Category Archives: JavaScript

Vulnerability in Microsoft’s anti-malware software

All of Microsoft’s anti-malware software is based on a common core: MsMpEng, the Malware Protection service. That includes Microsoft Security Essentials, System Centre Endpoint Protection, and Windows Defender. If your PC is running Windows, there’s a good chance that MsMpEng is running as well.

Which is bad, because Google’s Project Zero just discovered a vulnerability in Microsoft’s anti-malware engine that has the potential to provide almost unlimited access to any computer running MsMpEng. The vulnerability can be exploited in various ways, including via specially-crafted email that can do its damage without even being opened.

Project Zero’s analysis includes a proof of concept, and shows that the vulnerable component of MsMpEng is nscript, which analyzes any file or activity that appears to be Javascript.

I just checked my Windows 8.1 test PC, and although Windows Defender is disabled, MpMpEng is running, describing itself as ‘Antimalware Service Executable’. On my Windows 7 test PC, I’ve installed Avast, which was supposed to have disabled Microsoft’s software; but again I see that MsMpEng is running.

If Windows Defender is disabled, why is MsMpEng running? If it’s disabled, is the computer still vulnerable to this exploit? I’d like to think that even though MsMpEng is running, it’s not actively analyzing file and network activity, in which case the vulnerability would be mitigated. But it’s difficult to know for sure.

In any case, Microsoft has issued an update, and since all of their various anti-malware offerings update themselves automatically, most Windows systems may already have the necessary fix in place. You can find out by checking your software’s ‘About’ information. For example, if you’re running Windows Defender for Windows 8.1, double-click the blue shield icon to open its interface, then click the small triangle next to Help and select About. In the About dialog, look for Engine Version; if it’s 1.1.13704.0 or later, it’s up to date.

Report from Ars Technica.

Firefox 46 released

It’s a major new revision for Firefox, so there are lots of cool new features and enhancements to discuss, so Mozilla actually announced the release on their main blog. Typical of Mozilla announcements, the version is never mentioned.

At least the announcement lists the changes: “improved look and feel for Linux users, a minor security improvement and additional updates for all Firefox users.” Not much there. Turning to the release notes, it looks like the minor security improvement is related to Javascript. Other changes include ten security fixes, and fixes for a few other bugs.

Since several security vulnerabilities are addressed in 46.0, anyone using Firefox should install the new version as soon as possible.

Big web performance boost expected with WebAssembly

Javascript is the universal programming language of the web. Almost all web sites use it to some extent, including this site (boot13). Although many users (including myself) use Noscript and similar systems to block Javascript when browsing unfamiliar sites, it’s difficult to use many popular sites without it. For example, I spend a lot of time using Google Analytics, and I’ve configured Noscript to allow JavaScript code to run on that site.

One of the problems with JavaScript is that it’s a scripted language. That means your web browser has to parse JavaScript code, one line at a time. This is a very slow process, and contributes to slow loading times on many major sites.

Various efforts to speed up JavaScript have come and gone, without much traction. Now, several major software developers have teamed up to try again. A new JavaScript assembler called WebAssembly (aka wasm) is under development by Mozilla, Microsoft, Google, and Apple. It’s too soon to know exactly when WebAssembly will start appearing in web browsers, but we’re hopeful that it will become the new standard when it does.