Researchers bypass Spectre mitigations in popular browsers



    A team of researchers from Aleph Security has described a series of attacks based on the Spectre vulnerability that bypass the mitigations deployed in popular browsers. The report concerns Spectre v1 (CVE-2017-5753), the variant of Spectre that can be exploited from within a browser.

    Mitigations against it had already been shipped before the Aleph Security publication (V8 for Chrome and Chromium, Chrome, Chromium, Firefox, Edge/IE, Safari WebKit), since the researchers had contacted the vendors in advance. The mechanisms differ from browser to browser, but the main ones are site isolation (Chromium-based projects), reducing the resolution of the performance.now() timer and adding jitter to it, and disabling SharedArrayBuffer (Firefox, Edge).

    In their work, the Aleph Security researchers bypassed most of these mechanisms and read protected memory, which in principle lets an attacker capture any data that browser pages handle, such as cookies and stored passwords. The attack is carried out through speculative execution triggered by malicious JavaScript. The study concludes that the measures the browser vendors implemented only slow the attack down rather than rule it out entirely, and that more effective measures would reduce overall performance, to the detriment of end users.

    The attack succeeded on Google Chrome (55.2% of users), Safari (13.5%) and Edge (together with IE, 6.1% of the market). The attack on Firefox (5.4% of users) did not succeed, because Mozilla engineers had recently reduced the resolution of performance.now() to 2 ms. The researchers note, however, that Firefox is not completely safe: the attack they chose simply needs additional work in that case. The attack as described therefore affected more than 70% of Internet users.

    In the experiment the data leak rate was 1 bit per second, so it is too early to speak of a practical attack. The researchers explain that their goal was not to build tooling for real attacks but to audit the reliability of the defenses deployed against them.
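    The following JavaScript is an added example, not code from the Aleph Security report or from any browser. It models the performance.now() coarsening described above (a plain floor clamp, and a Firefox-style clamp to a secret random midpoint of each interval) and shows why a coarse timer only slows a cache-timing measurement down: repeating the probe many times between two clock reads recovers the difference between a fast and a slow memory access. The 2 ms resolution is the Firefox value cited above; the 50 ns and 300 ns probe costs, the simulated clock, and the midpoint function standing in for the browser's secret are constructed for the example.

```javascript
'use strict';

// Added example: a model of performance.now() coarsening and of the
// repetition trick that works around it. Not browser code (see lead-in).

// Plain clamp: round the timestamp down to a multiple of resolutionMs.
function clampTimestamp(tMs, resolutionMs) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Clamp with jitter: the clock is cut into intervals of resolutionMs, each
// interval has a secret midpoint (a fraction in [0, 1)), readings before the
// midpoint report the interval start and readings after it report the next
// interval start. `midpointOf(i)` stands in for the browser's per-interval
// secret, so the caller controls it and the behaviour is testable.
function coarsenTimestamp(tMs, resolutionMs, midpointOf) {
  const interval = Math.floor(tMs / resolutionMs);
  const start = interval * resolutionMs;
  const frac = (tMs - start) / resolutionMs;
  return frac < midpointOf(interval) ? start : start + resolutionMs;
}

// Simulated clock (constructed for the example): advance(ms) models work that
// takes ms; now() is the coarsened reading that attacker JavaScript would get.
function makeCoarseClock(resolutionMs, midpointOf, startMs = 0) {
  let t = startMs;
  return {
    advance(ms) { t += ms; },
    rawNow() { return t; },
    now() { return coarsenTimestamp(t, resolutionMs, midpointOf); },
  };
}

// Attacker-side measurement: run a probe costing costMs `reps` times between
// two clock reads and return the per-probe estimate. A single probe (a cache
// hit versus a miss, tens to hundreds of nanoseconds) is invisible under a
// 2 ms clock; the total of many probes is not, and the per-probe error shrinks
// as 2 * resolution / reps, so coarsening costs the attacker time, not success.
function estimateCost(costMs, reps, clock) {
  const t0 = clock.now();
  for (let i = 0; i < reps; i++) clock.advance(costMs);
  const t1 = clock.now();
  return (t1 - t0) / reps;
}

// Deterministic stand-in for the browser's secret midpoint per interval
// (a real implementation draws it from a CSPRNG).
function demoMidpoint(interval) {
  return (Math.imul(interval, 2654435761) >>> 0) / 2 ** 32;
}

const HIT_MS = 0.00005;  // ~50 ns cached access (constructed figure)
const MISS_MS = 0.0003;  // ~300 ns uncached access (constructed figure)
const RESOLUTION_MS = 2; // the Firefox value cited in the article

// Compare a single-shot measurement with an amplified one under the 2 ms clock.
function compareMeasurements(reps = 1e6, startMs = 0.5) {
  const clock = () => makeCoarseClock(RESOLUTION_MS, demoMidpoint, startMs);
  return {
    singleHit: estimateCost(HIT_MS, 1, clock()),       // 0: indistinguishable
    singleMiss: estimateCost(MISS_MS, 1, clock()),     // 0: indistinguishable
    amplifiedHit: estimateCost(HIT_MS, reps, clock()),  // close to HIT_MS
    amplifiedMiss: estimateCost(MISS_MS, reps, clock()), // close to MISS_MS
  };
}

// Classify a probe as hit or miss from its amplified estimate, using the
// midpoint between the two expected costs as the threshold.
function classify(estimateMs) {
  return estimateMs < (HIT_MS + MISS_MS) / 2 ? 'hit' : 'miss';
}

console.log(compareMeasurements());
```

    The same arithmetic explains why Firefox and Edge disabled SharedArrayBuffer: a worker that increments a shared Int32Array in a tight loop gives the main thread a counter with far finer resolution than any clamped performance.now(), removing the need for repetition altogether.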

    Spectre is one of two vulnerabilities disclosed in January 2018 that affect almost all modern platforms and open up the fundamental possibility of reading isolated memory, that is, the data that running programs operate on. Like the second vulnerability, Meltdown, Spectre exploits speculative execution; unlike Meltdown, however, complete protection against Spectre is hard to guarantee because of its more fundamental nature, as the Aleph Security work demonstrates once again.

    Unlike Meltdown, which affects only Intel processors and certain ARM cores, Spectre also works on AMD processors. As with Meltdown, software vendors released urgent patches against Spectre, but since the problem lies in hardware rather than software, a final fix should not be expected in the near future.
