undefined | Better HN

0 pointsasadotzler2y ago0 comments

drive-by system takeover isn't on your threat list?

0 comments

> drive-by system takeover isn't on your threat list?

How would that "drive-by system takeover" happen?

AFAIK, Windows 7 came with its network firewall enabled by default, so most services wouldn't be exposed to the network. And that network is often a local network, with another firewall separating it from the rest of the Internet. For many users, the only exposed attack surface would be the web browser itself.

ocdtrekkie2y ago

Firefox is I believe the last browser here to announce dropping Windows 7, but a ton of web-connected OS features in Windows 7 use Internet Explorer to load content, and dangerously outdated IE at that. At least with Windows 8, also a bad idea, many of those connected features use the legacy Edge engine which is (marginally) better.

Dalewyn2y ago

Nope. The machine's behind a router and its own firewall. Most JavaShit is disabled in the web browsers. Why would a drive-by attack be in my threat model?

ocdtrekkie2y ago

There's a lot more ways to exploit a Windows OS than JavaScript if you load websites at all. We won't even get into "if you ever read an email or open a document".

Have you ever seen things in a different font?

Dalewyn2y ago

Sure, fonts local to my machine. Remote fonts can go to hell, and I've likewise got cookies and JavaShit all blocked as emails go because WTF does email need them for?

Seriously, my threat model doesn't include anything that updates claim to guard against. I'm not a fucking enterprise server, nor does any government specifically want my shit. Try arguing for me to update my router before talking about the virtues of Windows updates, at least that might alleviate random port scans and the like which are in my threat model.

I'm far more likely to get pwned by some service getting hacked and leaking my shit rather than /me/ getting hacked. People who scream at me that EOL Windows is dangerous can go pound sand, because they have no clue WTF they're crying about.

shadowgovt2y ago

Does disabling JavaScript also disable loading iframes? IIRC it does not, but my memory's hazy on the topic.

This exploit allows arbitrary code execution by requesting too big a height for an iframe, which corrupts a GDI data structure.

https://www.cvedetails.com/cve/CVE-2011-5046/

1 more reply

j / k navigate · click thread line to collapse

0 comments

cesarb2y ago

> drive-by system takeover isn't on your threat list?

How would that "drive-by system takeover" happen?

ocdtrekkie2y ago

Dalewyn2y ago

Nope. The machine's behind a router and its own firewall. Most JavaShit is disabled in the web browsers. Why would a drive-by attack be in my threat model?

ocdtrekkie2y ago

There's a lot more ways to exploit a Windows OS than JavaScript if you load websites at all. We won't even get into "if you ever read an email or open a document".

Have you ever seen things in a different font?

Dalewyn2y ago

Sure, fonts local to my machine. Remote fonts can go to hell, and I've likewise got cookies and JavaShit all blocked as emails go because WTF does email need them for?

shadowgovt2y ago

Does disabling JavaScript also disable loading iframes? IIRC it does not, but my memory's hazy on the topic.

This exploit allows arbitrary code execution by requesting too big a height for an iframe, which corrupts a GDI data structure.

https://www.cvedetails.com/cve/CVE-2011-5046/

1 more reply

j / k navigate · click thread line to collapse