Browser makers move to mitigate risk of Spectre browser attacks
Apple has confirmed that it has already pushed out security updates for iOS, macOS and tvOS that mitigate the danger of users being affected by Meltdown attacks. (watchOS did not require mitigation.)
The updates were released in early December, and apparently there is no measurable reduction in the performance of macOS and iOS due to the implementation of the mitigations.
But, when it comes to reducing the risk of Spectre attacks, updates are yet to be released.
“Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or ‘bounds check bypass,’ and CVE-2017-5715 or ‘branch target injection.’ These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call,” the company explained.
They expect that the upcoming Safari mitigations will have little impact on computer speeds, and are assuring users that they “continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”
Firefox, Google, Microsoft
Other browser makers have also pushed out or announced updates that mitigate the risk of Spectre attacks through the browser.
“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox.”
Google says that the current stable versions of Chrome (Chrome 63) include an optional feature called Site Isolation which can be enabled to provide Meltdown and Spectre mitigation by isolating websites into separate address spaces.
Microsoft has released updates for Internet Explorer and Edge on Wednesday.
US-CERT has offered guidance on how to minimize and/or remove the danger of being targeted by the two attacks, and provided links to updates pushed out by various vendors.
The organization still says that “due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.”
The Computer Emergency Response Team Coordination Center (CERT/CC) initially noted that a solution for removing all risk from these attacks is to replace the vulnerable CPU hardware. This pronouncement has since been removed from the vulnerability note.