ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
Meltdown and Spectre are two vulnerabilities discovered by Google security researchers that affect almost all CPUs released since 1995, impacting CPUs deployed in desktops, laptops, servers, smartphones, smart devices, and cloud services.
Researchers say that attackers can use the two flaws to read data from a computer’s kernel memory (Meltdown), but also data handled by other apps (Spectre).
More precisely, Google says the two bugs can be exploited to “to steal data which is currently processed on the computer,” which includes “your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
Mozilla confirms everybody’s worst fears
In research published online late last night, Google didn’t provide specific ways in which an attack could take place, but many security experts that looked over the Meltdown and Spectre academic papers said that web-based attacks are possible, and not just attacks using locally-delivered malicious code.
“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins,” said Luke Wagner, a software engineer with the Mozilla Foundation.
Firefox added Meltdown and Spectre mitigations in November 2017
Details about the Meltdown and Spectre flaws had been shared with Mozilla since last year, and Wagner says that Firefox 57, released in mid-November, already includes some countermeasures.
Both Meltdown and Spectre are side-channel attacks that produce leak memory data. They both rely on the ability to very precisely measure time to deliver exploits that leak memory data.
To hinder the attacks’ efficiency, Mozilla says it reduced the precision of Firefox’s internal timer functions. This is not a full mitigation, but just an efficient and clever workaround.
Specifically, in all release channels, starting with 57:
– The resolution of performance.now() will be reduced to 20µs.
– The SharedArrayBuffer feature is being disabled by default.
Mozilla said it will experiment with new mitigation techniques that will “remove the information leak closer to the source, instead of just hiding the leak by disabling timers.”
Google Chrome to receive patches in v64
While Mozilla has already deployed fixes, Chrome has not. Ironically, it was Google developers who discovered the two vulnerabilities.
According to Google, Chrome will receive mitigations to protect against Meltdown and Spectre exploitation in Chrome 64, due to be released on January 23.
Until then, Google recommends that users enable a new security feature it shipped in Chrome 63, called Strict Site Isolation.
Despite this, some experts argue that Meltdown and Spectre are two vulnerabilities that are most likely to be exploited in targeted attacks against specific targets, rather than in en-masse, non-discriminatory campaigns.
Any idea on whether Meltdown/Spectre will ever be exploited at scale? Reading memory *and* doing something useful with it doesn’t tend to scale well for attackers. Remember that Heartbleed was never exploited at scale.
— Martijn Grooten (@martijn_grooten) January 4, 2018
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.