50% of Websites Using WebAssembly Apply It for Malicious Purposes

[amd6502]

This story was showed up in slashdot today; the conclusions don't surpise too much.

Recent Study Estimates That 50% of Websites Using WebAssembly Apply It for Malicious Purposes

A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites execute WebAssembly (Wasm) code. The study moreover finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation.

www.infoq.com

 

[VirtualLarry]

Uhm, WTF is "WebAssembly"? Assembly code for the web? Does it execute in some sort of virtual machine? Is this standard on any common web browser? Why have I never heard of this before???

(I used to code x86 16/32-bit ASM back in the 386 days, so I know a little bit about this. I don't expect that this Wasm would translate directly into native opcodes, right? It must execute in a virtual machine, ala JVM or something, right?)

 

[13Gigatons]

Can it be disabled?

 

[amd6502]

Uhm, WTF is "WebAssembly"? Assembly code for the web? Does it execute in some sort of virtual machine? Is this standard on any common web browser? Why have I never heard of this before???

(I used to code x86 16/32-bit ASM back in the 386 days, so I know a little bit about this. I don't expect that this Wasm would translate directly into native opcodes, right? It must execute in a virtual machine, ala JVM or something, right?)

WebAssembly is a very bad idea. But yes the originators and proponents say that it is very high performance so it should be a "good" replacement for java.

Can it be disabled?

That's actually a really good question. I don't think it's easy to disable it in firefox. Not sure about chrome either but my gues is it's difficult.

Some browsers like palemoon don't even support it so that's one way to avoid it. Older versions of FF like versions 50-something have wasm disabled by default but are also not supported/updated anymore.

If anybody can do some testing and research on this question that would be great to hear about. So far I'm at the googling stage (found https://github.com/stevespringett/disable-webassembly).

I've also searched the about:config for "wasm" and found a handful of options, none of which disable wasm .

 

[13Gigatons]

Some browsers like palemoon don't even support it

Palemoon....yes!

 

[JimKiler]

WebAssembly is a very bad idea. But yes the originators and proponents say that it is very high performance so it should be a "good" replacement for java.



That's actually a really good question. I don't think it's easy to disable it in firefox. Not sure about chrome either but my gues is it's difficult.

Some browsers like palemoon don't even support it so that's one way to avoid it. Older versions of FF like versions 50-something have wasm disabled by default but are also not supported/updated anymore.

If anybody can do some testing and research on this question that would be great to hear about. So far I'm at the googling stage (found https://github.com/stevespringett/disable-webassembly).

I've also searched the about:config for "wasm" and found a handful of options, none of which disable wasm .

So should we go back to using Flash, LOL?