I remember getting a new version of (now classic) NES emulator Nesticle and finding a new menu option simply called "Pentium bug". Of course I had to try it out. Nothing happened. Literary nothing, because my whole system had of course freezed up...
I actually found an Intel Ice Lake bug (on a MacBook Air) like this, but unfortunately I could not claim a bounty since I wasn't the first. A number of people found it independently.
I don't think anyone found a way to trigger it via JavaScript but it was easy to reproduce for some reason via the JVM. AFAIK Intel never released exactly what it was, just a microcode update.
X64 has a horrifically complex legacy encoding and tons of extensions including many that are obsolete but still supported. It really lends itself to these kinds of bugs.
Every mature architecture including ARM/ARM64 has cruft, but X86/X64 is particularly bad.
Surely it's not possible to run untrusted arbitrary straight on the metal assembly from the browser? Or if so, the only via JS VM exploits that could be patched via browser updates, right?
Not having the ability to exploit machine metal level exploits via browser in a way that can't be patched via security updates seems like progress, even though it it's progress with a lot of caveats.
If I'm wrong, I'm reinstalling all my noscript extensions...
Of course, as a non-security guy, I'm still shocked that signed windows binaries can load unsigned dlls without any warnings - at least os x has some checks around this - so maybe I'm just naive
You don't need to run straight on the metal assembly to exploit processor bugs. In this particular case of the Pentium F00F bug, I admit it seems difficult to tease a JIT compiler to generate such an instruction as it is not in fact a legal x86 instruction according to the ISA. I wouldn't be confident in saying it is impossible though. I've seen weirder things done.
But speaking generally as I meant to in my earlier comment, nearly all privilege-escalating processor bugs which have followed have been remote exploitable via the browser's JavaScript JIT compiler. A quick google will get you prototype research implementations of Rowhammer, Spectre, and Meltdown which can be served for execution as script on a webpage and extract information from vulnerable clients.
Getting full control over the instructions a JIT will produce, which you would need to have it generate invalid instructions, would also let you take over the entire web content process. In this case you also get to lock up the process, which might be more desirable depending on your goals, but it's certainly a logic bug in the JIt (missing bounds check, overflow, etc.) rather than something like Rowhammer, where a JIT might lower your JavaScript for loop into a tight assembly loop that lets you do bad things to the hardware.
Well back in the days of java applets, running un-sandboxed was considered a "feature" of code-signed applets... and you could then do a loadLibrary of a bundled native .dll and go wild
Downloading something that makes your computer freeze up is not unthinkable today. Occasionally someone would post (here on HN) a link to a huge PDF on GitHub. As soon as I click it in Chrome on Linux (Windows doesn't seem vulnerable to this) the computer becomes so slow it's not even possible to close Chrome any more. And AFAIK I'm not alone: I already mentioned this here in the past and people confirmed.
Plenty of remote execution bugs found every year in major software that could lead to much bigger problems. Sure, this could lock up your computer, but the ActiveX program itself could actually send data out, just like what can be (and is frequently) done with RCE bugs.
