Browser makers rush to plug Spectre/Meltdown security holes

A roundup of advice from Mozilla, Microsoft, Apple and others as the release temporary patches for the CPU flaws

The flaws in CPU architecture dubbed Meltdown and Spectre could be used by attackers to steal passwords and other information via Javascript code on websites as it's read the browser. Browser makers have been rushing to produces fixes. For now, most are temporary patches but more permanent solutions should be available shortly.

Apple

On its support page, Apple notes that the risk of exploitation is likely to be low. It will release a fix "in the coming days", it says.

"Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques."

The fix is unlikely to cause noticeable degradation in performance, Apple adds.

Mozilla

In its recent security advisory the Firefox maker says it has moved to implement a temporary fix to make attacks via CPU vulnerabilities more difficult.

"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox," it says.

"The precision of performance.now() has been reduced from 5µs to 20µs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer."

Google Chrome

Chrome users are advised to make use of a feature called Site Isolation "which mitigates exploitation of these vulnerabilities".

"With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process. Read more about Site Isolation, including some known issues, and how to enable it via enterprise policies or via chrome://flags."

The advisory on the Chromium site continues: "Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd, 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack. Additionally, the SharedArrayBuffer feature is being disabled by default. The mitigations may incur a performance penalty."

Microsoft

Microsoft released patches for Edge and Internet Explorer on Wednesday. In an advisory the company notes:

"In testing, Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer.?Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security."

Vivaldi

In a tweet, Vivaldi says: "We're anticipating that Chromium will mitigate any potential exploit on the browser side shortly. You can also enable 'Strict site isolation' by navigating to vivaldi://flags".

Opera

Opera notes the level of concern in its latest blog post.

"There is a lot of uncertainty right now about the impact of the hardware security issue named Meltdown," the firm says.

"There will be a scheduled release of Opera which will contain a first set of workarounds as soon as the browser is properly tested and ready for release. This will most likely be at the end of January. To improve the protection it is already possible to turn on something called Strict site isolation. This separates sites into different processes which makes it harder to exploit the hardware problem."

"Strict site isolation is an upcoming security feature that is still being tested. There is more information on the project page, including a list of what remains to do in the project. To turn on Strict site isolation, a user can visit opera://flags/?search=enable-site-per-process and click 'Enable'."

Brave

No official advice is forthcoming from Brave so far, but users can simply switch off Javascript for the time being.

A forum poster notes: "Since Brave is based on Chromium 63, Google has info on what they're doing and what's coming shortly in 64: Google's Mitigations Against CPU Speculative Execution Attack Methods1 and Actions Required to Mitigate Speculative Side-Channel Attack Techniques."

Mitigation

United States Computer Emergency Readiness Team (US-CERT) publishes links to updates from browser vendors. However, it notes that "due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases." Long term, the only solution may be to replace vulnerable CPUs.