Saturday , 23 June 2018
Home >> S >> Security >> Browser makers build bulwarks to stump Spectre attacks

Browser makers build bulwarks to stump Spectre attacks

Amid the panicked response this week to the news of significant, though not-yet-exploited, vulnerabilities in the vast bulk of the world’s microprocessors, it went almost unnoticed that most browser makers responded by updating their wares in the hope of fending off possible web-based attacks.

The Google-driven revelations – it was members of the search firm’s Project Zero security team who identified the multiple flaws in processors designed by Intel, AMD and ARM – were to go public next week, on Jan. 9, this month’s Patch Tuesday. At that time, a coordinated effort by multiple vendors, from OS developers to silicon makers, was to debut with patches to protect, as best could be done without replacing the CPU itself, systems against flaws grouped under the umbrella terms of Meltdown and Spectre. That plan went out the window when leaks started to circulate earlier this week.

While the most important fixes distributed so far came from chip makers and operating system vendors, browser developers also updated their applications. That’s because Spectre could be leveraged by criminals using JavaScript attack code posted on hacker-run or compromised sites.

According to a group of independent and academic researchers, “Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code.” The researchers also wrote a proof-of-concept that demonstrated how an attacker could use JavaScript to read the address space of a Chrome process – in other words, an open tab – to harvest, say, site credentials that had just been entered.

==[ Click Here 1X ] [ Close ]==