Two CPU architecture flaws, Meltdown and Spectre, were recently disclosed. They affect primarily Intel processors, but also ARM and AMD (Spectre only). Microsoft, Mozilla, and Google have now said that attackers could exploit these flaws through the browser. Temporary fixes are coming soon.
Microsoft said it will disable the SharedArrayBuffer feature and reduce the resolution of the performance.now() timer from 5 microseconds (µs) to 20µs, with an additional 20µs of variable jitter, in order to “substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process.”
The company added that it will continue to investigate the two CPU flaws and will also take another look at how it can implement the SharedArrayBuffer feature in a more secure way in the future.
Mozilla said that its experiments have shown that attackers could exploit the recently discovered CPU flaws through the browser to read users’ private information.
According to Mozilla, the new flaws allow an attacker to use the browser’s precise timers to mount side-channel attacks (timing attacks) while cryptographic algorithms are executing. The company is therefore disabling all precise timers in its browser, as well as the SharedArrayBuffer feature, which Firefox had also only recently implemented. The resolution of Firefox’s timers will likewise be reduced to 20µs.
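The timer changes described in Microsoft’s and Mozilla’s statements above are easier to reason about with the arithmetic in front of you. The following is an added example, not code from the article or from any browser vendor: it models a clock clamped to a fixed resolution with random jitter added on top, and counts how many distinct readings survive when events a few microseconds apart are observed through it. The event timings and the clock parameters are constructed for illustration; real browsers implement this inside the engine, so the exact way jitter is applied there is an assumption here.

```javascript
// Added example (not from the article or any browser vendor's code): a model of
// the timer coarsening described above, in plain Node.js.

// Quantize an integer microsecond timestamp down to a multiple of the resolution.
function clampMicros(tMicros, resolutionMicros) {
  return Math.floor(tMicros / resolutionMicros) * resolutionMicros;
}

// Wrap a raw clock (returning integer microseconds) in a coarsened one: clamp to
// `resolutionMicros`, add up to `jitterMicros` of random jitter, and never go
// backwards. `rng` returns a number in [0, 1) and is injectable so tests are
// deterministic. How jitter is combined with clamping is an assumption of this model.
function makeCoarseClock({ rawNowMicros, resolutionMicros, jitterMicros = 0, rng = Math.random }) {
  let last = -Infinity;
  return function now() {
    const clamped = clampMicros(rawNowMicros(), resolutionMicros);
    const jittered = clamped + Math.floor(rng() * (jitterMicros + 1)); // 0..jitterMicros
    if (jittered < last) return last; // monotonic: jitter must not reverse time
    last = jittered;
    return last;
  };
}

// Count how many distinct readings a list of event times yields through a clock
// of the given resolution. Fewer distinct readings means less timing information
// leaks to a page measuring those events.
function distinctReadings(eventTimesMicros, resolutionMicros) {
  return new Set(eventTimesMicros.map((t) => clampMicros(t, resolutionMicros))).size;
}

// Sites that depend on SharedArrayBuffer should feature-detect it rather than
// assume it exists, since the browsers above are removing it by default.
function sharedArrayBufferAvailable(globalObj = globalThis) {
  return typeof globalObj.SharedArrayBuffer === 'function';
}

// Constructed demo: 20 events spaced 5 µs apart, read through the old 5 µs clock
// and the new 20 µs clock (the latter also with 20 µs of jitter).
const EVENTS_MICROS = Array.from({ length: 20 }, (_, i) => i * 5);

function demo() {
  const raw = EVENTS_MICROS.slice();
  const coarse = makeCoarseClock({
    rawNowMicros: () => raw.shift(),
    resolutionMicros: 20,
    jitterMicros: 20,
  });
  return {
    distinctAt5us: distinctReadings(EVENTS_MICROS, 5),   // every event distinguishable
    distinctAt20us: distinctReadings(EVENTS_MICROS, 20), // only five buckets remain
    jitteredReadings: EVENTS_MICROS.map(() => coarse()),
  };
}

console.log(demo());
```

Running it shows the 20 evenly spaced events collapsing into five buckets at 20µs resolution, and the jittered readings stepping forward in irregular increments without ever decreasing.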
Mozilla added that it will consider reimplementing the SharedArrayBuffer feature after it experiments with ways in which to do that in a safe manner. The organization noted that the high-resolution timers are important for the future of the web platform.
The Chromium team made a similar announcement: the next version of Chrome (v64), due later this month, will disable the SharedArrayBuffer feature by default and modify the behaviour of its performance.now API.
As Chrome has always focused on a higher level of process sandboxing than other browsers, it seems Google was already working on a feature, called Site Isolation, that protects against Meltdown and Spectre on its own. However, users have to enable it manually at chrome://flags/#enable-site-per-process. Researchers also found earlier this year that Site Isolation is effective against many other types of attack.
The Chromium team also laid out some mitigations that web developers can implement on their own sites:
- Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HttpOnly cookie attributes, and by avoiding reads from document.cookie.
- Don’t serve user-specific or sensitive content from URLs that attackers can predict or easily learn. Attackers can load such URLs in their attack pages (e.g. <img src="https://email.example.com/inbox.json">) to pull the sensitive information into the process rendering their page, and can then use out-of-bounds reads to discover it. Use anti-CSRF tokens and SameSite cookies, or random URLs, to mitigate this kind of attack.
- Make sure your MIME types are correct and send an X-Content-Type-Options: nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.
Apple hasn’t released an official statement on how it intends to patch its Safari browser, but it seems that it has already partially patched macOS 10.13.2 against Meltdown. More fixes should be coming soon.
What we're seeing from both the kernel patches and the browser patches is that Meltdown and Spectre can only be fixed by incurring at least some performance penalty. To remove these penalties, CPU makers will likely have to redesign parts of their CPU architectures in the near future.