Browser-maker urges web developers to take action against vulnerability that continues to haunt the industry

Spectre security vulnerability still threatens browser security, says Google

UPDATED Three years after the infamous Spectre vulnerability was discovered, hackers can still exploit the security flaw in order to force web browsers to leak information, Google’s security team warns.

The problem has arisen despite extensive efforts by browser developers to harden their software against Spectre-style attacks.

The results of the research were published on the Google Security Blog on Friday (March 12) and include a proof-of-concept exploit written in JavaScript that still works against several browsers, operating systems, and processors.

The key lesson from the research is that Spectre still haunts the industry – so developers need to deploy application-level mitigation measures in order to guard against potential attacks.

The Spectre vulnerability

First reported in 2018, the Spectre vulnerability and its twin, Meltdown, both take advantage of flaws in the optimization features of modern CPUs in order to circumvent the security mechanisms that prevent different processes from accessing each other’s memory space.

The Spectre vulnerability allowed a wide range of attacks against different types of applications, including web apps. Hackers can potentially exploit the flaws to extract sensitive information across different websites in a browser by exploiting how different applications and processes interact with processors and on-chip memory.


While newer CPUs have partially mitigated the Spectre vulnerability at the hardware level, there’s still a need for software-based mitigations in order to further limit the scope of potential attacks.

Along with cloud providers and operating system vendors, the developers of web browsers have been putting in efforts to protect users against Spectre attacks.

Their measures include browser protection options such as site isolation and out-of-process iframes, alongside security features that web developers can use to control the origin of resources used in websites.

“These mechanisms, while crucially important, don't prevent the exploitation of Spectre; rather, they protect sensitive data from being present in parts of the memory from which they can be read by the attacker,” the Google Security Team explains.

Hacking the browser

The proof-of-concept (PoC) developed by the Google Security Team exploits the JavaScript engine on Chrome, but the researchers said the same issue applies to other browsers as well.

The PoC combines a gadget that exploits the “variant 1” Spectre vulnerability with a side channel that observes the side-effect of the speculative access.

Variant 1 Spectre, also known as the “bounds check bypass attack”, manipulates the speculative execution mechanisms of processors to access out-of-bounds memory locations.


Side-channels that steal secret data from speculative execution attacks such as Spectre use timing attack techniques to determine the location of the target data. Modern browsers reduce the granularity of their time-measurement functions to prevent such attacks.

The Google Security Team developed a new technique that overcomes this limitation and leaks data with low-precision timers.

The researchers published a demo of their PoC online.

“While we don’t believe this particular PoC can be re-used for nefarious purposes without significant modifications, it serves as a compelling demonstration of the risks of Spectre,” the researchers conclude.

“In particular, we hope it provides a clear signal for web application developers that they need to consider this risk in their security evaluations and take active steps to protect their sites.”

Web developers urged to act

Short of hardware changes and firmware updates, there’s no easy way to develop a comprehensive fix for speculative execution vulnerabilities such as Spectre, the Google Security Team warns.

“Web developers should consider more robustly isolating their sites by using new security mechanisms that actively deny attackers access to cross-origin resources,” the blog post states.

Last year, Google Security published a comprehensive guide on mitigation techniques for different Spectre-style hardware attacks and common web-level cross-site leaks.

But the suggested methods require developers to assess the threat these vulnerabilities pose to their applications and understand how to deploy them, the Security Team notes.

The task is far from straightforward.

To further assist web developers, the Chrome security team has published a lengthy guide on hardening web applications against Spectre attacks.

The guidelines focus on controlling and limiting cross-origin resource sharing and interactions between websites.
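As an added illustration (not code from the article, nor from Google’s guide), here is a small framework-free Node.js module that applies the two kinds of cross-origin control the text refers to: response headers that opt a site into isolation, and a Fetch Metadata request policy that refuses cross-site requests before any sensitive data is generated. The header names and the Sec-Fetch-* values are the standard web-platform ones; the policy rules, the respond() helper and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not from the article or from Google's guide. Header names and
// Sec-Fetch-* values are the standard web-platform ones; the policy logic and
// the sample requests below are constructed for illustration.

// 1. Isolation headers. COOP keeps this document out of a browsing-context group
//    shared with cross-origin pages, which lets the browser give it its own
//    process; COEP/CORP stop cross-origin documents from pulling our responses
//    into their process as subresources; frame-ancestors / X-Frame-Options stop
//    framing.
function isolationHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// 2. Fetch Metadata resource isolation policy. Browsers attach Sec-Fetch-*
//    request headers describing who initiated a request and how; the server can
//    refuse cross-site requests before producing sensitive data, so that data
//    never lands in memory an attacker-controlled page could read.
function isRequestAllowed(req) {
  const h = req.headers || {};
  const site = String(h['sec-fetch-site'] || '').toLowerCase();
  const mode = String(h['sec-fetch-mode'] || '').toLowerCase();
  const dest = String(h['sec-fetch-dest'] || '').toLowerCase();
  const method = String(req.method || 'GET').toUpperCase();

  // Browsers without Fetch Metadata support send no Sec-Fetch-Site: allow, and
  // rely on the response headers above (a deliberate compatibility trade-off).
  if (site === '') return true;
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Cross-site top-level navigations (someone linking to us) are normal, but
  // not when the document is loaded as <object>/<embed>, and not for non-GET
  // navigations (cross-site form POSTs), which carry CSRF-style risk.
  if (mode === 'navigate' && (method === 'GET' || method === 'HEAD') &&
      dest !== 'object' && dest !== 'embed') return true;
  // Everything else cross-site: fetch()/XHR, <img>, <script>, <iframe>, <video>...
  return false;
}

// Describe the response for a request: disallowed cross-site requests get a
// bare 403 with no body; every response carries the isolation headers.
function respond(req, sensitiveBody) {
  const headers = isolationHeaders();
  if (!isRequestAllowed(req)) {
    return { status: 403, headers, body: '' };
  }
  return { status: 200, headers, body: sensitiveBody };
}

// Constructed sample requests, shaped like Node's http.IncomingMessage.
const samples = {
  sameOriginFetch:   { method: 'GET',  headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty' } },
  crossSiteFetch:    { method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty' } },
  crossSiteLink:     { method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  crossSiteEmbed:    { method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'object' } },
  crossSiteFormPost: { method: 'POST', headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  legacyBrowser:     { method: 'GET',  headers: {} },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name.padEnd(18), respond(req, '{"balance":1234}').status);
}
```

To use it in a real server, call respond() from an http.createServer handler and copy its headers and status onto the ServerResponse. Two choices are worth noting: the 403 deliberately carries no body, so a rejected request produces nothing sensitive to leak; and requests without Sec-Fetch-Site fall through to “allow”, which is the usual compatibility trade-off for older browsers and is why the response headers are applied unconditionally rather than only on rejection.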

The Google Security Team warns that, even if applied rigorously, the mitigation techniques don’t guarantee complete protection against Spectre.

“They [the mitigations] require a considered deployment approach which takes behaviors specific to the given application into account,” the researchers advise.

This story was updated to clarify that not even the latest CPUs offer complete protection against Spectre.
