Security News: Some Spectre In-Browser Mitigations Can Be Defeated

LASER_oneXM (thread author)
Some of the protections against the Spectre CPU vulnerability introduced in modern browsers can be defeated, security researchers revealed this week.

According to research published by Aleph Security on Tuesday, the company's researchers were able to put together proof-of-concept code that retrieves sensitive data from a browser's protected memory.

The browsers were running a version that received mitigations against such attacks, researchers said.

The Aleph team says their PoC bypassed Spectre mitigations and retrieved data from browsers such as Edge, Chrome, and Safari. They were not able to retrieve browser memory data from Firefox, mainly because of a different type of mitigation Mozilla had used for its browser.

Researchers bypass Spectre v1 in-browser protections

More precisely, researchers bypassed the in-browser mitigations introduced to fend off the Spectre v1 CPU vulnerability, the only one of the Meltdown and Spectre bugs that could be exploited via a web browser.

... ...
Edge, Chrome, Safari protections defeated

But Noam Hadad and Jonathan Afek, two security researchers with Aleph Security, said they were able to find a way around the index masking mitigation (1), data timing mitigations (3 & 4) and jittered timer outputs (5).


The two put together proof-of-concept code —also shared on GitHub— that defeats the above mitigations and retrieves data from a browser's protected memory —data that a malicious page should not be able to access under normal circumstances.

Deleted member 65228

> But the article said that enabling the Chrome flag for Strict Site Isolation is a good mitigation for this.
It is.

Spectre exploitation requires the perpetrator to have code execution within the context of the affected process, and only memory for the affected process can be leaked back to the perpetrator.

The 'Strict Site Isolation' feature enforces usage of more processes as a form of isolation against Spectre exploitation attacks, which means in the event of Spectre exploitation (being formed via malicious JavaScript loaded locally by the browser from a malicious website, for example), you'd technically be safer. You'd 'technically be safer' because there's less potential data available for leak back to the perpetrator.
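For an administrator who wants the setting enforced rather than left to a per-user chrome://flags toggle, here is an added example (not from the thread, from Google, or from Aleph Security) that writes Chrome's managed SitePerProcess policy and classifies browser command lines by whether they carry the site-isolation switch. It assumes Chrome on Linux, its managed-policy directory /etc/opt/chrome/policies/managed, the --site-per-process and --disable-site-isolation-trials switches, and the sample command lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Google): pin Chrome's strict
# site isolation with a managed policy and classify a browser command line.
# Assumes Linux Chrome's managed-policy directory and the documented
# --site-per-process / --disable-site-isolation-trials switches.

POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# Write a managed policy that enables SitePerProcess for every profile on
# the host. Unlike the chrome://flags toggle, a managed policy cannot be
# switched back off by the user.
write_site_isolation_policy() {
    dir="${1:-$POLICY_DIR}"
    mkdir -p "$dir" || return 1
    printf '{\n  "SitePerProcess": true\n}\n' > "$dir/site-isolation.json"
}

# Classify one command line: prints "enabled" when --site-per-process is
# present and the disabling switch is not, otherwise "disabled".
# Padding with spaces matches whole switches only, so e.g. (constructed)
#   "/opt/google/chrome/chrome --site-per-process --user-data-dir=/tmp/x"
# is "enabled" and the same line plus --disable-site-isolation-trials is not.
site_isolation_state() {
    padded=" $1 "
    case "$padded" in
        *" --disable-site-isolation-trials "*) echo disabled ;;
        *" --site-per-process "*) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Audit every running chrome process via /proc/<pid>/cmdline (NUL-separated,
# so translate to spaces). Returns 1 if any process lacks site isolation.
audit_running_chrome() {
    rc=0
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null)
        case "$cmd" in
            */chrome\ *) ;;          # only chrome binaries
            *) continue ;;
        esac
        pid=${f#/proc/}; pid=${pid%/cmdline}
        state=$(site_isolation_state "$cmd")
        printf '%s %s\n' "$pid" "$state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

if [ "${1:-}" = audit ]; then audit_running_chrome; fi
```

Run with `audit` as the first argument to list live chrome processes and their state; a policy-enabled isolation that was not also passed as a switch still shows in chrome://process-internals rather than on the command line.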

SumTingWong

No. It is harvesting directly from the browser; it is not penetrating into the local system through this exploit. But the article said that enabling the Chrome flag for Strict Site Isolation is a good mitigation for this.

This feature is not on by default unfortunately. Maybe Google will enable this feature default later?

shmu26

> This feature is not on by default unfortunately. Maybe Google will enable this feature default later?
If it doesn't break too many sites, and it doesn't hurt performance, then they usually make the new features into default.
For instance, I have a few of the Chrome flags enabled, and a certain banking site does not work. I never bothered to figure out which flag breaks the bank, I just use Edge if and when I need that particular website.

SumTingWong

> If it doesn't break too many sites, and it doesn't hurt performance, then they usually make the new features into default.
> For instance, I have a few of the Chrome flags enabled, and a certain banking site does not work. I never bothered to figure out which flag breaks the bank, I just use Edge if and when I need that particular website.

Well, I guess the permanent fix has to be a new CPU that isn't affected by Spectre.