the JIT has processed. Disassembly is supported with the zydis disassembly library (our in-tree version). To use the new feature, you’ll need to run the js interpreter. You can download the jsshell for any Nightly version of Firefox from our FTP server – for example, here’s the latest Linux x64 jsshell. Helpfully, these links always point to the latest version available; historical versions can also be downloaded.

Security updates for Tuesday Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).

Google Launches Confidential VMs, GKE Nodes, to Encrypt Data In-Use [Ed: The Linux Foundation is paying this publisher to participate in Google PR ploy, portraying servers controlled by Google as some sort of privacy magic] Google is hoping to make confidential computing — the encryption of data in-use — as easy as the click of a button for cloud native users. To this end, the company has released into general availability Confidential Virtual Machines (VMs), unveiled as a beta in July, as well as beta launched Google Kubernetes Engine (GKE) Confidential Nodes.

House approves bill to secure internet-connected federal devices against cyber threats The legislation would also require private sector groups providing devices to the federal government to notify agencies if the [Internet]-connected device has a vulnerability that could leave the government open to attacks. The bill is sponsored in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas) and more than two dozen others.

Microsoft ends support for Office 2010: What you can do If the whole Microsoft thing is getting too complicated or too expensive for your pocketbook, we've reviewed the major alternative programs to Office, including Google's online application, LibreOffice, FreeOffice and more. Because they're all free, there's little risk to trying them.

Debian Developers' Leftovers Raphaël Hertzog: Freexian’s report about Debian Long Term Support, August 2020 Like each month, here comes a report about the work of paid contributors to Debian LTS.

Molly de Blanc: “Actions, Inactions, and Consequences: Doctrine of Doing and Allowing” W. Quinn There are a lot of interesting and valid things to say about the philosophy and actual arguments of “Actions, Inactions, and Consequences: Doctrine of Doing and Allowing” by Warren Quinn. Unfortunately for me, none of them are things I feel particularly inspired by. I’m much more attracted to the many things implied in this paper. Among them is the role of social responsibility in making moral decisions. [...] One of the things I maintain is that we cannot be the best versions of ourselves because we are not living in societies that value our best selves. We survive capitalism. We negotiate climate change. We make decisions to trade the ideal for the functional. For me, this frequently means I click through terms of service, agree to surveillance, and partake in the use and proliferation of oppressive technology. I also buy an iced coffee that comes in a single-use plastic cup; I shop at the store with questionable labor practices; I use Facebook. But also, I don’t give money to panhandlers. I see suffering and I let it pass. I do not get involved or take action in many situations because I have a pass not to. These things make society work as it is, and it makes me work within society.