How Browser Vendors respond to fight the Spectre Vulnerability



The Spectre vulnerability affects modern microprocessors with speculative execution, and thus the data cache - programs that accept requests may be tricked into reading private data, consequently, can modify the state of the data cache.

While the exploit hasn't hit the world's biggest microprocessors in the wild, as it's almost unnoticed, most browser makers have responded by updating their software to fend off a possible attacks based on Spectre.

The exploit first spotted by Google's Project Zero security team who identified the multiple flaws in processors designed by Intel, AMD and ARM, though not-yet-exploited in the vast bulk of the world's microprocessors.

Spectre could easily be leveraged by criminals using JavaScript attack code posted on hacker-run or compromised sites, thus can also violate browser sandbox technology, by mounting them via portable JavaScript code.

The Google research team in a proof-of-concept demonstrated how an attacker could use JavaScript to read the address space of a Chrome process, via open tab, and also access site credentials that had just been opened.

Albeit, the most important fixes distributed so far have been from chip makers and operating system vendors, who have updated their applications.

Browser makers, including OS developers, are about now working on patches, as best as could be done without replacing the CPU, but effective against the flaws grouped under the umbrella terms of Meltdown and Spectre.

Google Chrome for Windows, macOS and Linux version 63 which debuted about a month ago, came with a new security technology, called "Site Isolation." Google has urged its customers to enable the feature - which is off by default in Chrome 63 - to effect better defence against Spectre attacks.

Also Google has promised more anti-Spectre defenses in Chrome 64, slated to debut in the week of January 21, with additional mitigations, and highlighted modifications to Chrome's JavaScript engine, V8.

Microsoft has equally issued updates for Internet Explorer (IE) and Edge for Windows 10, as well as IE patches for Windows 7 and Windows 8.1 this week.

The Microsoft updates can be downloaded in the form of the usual Security Monthly Quality Rollup for Windows 7/8.1 or the Security Only Quality Update for the same versions.

And for Firefox users, Mozilla has updated its browser to version 57.0.4 with the same two mitigations as other browser developers.

While Apple confirmed that the December updates to macOS and iOS introduced defensive measures to help defend off Meltdown, and the Spectre vulnerabilities. The company also promised to release an update for Safari on macOS and iOS in the coming days to mitigate the exploits.
Previous
Next Post »