Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Google Releases PoC Exploit for Browser-Based Spectre Attack

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Google last week announced the release of proof-of-concept (PoC) code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.

Initially detailed in early 2018 alongside Meltdown, the side-channel attack could allow a malicious application to access data being processed on the device. The vulnerability could expose passwords, documents, emails, data from instant messaging apps, and more.

Since the public disclosure of Meltdown and Spectre, both hardware makers and software developers alike have been working on devising protections against similar flaws, and browser makers too have been implementing application-level mitigations.

In 2019, the Google team responsible for Chrome’s V8 JavaScript engine said that the attack can’t be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.

To keep their users safe, browser makers have already implemented protections such as Site Isolation, Cross-Origin Read Blocking, and out-of-process iframes, with a variety of security features available for other application developers as well, including Cross-Origin Resource and Cross-Origin Opener Policies, and more.

The purpose of these mechanisms is to prevent sensitive data from being present in memory sections that an attacker could read. However, they do not prevent Spectre exploitation.

In order to assess the effectiveness of such mitigations, Google’s researchers have released JavaScript PoC code functional across multiple operating systems, architectures, and hardware variants, and which “confirms the practicality of Spectre exploits against JavaScript engines.”

While Chrome has been used to demonstrate the attack, the exploited issues are not specific to Google’s browser, but affect other modern browsers as well. An interactive demonstration of the attack can be accessed on this page, while the code and technical details were published on Github.

Advertisement. Scroll to continue reading.

“The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes,” Google explains.

In addition to releasing the PoC, Google is making recommendations (Post-Spectre Web Development and Mitigating Side-Channel Attacks) on how web developers can improve site isolation to deny access to cross-origin resources, thus effectively mitigating Spectre-style hardware attacks, among others.

Such mitigations include Cross-Origin Resource Policy (CORP) and Fetch Metadata Request Headers, Cross-Origin Opener Policy (COOP), and Cross-Origin Embedder Policy (COEP), along with standard protections, such as the X-Frame-Options and X-Content-Type-Options headers, along with SameSite cookies.

“It’s important to note that while […] the mechanisms […] are important and powerful security primitives, they don’t guarantee complete protection against Spectre; they require a considered deployment approach which takes behaviors specific to the given application into account,” Google notes.

Related: Microsoft Brings Hardware-Based Isolation to Chrome, Firefox

Related: Should You Be Concerned About the Recently Leaked Spectre Exploits?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.