
Holes in the Armour?
Though they didn't extend this to a browser-based attack, the mere suggestion that it might be possible is troubling. We can already unwind ASLR in JavaScript, and now there's a hint that a file system might be abused too. Some out there will now be chipping away at this one too.
I fear that there might one day be an exploit out there that is hard to defeat without chopping off a load of functionality. I don't think that it's likely at the moment, but we're currently heading towards such a thing, not away from it.
I sense that the approach taken so far by the webby world is to consider any conceivable exploit to be fixable with software changes. This might turn out to be incorrect. If that does indeed happen, JavaScript and HTML5 suddenly become very bad ideas - Java and Flash plugins bad. And an awful lot of things break really badly. It's probably time someone started working on a Plan B.
If this does go wrong in a big way, the whole philosophy of client-side execution of random JavaScript loaded from anywhere on the web would have to be reconsidered. We've had two previous goes at it - Java and Flash - and they didn't work out. Our third go, JavaScript, is clearly our best effort yet. If that does become a liability, we should take that as a hint that client-side execution of random code from t'web is fundamentally a bad idea.
That would leave us with server-side execution. That would be highly unpalatable. But it might be our only way forward.
Anyone willing to have XServer frames in a browser?