Tag Archives: Spectre

Chrome’s new Site Isolation feature protects users from the Spectre vulnerability

14 July 2018

Spectre

Spectre

A new variant Spectre V1.1 (1) was published on July, 10 2018 by Vladimir Kiriansky and Carl Waldspurger. The vulnerability is tracked in CVE-2018-3693 (2). The good news is that the CVSS V3 score is 5.6 (Medium) with attack vector Local.

As with the original Spectre vulnerability CVE-2017-5753 (3) published in January 2018 the greatest risk for business users and consumers bears in malicious websites weaponized with drive-by downloads or viruses (4) using the Spectre POC code.

The virus issue is easy to mitigate. The inbuilt auto-update feature of anti-malware solutions ensures that the latest pattern updates are available within few hours after a virus shows up in the wild.

But the internet issue is much harder to solve, in particular for consumers and SME. Fortunately, Goggle announced on July 11, 2018 a new feature Site Isolation for the Chrome browser that mitigates the risk borne from the Spectre vulnerability.

Chrome is based on a multi-process architecture. Different tabs are rendered by different renderer processes. With site isolation enabled, cross-site iframes are rendered in different processes than the parent frame and data exchange between the parent and the iframe processes is blocked. For a technical overview see Charlie Reis’s post ‘Mitigating Spectre with Site Isolation in Chrome’ (5). Further details are available from the Chromium Projects (6).

Site Isolation is available since Chrome 67. Input chrome://flags/#enable-site-per-process to check if the feature is enabled:

Chromium Strict Site Isolation Feature

Chromium Strict Site Isolation Feature

If you use an older version of Chrome Site Isolation is the best opportunity to update to the latest version.

Have a great weekend.

  1. Beltov M. CVE-2018-3693: New Spectre 1.1 Vulnerability Emerges [Internet]. SensorsTechForum. 2018 [cited 2018 Jul 14]. Available from: https://sensorstechforum.com/cve-2018-3693-new-spectre-1-1-vulnerability-emerges/
  2. CVE-2018-3693 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-3693
  3. CVE-2017-5753 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2017-5753
  4. FortiGuard SE Team. Meltdown/Spectre Update [Internet]. Fortinet Blog. 2018 [cited 2018 Jul 14]. Available from: https://www.fortinet.com/blog/threat-research/the-exponential-growth-of-detected-malware-targeted-at-meltdown-and-spectre.html
  5. Reis C. Mitigating Spectre with Site Isolation in Chrome [Internet]. Google Online Security Blog. 2018 [cited 2018 Jul 14]. Available from: https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html
  6. The Chromium Projects. Site Isolation – The Chromium Projects [Internet]. [cited 2018 Jul 14]. Available from: https://www.chromium.org/Home/chromium-security/site-isolation

Spectre and Meltdown – No need to enter Panic Mode

7 January 2018

Spectre Icon

Spectre

When I read about Meltdown and Spectre in the Reuters Technology News early on Wednesday morning I digged directly somewhat deeper to find details about the access vectors and severity. From a quick view of the published material I concluded that these vulnerabilities were only locally exploitable and would have medium to high impact. No need to panic.

Media coverage was very high the next morning. Even the German local radio stations brought details about Spectre and Meltdown in the news, although there was no ground for public panic.

The following table shows the Meltdown and Spectre vulnerability details:

Meltdown and Spectre Vulnerability Details, CVSS V3 Metrics

Meltdown and Spectre Vulnerability Details, CVSS V3 Metrics

Sources: [1] NIST NVD, [2] RedHat Customer Portal[3] NIST NVD
Abbreviation list: AV: Access Vector, AC: Access Complexity, PR: Privileges Required, UI: User Interaction, C: Confidentiality, I: Integrity, A: Avaliability

To exploit these vulnerabilities an attacker must have either local access to a system on your network (Access Vector Local) or access to your local network (Access Vector Adjacent Network).

But why should an attacker, who got access to a system on your network, exploit e.g. Meltdown to extract passwords from the memory of a process? The access complexity is high; thus, the likelihood of early detection goes up.

We can expect that cyber criminals don’t behave irrationally. They choose the attack method with low chance of detection. And recent publications suggest this:

According to the Ponemon 2017 Cost of Data Breach Study the Mean Time to Identify (MTTI) a data breach in 2016 was 191 days, down from 201 days in 2015. If cyber criminals would behave irrationally, the MTTI would be much shorter.

Thus, there is no need for panic. Just apply the latest patches and check the performance of critical systems.

Have a great week.