Tag Archives: Chrome

Chrome’s new Site Isolation feature protects users from the Spectre vulnerability

14 July 2018

Spectre

Spectre

A new variant Spectre V1.1 (1) was published on July, 10 2018 by Vladimir Kiriansky and Carl Waldspurger. The vulnerability is tracked in CVE-2018-3693 (2). The good news is that the CVSS V3 score is 5.6 (Medium) with attack vector Local.

As with the original Spectre vulnerability CVE-2017-5753 (3) published in January 2018 the greatest risk for business users and consumers bears in malicious websites weaponized with drive-by downloads or viruses (4) using the Spectre POC code.

The virus issue is easy to mitigate. The inbuilt auto-update feature of anti-malware solutions ensures that the latest pattern updates are available within few hours after a virus shows up in the wild.

But the internet issue is much harder to solve, in particular for consumers and SME. Fortunately, Goggle announced on July 11, 2018 a new feature Site Isolation for the Chrome browser that mitigates the risk borne from the Spectre vulnerability.

Chrome is based on a multi-process architecture. Different tabs are rendered by different renderer processes. With site isolation enabled, cross-site iframes are rendered in different processes than the parent frame and data exchange between the parent and the iframe processes is blocked. For a technical overview see Charlie Reis’s post ‘Mitigating Spectre with Site Isolation in Chrome’ (5). Further details are available from the Chromium Projects (6).

Site Isolation is available since Chrome 67. Input chrome://flags/#enable-site-per-process to check if the feature is enabled:

Chromium Strict Site Isolation Feature

Chromium Strict Site Isolation Feature

If you use an older version of Chrome Site Isolation is the best opportunity to update to the latest version.

Have a great weekend.


  1. Beltov M. CVE-2018-3693: New Spectre 1.1 Vulnerability Emerges [Internet]. SensorsTechForum. 2018 [cited 2018 Jul 14]. Available from: https://sensorstechforum.com/cve-2018-3693-new-spectre-1-1-vulnerability-emerges/
  2. CVE-2018-3693 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-3693
  3. CVE-2017-5753 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2017-5753
  4. FortiGuard SE Team. Meltdown/Spectre Update [Internet]. Fortinet Blog. 2018 [cited 2018 Jul 14]. Available from: https://www.fortinet.com/blog/threat-research/the-exponential-growth-of-detected-malware-targeted-at-meltdown-and-spectre.html
  5. Reis C. Mitigating Spectre with Site Isolation in Chrome [Internet]. Google Online Security Blog. 2018 [cited 2018 Jul 14]. Available from: https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html
  6. The Chromium Projects. Site Isolation – The Chromium Projects [Internet]. [cited 2018 Jul 14]. Available from: https://www.chromium.org/Home/chromium-security/site-isolation
Advertisements

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report.  Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) had been run to check how effective they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end-users because the inbuilt browser features were evaluated in the test.

When it comes to protection against phishing attacks the time needed until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.