and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.

I am almost willing to bet $$$ that they would be fine if they had JS disabled.

That also reminds me of something I remember reading about many years ago on an RE site: "You hear about all the bugs they fix in each update. You don't hear about all the new ones they introduced."

> I am almost willing to bet $$$ that they would be fine if they had JS disabled.

I am fully willing to bet $$$$ that they would be fine if they had air-gapped their computer.

Unfortunately, disabling JS is only marginally more practical than completely forgoing access to the web, and it is only going to get worse as more sites and services rely on JS.

The real solution, which is perfectly practical and realistic, is to install uMatrix and put it into strict mode, then whitelist domains that you trust and use often.

Give it a week and you’ll find yourself very rarely having to make policy changes. We spend most of our time on just a handful of sites.