"JJ" <
jj4p...@vfemail.net> wrote
| Either way, the fact that the scripting engine is also used by Windows
| Scripting Host which are still quite widely used to administer systems -
| especially servers, and not just used by MSIE, I think Microsoft will
| provide a patch for it.
I doubt that's true, though I'm not certain. My
understanding is that wscript.exe is the interpreter
for Windows scripting. IE probably has its own.
According to the articles I find, the bug is as yet
undescribed but is said to be similar to a recent Firefox
bug. That bug is related to their WebAssembly "JIT
compiler" monkey business, which has already had
problems in the past. But that won't stop them because
the browser makers are in a race to be the fastest at
handling several MB of javascript linked into a webpage.
I'm guessing those kinds
of bugs are only going to get worse as they try to
get webpage scripting as close as possible to compiled
software.
On the bright side, it seems to be possible to bypass
the JIT compiler in FF by setting all prefs with
"baselinejit" or "ion" to false.
The question, then, is how long has IE had JIT
compiling. Probably it can't be disabled in IE. But
does it date back a ways or is it only in IE 11? I
don't know and they may not tell us. (That's another
reason not to suspect a wscript tie-in. WScript hasn't
changed for years. Trying to pull off scam compiling
with browser javascript is a relatively new idea.)
But what kind of nut is going online with IE? People
using Win10 can now use Edg[Chrome] if they have IE
rendering issues with particular sites. People using
older systems can never have a fully up-to-date
version of IE. That was demonstrated with last week's
crypt32 bug. It's not a problem pre-Win10 because
IE doesn't update crypt32. The halfway tie-in with
the system has been a fatal flaw with IE ever since
IE4 with Active Desktop. No one should ever have been
using it for online browsing.
(Interestingly, the vulnerability last week was with elliptical
curve cryptography, exactly the thing that obiwan was
saying in the VB group would be one of the advancements
leaving behind XP eventually, in terms of security. :)