Browser makers move to mitigate risk of Spectre browser attacks
Apple has confirmed that it has already pushed out security updates for iOS, macOS and tvOS that mitigate the danger of users being affected by Meltdown attacks. (watchOS did not require mitigation.)
The updates were released in early December, and apparently there is no measurable reduction in the performance of macOS and iOS due to the implementation of the mitigations.
But, when it comes to reducing the risk of Spectre attacks, updates are yet to be released.
“Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or ‘bounds check bypass,’ and CVE-2017-5715 or ‘branch target injection.’ These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call,” the company explained.
“Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.”
They expect that the upcoming Safari mitigations will have little impact on computer speeds, and are assuring users that they “continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”
Firefox, Google, Microsoft
Other browser makers have also pushed out or announced updates that mitigate the risk of Spectre attacks through the browser.
“Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web page could read data from other web sites (violating the same-origin policy) or private data from the browser itself,” Mozilla noted.
“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox.”
Google says that the current stable version of Chrome (Chrome 63) includes an optional feature called Site Isolation, which can be enabled to provide Meltdown and Spectre mitigation by isolating websites into separate address spaces.
“Chrome’s JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack. Additionally, the SharedArrayBuffer feature is being disabled by default. The mitigations may incur a performance penalty,” the company added.
Microsoft released updates for Internet Explorer and Edge on Wednesday.
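The two browser-side changes quoted above (coarser time sources in Firefox, SharedArrayBuffer disabled by default in Chrome) can be checked from script. The following is an added example, not code from the article or from any browser vendor; the function names, the 0.005 ms fake clock and the 1 ms clamp are constructed for illustration and are not the values any browser uses.

```javascript
// Added example (not from the article or any vendor). Checks two things the
// quoted mitigations change: how fine-grained a time source is, and whether
// SharedArrayBuffer is exposed. All names and sample values are illustrative.

// Model of the mitigation: clamp a clock to multiples of resolutionMs.
function coarsen(clock, resolutionMs) {
  return () => Math.floor(clock() / resolutionMs) * resolutionMs;
}

// Smallest non-zero step seen between consecutive readings of clock().
// Returns null if the clock never advanced within maxReads reads.
function estimateGranularity(clock, steps = 50, maxReads = 5e6) {
  let smallest = Infinity;
  let prev = clock();
  let seen = 0;
  for (let i = 0; i < maxReads && seen < steps; i++) {
    const now = clock();
    if (now !== prev) {
      smallest = Math.min(smallest, now - prev);
      prev = now;
      seen++;
    }
  }
  return seen === 0 ? null : smallest;
}

// Summarise the timing surface of an environment object (e.g. globalThis).
function auditTimingSurface(env) {
  const perf = env.performance;
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer === "function",
    timerGranularityMs: perf && typeof perf.now === "function"
      ? estimateGranularity(() => perf.now())
      : null,
  };
}

// Constructed clock for offline runs: advances 0.005 ms per read.
function makeFakeClock(stepMs = 0.005) {
  let reads = 0;
  return () => ++reads * stepMs;
}

if (typeof globalThis !== "undefined") {
  console.log(auditTimingSurface(globalThis));
}
```

Run in a browser console, the last statement reports what that browser currently exposes; a larger `timerGranularityMs` means a coarser clock.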
Mitigation guidance
US-CERT has offered guidance on how to minimize and/or remove the danger of being targeted by the two attacks, and provided links to updates pushed out by various vendors.
The organization still says that “due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.”
The Computer Emergency Response Team Coordination Center (CERT/CC) initially noted that a solution for removing all risk from these attacks is to replace the vulnerable CPU hardware. This pronouncement has since been removed from the vulnerability note.