zlacker

3 comments
1. derf_+(OP) 2026-02-02 04:24:10
It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.
replies(1): >>mmis10+Y1
2. mmis10+Y1 2026-02-02 04:44:55
>>derf_+(OP)
Like… a browser? Or anything with script-loading capabilities, like a script engine in games. Executing remote scripts is almost unavoidable nowadays.

And there isn't really a way to confirm if it is configured in a secure way.

You either trust the developer or not.

replies(2): >>einr+p5 >>g-b-r+ia
3. einr+p5 2026-02-02 05:19:36
>>mmis10+Y1
At least JS code in a browser is sandboxed. A Notepad++ update is just rawdogging an executable on your bare metal, perhaps with admin privs even, and hoping for the best.
4. g-b-r+ia 2026-02-02 06:19:14
>>mmis10+Y1
First, it wasn't even the developer who compromised people here; second, scripts in most cases are orders of magnitude less dangerous than a Windows executable.

And in many cases you can get some protection from a developer going rogue (or not writing perfect code); it's not all or nothing.
