Tuesday, January 16, 2018

Fix For Meltdown And Spectre

http://www.linuxandubuntu.com/home/how-hackers-can-read-your-websites-passwords-using-meltdown-and-spectre-with-solution

Everyone is talking about Meltdown and Spectre, the two security flaws found in Intel, AMD (less vulnerable) and ARM CPUs. Using these flaws, attackers can read system memory, which may hold your passwords and other sensitive information. The worst part is that most systems are affected, so you are most likely affected too. Let's see how much an Internet surfer like you is affected by Meltdown.
First question: are you vulnerable or not? Most probably, yes. The flaws are in all modern CPUs, so you're most likely affected.

Secondly, how can an attacker read your system's memory? There are three variants to trigger the vulnerabilities, as described by the Google Project Zero team. If you only surf the Internet and think you're secure, you may not be. After the vulnerabilities were disclosed on the Google security blog, all software vendors came out and said that they had been working on the fix since they were informed. Luke Wagner from Mozilla confirmed in a blog post that similar techniques can be used from web content (JavaScript code etc.) to read private information of a website visitor.
"Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins..."
Now there is no question that users like us, who mostly surf the Internet on our devices, are not secure. All it takes is a visit to a malicious website. Attackers may also start compromising websites to run malicious code on visitors' devices to read sensitive information, such as other sites' passwords saved in the web browser.

Firefox and Chrome have also confirmed that they're working on a patch. Chrome will release a Meltdown-protected version on January 23. So will you (Chrome users) have to wait that long? Yes, but here is a quick solution as well.

Enable Site Isolation To Protect Browsers Against Meltdown And Spectre

Besides waiting for Chrome to release the Meltdown-protected version, Chrome/Chromium users can also use a solution that is already there. It's called Site Isolation, and users can enable it in Chrome or Chromium. With Site Isolation enabled, the content of every website is always rendered in a dedicated process, isolated from other websites, which makes the content unreadable to other websites. If you visit a malicious website that runs code in your browser, it won't be able to see the data of other websites.

To enable Site Isolation in Chrome/Chromium, copy the following URL into the URL bar:

chrome://flags/#enable-site-per-process

Now you can see that the highlighted option is Strict site isolation. Enable it. Now you're done. Restart your web browser and site isolation is working.

Site Isolation For Firefox Users

I also tried searching for an alternative solution for Firefox and only found First-Party Isolation. I'm not sure if it will work against these vulnerabilities, because First-Party Isolation separates cookies and makes them inaccessible to other websites. I'm not sure if it separates the entire website content from other websites. Still, I've given instructions below to enable FPI in Firefox, so you can try your luck.

To enable First-Party Isolation, type about:config in the URL bar. Search for site isolation and you'll get the following options.

As you can see, the value of privacy.firstparty.isolate is set to false. Double-click it to set it to true.
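
To confirm that both settings above actually took effect after a restart, the browsers' on-disk state can be checked. The script below is an added example, not part of the original article: it parses a constructed Chrome "Local State" file and a constructed Firefox prefs.js. The function names are hypothetical, and the Local State layout (flags listed under browser.enabled_labs_experiments) is an assumption about how Chrome records chrome://flags choices.

```python
import json
import re

# Constructed sample of Chrome's "Local State" JSON file. Assumption: flags set
# on chrome://flags are listed under browser.enabled_labs_experiments.
SAMPLE_LOCAL_STATE = '{"browser": {"enabled_labs_experiments": ["enable-site-per-process"]}}'

# Constructed sample of a Firefox profile's prefs.js.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.firstparty.isolate", true);
'''

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def chrome_site_isolation_enabled(local_state_text):
    """True if the enable-site-per-process flag is recorded as switched on."""
    try:
        state = json.loads(local_state_text)
    except json.JSONDecodeError:
        return False  # unreadable file: report as not enabled
    browser = state.get("browser") if isinstance(state, dict) else None
    labs = browser.get("enabled_labs_experiments") if isinstance(browser, dict) else None
    # Assumption: a plain on/off flag is stored by name, a three-state flag as
    # "name@1" when enabled; any other suffix is not counted as enabled.
    wanted = ("enable-site-per-process", "enable-site-per-process@1")
    return isinstance(labs, list) and any(entry in wanted for entry in labs)

def firefox_pref(prefs_text, name):
    """Return the last value set for a pref in prefs.js/user.js text, or None."""
    value = None
    for line in prefs_text.splitlines():
        match = PREF_RE.match(line)
        if match and match.group(1) == name:
            try:
                value = json.loads(match.group(2))  # true/false, numbers, strings
            except json.JSONDecodeError:
                value = match.group(2)
    return value

def audit(local_state_text, prefs_text):
    fpi = firefox_pref(prefs_text, "privacy.firstparty.isolate")
    return {"chrome_strict_site_isolation": chrome_site_isolation_enabled(local_state_text),
            "firefox_first_party_isolation": fpi is True}

if __name__ == "__main__":
    print(audit(SAMPLE_LOCAL_STATE, SAMPLE_PREFS_JS))
```

A pref that is missing from prefs.js is still at its default, which for privacy.firstparty.isolate is false as noted above, so the audit reports it as not enabled.
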
So this was the possible way that an attacker can target you and exploit the flaws. I've also mentioned the possible solutions so that you can at least apply what you have. Do share this article with your friends on social media and let them know about this solution.
