hake

Meltdown/Spectre, JavaScript, web browsers and MBAE


With regard to Meltdown/Spectre and the now apparent role of JavaScript to execute Meltdown/Spectre exploits within web browsers, is MBAE able to identify and mitigate the behaviour of scripts run with JavaScript in the context of Meltdown/Spectre?


MBAE does prevent script-based drive-by downloads. If that's the method of distribution of the Meltdown/Spectre payloads, then MBAE should block it.

Much of my very modest understanding of the web browser situation has been gleaned from the articles via the following URLs: -
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://www.chromium.org/Home/chromium-security/ssca

I always block third party cookies with Firefox, Google Chrome and Opera 12.17.

Google Chrome has an experimental feature of Site Isolation, i.e. isolation of the code for each site being run in different processes. I have enabled this.

The browser developers are rapidly developing mitigations.  There are more to come on 23 January for both Google Chrome and Firefox.

With Firefox which I use for my banking, I use NoScript which allows only my bank's web site to use JavaScript and enforces use of JavaScript with secure pages only. There are other restrictions but as far as Meltdown/Spectre are concerned, the critical thing seems to be to isolate the web browsing session to my bank only.  Basically, I use Firefox only for accessing my bank account data.

Here is a browser check for Spectre: -
CAUTION: I have been made aware by others that Tencent apparently has a less than gleaming reputation with regard to its testing and web browser tools.
https://xlab.tencent.com/special/spectre/spectre_check.html
Firefox ESR 45.0.9, Comodo Dragon 33.1.0.0 (third party cookies blocked) and Opera 12.17 on my XP system (Jan 2018 Microsoft Windows XP security updates KB4056615 and KB4056941 installed) are all said by the check not to be vulnerable to Spectre.  The same goes for my up-to-date and patched Windows 7 SP1 64-bit systems with Firefox ESR 52.5.3 and Google Chrome 63.0.3239.132.

However, Steve Gibson's inspectre.exe (downloaded via https://grc.com/inspectre.htm) says that my Windows 7 and Windows XP systems are vulnerable to Spectre (so much for the January 2018 security updates!) but not to Meltdown.  I do not have access to firmware updates (yet?). I infer from the Tencent check that the browsers work in such a way as not to allow code which extracts data from memory to operate. I guess that my only likely practical exposure to the Spectre vulnerability is by using a web browser on web sites over the Internet.

If my above assumptions are nonsense, please tell me.  I would rather be corrected than continue deluding myself (if that is the case).

Edited by hake


For those who build their own PCs or use Toshiba computers there seems to be no way of installing Intel and AMD updates. In that case the Microsoft security updates for Meltdown/Spectre seem only to be ineffective system-slowing entities.

The main vulnerability presently seems to exist in web browsers and there lies, in the short term at least, the best hope for mitigating processor security flaws.

I hope that more browser checkers like Tencent's become available so that users can readily and regularly test their vulnerabilities.

Edited by hake


Thanks for those URLs, gigiadi.  I guess that browser updates from now on will be a continual effort to place obstacles in the way of criminal hackers. NoScript can be used to achieve a sort of site isolation by allowing active content to be restricted to a list of domains. I use Firefox for my online banking and use NoScript to only allow the domain of the bank to use active content which I assume includes JavaScript.

Edited by hake


I wonder if the 22 year-old Google researcher will one day reflect that his revelations of irremediable processor flaws were worth his 15 minutes of fame. It was a tour de force to figure out the nature of the flaws but what a bounty he has bestowed on criminal hackers everywhere, even to simply tell them what is possible. The supposed beneficiaries, we the computer users, of his genius must wait for what is in store for us. If only he had kept his discoveries to himself. The chances are that such processor flaws would not even have occurred to anyone else. As it is, there is surely now hardly a single trustworthy computer on the planet. Thank you Jann.


MELTDOWN and SPECTRE impact.... 

authorities implicated/2017

secure browser/2018

secure cpu/2020

I think that secure browsers will be fixing 90% of the problem since the prime vector of attack is surely the browser. I have used Ghostery for a long time and find that it stops advertising but am now also using Adblock Plus as an additional defence from malvertising. I will be delighted if anti-malware specialists become able to reliably identify delivery vehicles of Meltdown/Spectre and even the signatures and behaviour of actual Meltdown/Spectre malware.
