Discussion on Hacker News: Downfall Attacks | Hacker News
So yet another Intel speculative execution / microarchitectural state bug.
As always, for personal computers, the risk of this bug depends on whether you run untrusted code on your computer.
It is not yet stated whether this is exploitable from a web browser.
For servers, the possibilities are more obvious … although I did wonder about which VPS (VM) scenarios are vulnerable and which, if any, are not.
Which is practically always unless you also think that every program you run can have access to all your passwords (including root password) without any bad consequences.
That rather depends on one’s definition of “untrusted” but I don’t run untrusted code on my computer. If it were untrusted, I wouldn’t run it. Or if running it is unavoidable, I would run it on a dedicated computer.
As this bug is (assumed?) Intel-only, “apps” doesn’t really apply and phones should be safe. On desktop/laptop I’m not even running any containers for untrusted code except for …
So for my situation it becomes critical whether this can be exploited from within a web browser and even more specifically from within a web browser that is running inside a container (noting of course that there are multiple different container technologies that may or may not have different behaviour as far as this bug is concerned).
For bonus points: can this be exploited from within a standalone Java program? (because I do have one other computer that is dedicated to running an untrusted Java program)