-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi,
>>>> On 12/6/19 3:16 am, Holger Levsen wrote: >>>>> On Wed, Jun 12, 2019 at 03:05:13AM +1000, Andrew McGlashan >>>>> wrote: >>>>>> Exploiting the flaws needs malicious code to be running >>>>>> on your box. If you are in total control over all VMs >>>>>> and processes on the box, then you should be good. >>>>> do you use a webbrowser with javascript enabled? >>>> Good point, yes that is another risk. > Actually though, if you update your browser to lessen the > granularity of time that the exploits require, it might not be an > issue. So, don't run an out of date browser.... is that enough? It doesn't have to be JavaScript, it can be ANY scripting. When it comes to an updated browser, the exploit relies upon very precise timing differences between operations -- if the browser won't report timing with enough precision, then the exploit cannot work reliably if at all (probably not at all). Now as for TB, well, one would hope (I don't now the answer), that they too have implemented the same fixes that Mozilla made for Firefox to thwart the success of an exploit as well, ie have timing being less granular to be able to perform the exploit. Anyway, if the CPU microcode can be attained for the older CPUs, then the licensing issue with Debian providing it is no longer a concern (I believe). Refer https://01.org/mcu-path-license-2018 Cheers A. -----BEGIN PGP SIGNATURE----- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXQkrpQAKCRCoFmvLt+/i +zHAAP4nK5G7HuNv+YzJBjb0aU4e06faITqYO4/pVxARNed8BQD/ZygkaIizLAte 0MuzlcPSQSjN04zlTUo9gxqD18ttbAE= =21rJ -----END PGP SIGNATURE-----