Opera, Mozilla, Vivaldi and more rush to patch Spectre and Meltdown security holes
Browser makers have been rushing to produce fixes. For now, most are temporary patches, but more permanent solutions should be available shortly.
On its support page, Apple notes that the risk of exploitation is likely to be low. It will release a fix “in the coming days”, it says.
The fix is unlikely to cause noticeable degradation in performance, Apple adds.
In its recent security advisory, the Firefox maker says it has moved to implement a temporary fix to make attacks via CPU vulnerabilities more difficult.
“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox,” it says.
“The precision of performance.now() has been reduced from 5µs to 20µs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.”
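As an added illustration (not code from Mozilla or from the original article), the JavaScript below shows how the two changes in that advisory look from inside a page or a Node process: it estimates the step size of a timer from successive readings and reports whether SharedArrayBuffer is exposed. The helper names and the simulated clamped clock are hypothetical constructs for this example.

```javascript
// Added example: observe timer clamping and SharedArrayBuffer availability.
// All function names are hypothetical helpers, not browser or Mozilla APIs.

// Smallest positive step seen between successive readings of `clock`.
// A clamped timer only ever advances in multiples of its resolution.
function observedGranularity(clock, samples = 2000) {
  let smallest = Infinity;
  let prev = clock();
  for (let i = 0; i < samples; i++) {
    const now = clock();
    const delta = now - prev;
    if (delta > 0 && delta < smallest) smallest = delta;
    prev = now;
  }
  return smallest; // Infinity if the clock never advanced
}

// Constructed stand-in for a clamped timer: the underlying time advances 1 µs
// per call, and readings are rounded down to a multiple of `resolutionUs`.
function makeClampedClock(resolutionUs) {
  let trueUs = 0;
  return () => {
    trueUs += 1;
    return Math.floor(trueUs / resolutionUs) * resolutionUs;
  };
}

// Report for the current runtime (browser page or Node).
function mitigationReport() {
  const perf = globalThis.performance;
  const realClockUs = () => perf.now() * 1000; // performance.now() is in ms
  return {
    timerGranularityUs: perf ? observedGranularity(realClockUs, 20000) : null,
    sharedArrayBufferAvailable: typeof globalThis.SharedArrayBuffer === "function",
  };
}

console.log("simulated 5 µs timer :", observedGranularity(makeClampedClock(5)));
console.log("simulated 20 µs timer:", observedGranularity(makeClampedClock(20)));
console.log("this runtime         :", mitigationReport());
```

The figure reported for the real runtime is only an estimate, since it depends on how fast the loop runs and on floating-point rounding of `performance.now()`.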
Chrome users are advised to make use of a feature called Site Isolation “which mitigates exploitation of these vulnerabilities”.
“With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process. Read more about Site Isolation, including some known issues, and how to enable it via enterprise policies or via chrome://flags.”
Microsoft released patches for Edge and Internet Explorer on Wednesday. In an advisory the company notes:
“In testing, Microsoft has seen some performance impact with these mitigations. For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. We continue to work with hardware vendors to improve performance while maintaining a high level of security.”
In a tweet, Vivaldi says: “We’re anticipating that Chromium will mitigate any potential exploit on the browser side shortly. You can also enable “Strict site isolation” by navigating to vivaldi://flags”
Opera notes the level of concern in its latest blog post.
“There is a lot of uncertainty right now about the impact of the hardware security issue named Meltdown,” the firm says.
“There will be a scheduled release of Opera which will contain a first set of workarounds as soon as the browser is properly tested and ready for release. This will most likely be at the end of January. To improve the protection it is already possible to turn on something called Strict site isolation. This separates sites into different processes which makes it harder to exploit the hardware problem.”
“Strict site isolation is an upcoming security feature that is still being tested. There is more information on the project page, including a list of what remains to do in the project. To turn on Strict site isolation, a user can visit opera://flags/?search=enable-site-per-process and click ‘Enable’.”
A forum poster notes: Since Brave is based on Chromium 63, Google has info on what they’re doing and what’s coming shortly in 64: Google’s Mitigations Against CPU Speculative Execution Attack Methods and Actions Required to Mitigate Speculative Side-Channel Attack Techniques.
The United States Computer Emergency Readiness Team (US-CERT) publishes links to updates from browser vendors. However, it notes that “due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.” Long term, the only solution may be to replace vulnerable CPUs.
Source : Inquirer