Remote execution vulnerabilities happen in JavaScriptCore. Tech-savvy won’t save you, all it takes is some malicious ad code or some hacked server providing malicious JS (or media files, etc. etc.)
Are there any proof-of-concept exploits for these issues anywhere that people could try out for themselves?
I think it would go a long way to convincing people if you could for example visit a website that eg. changes your desktop background when you visit it, to show how dangerous it is to run unpatched systems.
There are so many documented vulnerabilities that only apply to certain scenarios, that people (myself included) just think, "Hey, that sounds very theoretical, I don't think it applies in my case."
I've been asking every chance I get whether these security issues affecting unsupported operating systems are actually being exploited in the wild. Three times I've asked, yet so far, no one has shown any proof whatsoever. Add to that proof of Spectre and Meltdown drive-by exploitation in the wild, today.
While I do not condone the use of an insecure version of the OS, herd immunity is an underrated factor. Unless you're targeted, malware developers don't spend too much time on 0.5% market share, just like web developers don't optimise for unknown browsers.
Despite lots and lots of POCs, I haven't seen attackers use spectre in the wild yet. Maybe sophisticated actors are using it but they haven't been caught yet, or more likely they just use more traditional and reliable ways to get info leaks. But if traditional info leaks dwindle, they may turn to speculative execution attacks.
The level of access required to make Spectre work, basically shoehorning microcode into the CPU, means that you'd already have some deep hooks in the box anyway. Easier to use other methods at that point.
No. That’s the point. The burden of proof isn’t on anyone to disprove your untestable theory about market penetration (although in the case of JS vulnerabilities your premise is completely baseless anyway).
That’s like saying “you can’t get cancer from smoking if you immediately drink a herbal tea after every cigarette because of its mystical healing properties. Prove me wrong.”
The claim is other people saying "don't use an old OS/mitigations turned off because of drive-by malware."
I am the one asking for proof of this. I know the vulnerability is real, but is there malware on the web, right now, that I might chance upon and risk my data?
I don't think it's untestable. All you need is a counterexample or two to prove it incorrect.
Unless your proposition is that there are groups exploiting minority unsupported OSes but that they all remain successfully undiscovered, like Russell's teapot[0].
But as others point out, there actually is at least one known counterexample - WannaCry/EternalBlue.
I think you're right. If the vulnerability is there and we know about it, it should be straightforward to write a proof-of-concept that anyone on a vulnerable system can experience for themselves.
e.g. If a JavaScriptCore vulnerability allows RCE on a Mac running whatever old version, write something to exploit it and execute the "say" command on that Mac, so anyone running that version can go to that webpage and literally see "wow this is a real exploit that actually works and anyone can abuse".
I'd love to see that. Kind of like the XSS script alert triggers, stuff where you can just paste a bit of code and prove that it -is- exploitable, without it actually doing anything harmful.
AFAIK there is a proof of concept for Spectre or another one of those speculative bugs, but it's academic, so not actually malware on a shady website that tries to steal my bitcoin.
Well, it hasn't happened for quite a few years, but it was quite common years ago to get drive by ad malware on up to date systems even. It's the main reason I started turning off JavaScript, and later using ad blockers. I can't imagine it's impossible today.
With Spectre mitigations rolling out in under a month to almost all PCs, of course there is less incentive to build an exploit. But we know how it was when 90% of PCs were unpatched XP boxes.
I wonder if they are actually possible. Remote code execution in the javascript engine does sound dangerous, but then you also have to get past address space randomisation, and then you need another exploit to escape the sandbox...
https://nvd.nist.gov/vuln/detail/CVE-2019-8601