undefined | Better HN

0 points0cf8612b2e1e2y ago0 comments

Moving goal posts. I guess all of this xz stuff is overblown because we do not have a documented case where it was used? Just research about something that might happen does not count, I guess.

Here is a WebHID attack in Chrome with a 9.8 severity (https://www.cve.news/cve-2023-1529/)

0 comments

1 comments · 1 top-level

modeless2y ago

I moved nothing. You didn't read my original comment that clearly specified "real world attack". Your second link doesn't qualify either. Besides, if you can connect a malicious USB device to the user's computer you've already won. There are a million ways to exploit that which have nothing to do with Chrome.

The xz thing was a big deal precisely because it was a real world attack. It wasn't something created by researchers as a proof of concept and disclosed to vendors. It was discovered in the wild, luckily before it caused any damage, but it was absolutely a real world attack.

j / k navigate · click thread line to collapse