Jump to content

Google shares Spectre PoC targeting browser JavaScript engines


Recommended Posts

Google shares Spectre PoC targeting browser JavaScript engines




Google has published JavaScript proof-of-concept (PoC) code to demonstrate the practicality of using Spectre exploits targeting web browsers to access information from a browser's memory.


According to the Google Security Team, the PoC shared today works across a wide range of processor architectures, operating systems, and hardware generations.


Security mechanisms vendors have added to web browsers to protect users from Spectre attacks (e.g., Site Isolation, out-of-process iframes, Cross-Origin Read Blocking, and other Cross-Origin policies) don't actually block exploitation attempts.


Instead, they are protecting the users' sensitive data from being leaked into the attackers' hands by moving out of memory reachable during attacks.


Google advises web developers to use new security mechanisms to "mitigate Spectre-style hardware attacks and common web-level cross-site leaks."


The Chrome web platform security team also provides developers with guidance for Post-Spectre Web Development and for Mitigating Side-Channel Attacks.


Besides standard protections like X-Content-Type-Options and X-Frame-Options headers, Google recommends enabling the following policies as part of ongoing efforts to mitigate Spectre attacks:


The Google Security Team also created a prototype Chrome extension named Spectroscope to help security engineers and web developers protect their websites from Spectre.


Spectroscope works by scanning web apps for resources that may require enabling additional security defenses against Spectre attacks.


"Today, we're sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines," said Stephen Röttger and Artur Janc, Information Security Engineers at Google.


"We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector."


Google researchers created a dedicated interactive demo of the attack at leaky.page and published a detailed writeup on Github.


The goal of the in-browser proof-of-concept demo is to prove the feasibility of a web-based Spectre exploit, and it will not allow you to test if your device is vulnerable to such attacks.


A video demo showing the results of a successful attack using Google's PoC exploit on an Intel i7-6500U Ubuntu machine running Chrome 88 is embedded below. 



The Spectre security vulnerability was unveiled as a hardware bug by Google Project Zero security researchers in January 2018.


Attackers can exploit it on vulnerable systems to steal sensitive data, including passwords, documents, and any other data available in privileged memory.


Spectre (CVE-2017-5753) side-channel attacks affect modern Intel, AMD, and ARM processor models with support for branch prediction and speculative execution.


As Project Zero researchers also found, Spectre also impacts major operating systems (i.e., Windows, Linux, macOS, Android, and ChromeOS).


All major processor and OS vendors have released firmware patches and software fixes for Spectre since its discovery.


Last month, security researcher Julien Voisin found working exploits targeting Linux and Windows systems on VirusTotal.


The two exploits were uploaded on VirusTotal as part of a larger package: a cracked version of the CANVAS penetration testing tool leaked and traded online since at least December 2020.



Source: Google shares Spectre PoC targeting browser JavaScript engines

Link to comment
Share on other sites

  • Replies 0
  • Views 352
  • Created
  • Last Reply

Top Posters In This Topic

  • mood


Popular Days

Top Posters In This Topic

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...