Mozilla has officially confirmed that the recently disclosed Meltdown and Spectre CPU flaws can be exploited via web content such as JavaScript files in order to extract information from users visiting a web page.
Meltdown and Spectre are two vulnerabilities discovered by Google security researchers that affect almost all CPUs released since 1995, impacting CPUs deployed in desktops, laptops, servers, smartphones, smart devices, and cloud services.
Researchers say that attackers can use the two flaws to read data from a computer's kernel memory (Meltdown), but also data handled by other apps (Spectre).
More precisely, Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
Mozilla confirms everybody's worst fears
In research published online late last night, Google didn't provide specific ways in which an attack could take place, but many security experts who looked over the Meltdown and Spectre academic papers said that web-based attacks are possible, and not just attacks using locally delivered malicious code.
Hours after Google's announcement, Mozilla confirmed everybody's worst fear, that both Meltdown and Spectre are remotely exploitable by embedding attack code in mundane JavaScript files delivered via web pages.
"Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins," said Luke Wagner, a software engineer with the Mozilla Foundation.
Firefox to add Meltdown and Spectre mitigations
Details about the Meltdown and Spectre flaws had been shared with Mozilla since last year, and Wagner says Firefox 57.x branches will receive countermeasures.
Both Meltdown and Spectre are side-channel attacks that leak memory data. Both rely on the ability to measure time very precisely in order to deliver exploits that leak that data.
To blunt the attacks, Mozilla says it will reduce the precision of Firefox's internal timer functions. This is not a full mitigation, just an efficient and clever workaround.
Specifically, in all release channels, starting with 57:
- The resolution of performance.now() will be reduced to 20µs.
- The SharedArrayBuffer feature is being disabled by default.
Mozilla said it will experiment with new mitigation techniques that will "remove the information leak closer to the source, instead of just hiding the leak by disabling timers."
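The following JavaScript is an added example, not Mozilla's code, showing the idea behind the timer-precision workaround: a high-resolution clock is coarsened to a fixed granularity (20 µs here, the value Mozilla quotes), and a small helper estimates a timer's effective granularity from its samples so a defender can check what resolution a page actually sees. Rounding down to the grid and the function names are assumptions; Firefox implements the clamping inside the browser, not in page script.

```javascript
// Added example (not from Mozilla or the article): timer clamping and a
// resolution check. Uses Node's performance.now() when run outside a browser.
const perf = globalThis.performance || require('perf_hooks').performance;

// Clamp a millisecond timestamp down to a multiple of `resolutionMs`.
// Integer nanoseconds avoid floating-point drift in the modulo step.
// Rounding down is an assumption about how a clamp would be implemented.
function clampTimestamp(tMs, resolutionMs = 0.02) {
  const resNs = Math.round(resolutionMs * 1e6);
  const tNs = Math.round(tMs * 1e6);
  return (tNs - (tNs % resNs)) / 1e6;
}

// Wrap any high-resolution clock so callers only see the coarse grid.
function makeCoarseClock(highResNow, resolutionMs = 0.02) {
  return () => clampTimestamp(highResNow(), resolutionMs);
}

// Effective granularity of a timer: smallest non-zero gap between
// consecutive samples (Infinity if the clock never advanced).
function estimateResolution(samples) {
  let min = Infinity;
  for (let i = 1; i < samples.length; i++) {
    const d = samples[i] - samples[i - 1];
    if (d > 0 && d < min) min = d;
  }
  return min;
}

// Take `n` back-to-back readings from a clock function.
function sampleClock(now, n = 100000) {
  const out = new Array(n);
  for (let i = 0; i < n; i++) out[i] = now();
  return out;
}

// Compare the raw clock with a 20 µs-clamped version of the same clock.
function compareResolutions() {
  const fine = () => perf.now();
  const coarse = makeCoarseClock(fine, 0.02);
  return {
    rawMs: estimateResolution(sampleClock(fine)),
    coarseMs: estimateResolution(sampleClock(coarse)),
  };
}

console.log(compareResolutions());
```

On a browser with the mitigation, `coarseMs` and the raw value will both be at least 0.02 ms; on an unmitigated clock the raw value is typically far smaller.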
Google Chrome to receive patches in v64
According to Google, Chrome will also receive mitigations to protect against Meltdown and Spectre exploitation in Chrome 64, due to be released on January 23.
Until then, Google recommends that users enable a new security feature it shipped in Chrome 63, called Strict Site Isolation.
Microsoft has also released updates for Edge and Internet Explorer, which are part of an out-of-band update for Windows operating systems released yesterday.
Users are advised to update to Firefox 57 now, and to Chrome 64 when it comes out. Web-based attacks are the most dangerous because they are easier to carry out: an attacker can trick users into visiting a website with malicious JavaScript, deliver that JavaScript via advertising networks to millions of users at once, or compromise legitimate websites and run drive-by download attacks against visitors who have no idea the site has been compromised.
Despite this, some experts argue that Meltdown and Spectre are most likely to be exploited in targeted attacks against specific victims, rather than in mass, indiscriminate campaigns.
Any idea on whether Meltdown/Spectre will ever be exploited at scale? Reading memory *and* doing something useful with it doesn't tend to scale well for attackers. Remember that Heartbleed was never exploited at scale.
— Martijn Grooten (@martijn_grooten) January 4, 2018
UPDATE: Mozilla has released Firefox 57.0.4 that includes Meltdown and Spectre mitigations.
Comments
pccobbler - 6 years ago
Mozilla announced "Meltdown and Spectre are remotely exploitable by embedding attack code in mundane JavaScript files delivered via web pages"
This is yet another reason to use a browser that allows for JavaScript to be disabled, using that browser whenever possible. IceCat, Konqueror, SeaMonkey, Otter, Midori, Brave, QupZilla, and Opera allow the disabling of JavaScript via a single checkbox. Firefox is a little more complicated and requires the entering of "about:config" into the URL space, searching for "javascript.enabled," and setting it to false.
Occasional - 6 years ago
When I used Firefox, I also used NoScript. What's better, a one-button on/off switch or a more customizable way to discriminately allow or prevent script?
A bigger concern is the number of legitimate websites that require you to allow scripts, in order to achieve even basic functionality. Then there are all the add-on statistical, marketing and 3rd party scripts most sites include.
pccobbler - 6 years ago
NoScript used to be annoying and I stopped using it, but that was years ago so I should revisit it. I use IceCat on Linux and Brave on Windows, with both of them set up for disabled JavaScript. With Firefox, I use uBlock Origin and HTTPS Everywhere. As for the websites you mentioned that require JavaScript to run, I keep those to a minimum. Most news sites work just fine without JavaScript.
Exnor - 6 years ago
This is going to be a fun year.... :/
Occasional - 6 years ago
Another reason to chuckle: http://www.foxnews.com/us/2018/01/04/ex-nsa-contractor-to-plead-guilty-to-breathtaking-heist-top-secret-data.html
Occasional - 6 years ago
JavaScript: great idea. Here's another: LED screen license plates for cars.
preppz - 6 years ago
Does anyone know why Google is not issuing an emergency update for Chrome? Not everyone knows about this threat yet.