  • Born: Is my browser vulnerable for Spectre attacks?


    This topic contains 22 replies, has 17 voices, and was last updated by  anonymous 10 months, 1 week ago.

    • #158486 Reply

      woody
      Da Boss

      Günter Born has an important recap of the test website xlab.tencent.com, which has a tool that can check to see if your browser is currently susce
      [See the full post at: Born: Is my browser vulnerable for Spectre attacks?]

      10 users thanked author for this post.
    • #158500 Reply

      MrBrian
      AskWoody MVP

      If I recall from seeing the source code for this test, this test will always report “not vulnerable” if a browser feature called SharedArrayBuffer is not available. SharedArrayBuffer provides a source of timers that a Spectre attack needs, but there are other sources available. There is probably no test that could prove that a browser isn’t vulnerable to Spectre.

      • This reply was modified 10 months, 1 week ago by  MrBrian.
      7 users thanked author for this post.
      • #158530 Reply

        AlexEiffel
        AskWoody MVP

        Yes, it doesn’t mean much. Probably anyone who will develop a working exploit for JavaScript will have found an alternative way to obtain reliable time and will have tested it against a patched Firefox, IE, Chrome, etc.

        4 users thanked author for this post.
      • #158541 Reply

        abbodi86
        AskWoody MVP

        Indeed

        My Opera 12.18 reported not vulnerable, likewise FlashPeak Slimjet (old version from 2016).

        5 users thanked author for this post.
      • #158547 Reply

        MrBrian
        AskWoody MVP

        From https://twitter.com/bojanz/status/950458779744825344: “Tencent released a PoC for #spectre at http://xlab.tencent.com/special/spectre/exploit/check.js … Won’t work with patched browsers due to usage of SharedArrayBuffer”

        2 users thanked author for this post.
      • #158558 Reply

        anonymous

        I tested an old portable Firefox (v33.x — which definitely has no SharedArrayBuffer feature, as opposed to it being disabled) at Tencent-Xuanwu Lab’s Spectre Online Checker, & the result is instantaneously given as:

        $ Start checking…
        $
        $ According to our checking
        $ Your browser is NOT VULNERABLE to Spectre

        This is despite the fact that Javascript is enabled, & neither the CPU nor the Win OS kernel is patched against Meltdown-Spectre.

        I suppose the online test only checked for the possibility of SharedArrayBuffer-type exploits, but the real world of black hats probably can come up with more tricks.

        4 users thanked author for this post.
    • #158518 Reply

      lurks about
      AskWoody Lounger

      Brave is rated as ‘Vulnerable’ also. Just checked it.

    • #158527 Reply

      ryegrass
      AskWoody Lounger

      Pale Moon 27.6.2 (64 bit) is listed as not vulnerable by this test.

      • #158566 Reply

        Ed
        AskWoody Lounger

        The 32 bit version of Pale Moon 27.6.2 also shows as not vulnerable.

    • #158532 Reply

      anonymous

      Opera is labeled as vulnerable

    • #158576 Reply

      samak
      AskWoody Lounger

      My Firefox 56.0.2 check says not vulnerable.

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

    • #158578 Reply

      geekdom
      AskWoody Lounger

      It’s way too early to tell. The test must first be reliable.

      Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
    • #158594 Reply

      Steve S.
      AskWoody Lounger

      Tested the latest Firefox ESR 52.5.3 (64-bit) on Win 7 Pro machines and a cheap Win 10 tablet. All show as not vulnerable. But as many have said, this isn’t enough to “rest assured”.

      Especially for me with older Core i5 CPUs on Lenovo T410 machines and Lenovo Edge 15 (E50) machines, neither of which are supported by Lenovo now. Processor microcode will likely not be developed by Intel nor issued as a BIOS update by Lenovo.

      All our machines are in good shape and do what we need at present. As retirees, we are not excited about having to buy all new machines, let alone having to deal with them being (ugh..) Win 10, though making them Linux is probably our future path….

      2 users thanked author for this post.
      • #158785 Reply

        lmacri
        AskWoody Lounger

        Hi Steven S.:

        From the Mozilla Security Blog entry Mitigations Landing for New Class of Timing Attack:

        Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.

        That same blog entry notes that Firefox v57.0.4 update (released 03-Jan-2018) fixed two timing mitigations [SharedArrayBuffer and performance.now()] for the Spectre vulnerability, and other timing sources and time-fuzzing techniques are still being worked on.

        According to the Chromium.org article Actions Required to Mitigate Speculative Side-Channel Attack Techniques:

        “Chrome has disabled SharedArrayBuffer on Chrome 63 starting on Jan 5th, and will modify the behavior of other APIs such as performance.now, to help reduce the efficacy of speculative side-channel attacks. This is intended as a temporary measure until other mitigations are in place… Chrome’s JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018.”
        ————
        32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

        2 users thanked author for this post.
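The two timing sources discussed in the posts above, SharedArrayBuffer and performance.now(), can be inspected from script. The following is an added example, not part of any post in this thread and not Tencent's check.js; the function names, the 0.02 ms threshold and the `sabOnlyResult` model of a SharedArrayBuffer-gated checker are assumptions made for illustration.

```javascript
// Added example (not from the thread, and not Tencent's check.js).
// Reports which of the two timing sources named in the thread a JavaScript
// environment exposes. It cannot prove a browser safe; it shows why
// "no SharedArrayBuffer" is a different finding from "not vulnerable".
const COARSE_MS = 0.02; // assumed illustrative threshold, not a vendor value

// Smallest positive step seen between consecutive readings of a clock.
function timerGranularityMs(now, steps = 50, maxReads = 5000000) {
  let smallest = Infinity;
  let prev = now();
  for (let reads = 0, seen = 0; seen < steps && reads < maxReads; reads++) {
    const t = now();
    if (t > prev) {
      smallest = Math.min(smallest, t - prev);
      seen++;
    }
    prev = t;
  }
  return smallest; // Infinity if the clock never advanced
}

function assessTimingSurface(env, now) {
  const sab = typeof env.SharedArrayBuffer === "function";
  const granularityMs = timerGranularityMs(now);
  const exposed = [];
  if (sab) exposed.push("SharedArrayBuffer");
  if (granularityMs < COARSE_MS) exposed.push("fine-grained performance.now()");
  return {
    sharedArrayBuffer: sab,
    granularityMs,
    exposed,
    // Hypothetical model of a checker that gives up when SharedArrayBuffer
    // is missing, which is the behaviour recalled in the thread.
    sabOnlyResult: sab ? "proceeds to test" : "NOT VULNERABLE",
    // What the evidence supports: fewer timers means less exposure, no more.
    conclusion: exposed.length
      ? "timing sources exposed: " + exposed.join(", ")
      : "known timing sources restricted; other sources not assessed",
  };
}

// Run against the current environment (browser console or Node.js).
const clock = typeof performance !== "undefined"
  ? () => performance.now() : () => Date.now();
console.log(assessTimingSurface(globalThis, clock));
```

A browser without SharedArrayBuffer but with an unreduced performance.now() yields `sabOnlyResult` of "NOT VULNERABLE" while `exposed` still lists the fine-grained timer, which is the gap the posters describe.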
    • #158623 Reply

      alpha128
      AskWoody Lounger

      Tested my beloved SeaMonkey 2.49.1 and it says it’s not vulnerable. Of course, I first had to tell NoScript to allow the test.

      • This reply was modified 10 months, 1 week ago by  alpha128.
    • #158645 Reply

      PerthMike
      AskWoody Lounger

      I tried to do the vulnerability check, but the page never changed after clicking the CHECK button… Until I noticed the email alert from my firewall that showed that it had blocked the high-security threat. So that was a very useful check of our security!

      I fully expected the browser to show up as vulnerable as we haven’t patched IE since December, but the firewall is protecting us in the meantime.

      Happy days!

      No matter where you go, there you are.

    • #158650 Reply

      anonymous

      Thanks for letting us fingerprint your computer!

      Sincerely,

      Tencent and Chinese Government

      4 users thanked author for this post.
    • #158657 Reply

      MrBrian
      AskWoody MVP

      I believe that any web browser used on a device that is vulnerable to Spectre is vulnerable to Spectre, unless the web browser doesn’t allow JavaScript or other programmability.

      “The browser rendering engine WebKit’s developers have written a blog post What Spectre and Meltdown Mean For WebKit, parts of which are probably applicable to web browsers in general:”

      • This reply was modified 10 months, 1 week ago by  MrBrian.
      1 user thanked author for this post.
      • #158916 Reply

        OscarCP
        AskWoody Lounger

        But isn’t JavaScript (as opposed to Java plugins) needed for maintaining a good deal of a browser’s functionality?

        Is this a “d***ed if you do, d***ed if you don’t” situation?

        • #158923 Reply

          MrBrian
          AskWoody MVP

          “But isn’t JavaScript (as opposed to Java plugins) needed for maintaining a good deal of a browser’s functionality?”

          Yes, but one can use an ad blocker and/or selectively allow which domains JavaScript can run from.

          • This reply was modified 10 months, 1 week ago by  MrBrian.
          2 users thanked author for this post.
    • #158810 Reply

      jescott418
      AskWoody Lounger

      With Chrome you can enable site isolation but it’s going to eat up RAM and could break some sites. Google cautions it’s still experimental. I suspect eventually some of this will end up in the browsers by default in a few months. Not surprising given the hardware is not changing or 100% fixed, so browsers will be part of the solution.

    • #158813 Reply

      johnf
      AskWoody Lounger

      For those of us running Linux Mint, there’s this from their Website (some of it may be of use in Windows as well):
      Firefox 57.0.4
      Firefox was patched. Please use the Update Manager to upgrade it to version 57.0.4.
      NVIDIA 384.111
      If you are using the NVIDIA proprietary drivers, upgrade them to version 384.111.
      In Linux Mint 17.x and 18.x, this update is available in the Update Manager.
      In LMDE, it is available on the NVIDIA Website.

      Chrome Site Isolation
      If you are using Google Chrome or Chromium, please follow the steps below:
      Type chrome://flags in the address bar and press Enter.
      Scroll down the page and find “ and press the Enable button.
      Restart the Chrome browser.
      https://www.chromium.org/Home/chromium-security/ssca

      Opera
      If you are using the Opera browser, visit opera://flags/?search=enable-site-per-process, click Enable and restart Opera.

      Linux Kernel
      Please use the Update Manager to upgrade your Linux kernel.
      The following versions were patched:
      3.13 series (Linux Mint 17 LTS): patched in 3.13.0-139
      3.16 series (LMDE): patched in 3.16.51-3+deb8u1
      4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
      4.13 series (Linux Mint 18 HWE): patched in 4.13.0-25

      Note: The current HWE series in Linux Mint 18 moved from 4.10 to 4.13.
      Some users reported issues with early kernel updates (4.4.0-108 issues in particular were fixed since in 4.4.0-109). We strongly recommend you use Timeshift to create a system snapshot before applying the updates. Timeshift is installed by default in Linux Mint 18.3 and available in the repositories for all Linux Mint 17.x and 18.x releases.

      Intel Microcode
      Please use the Update Manager to upgrade intel-microcode to version 3.20180108.0.
      Note: If intel-microcode isn’t installed on your computer, run the Driver Manager to see if it’s needed.

      Edit to remove HTML. May not appear as poster intended.
      PLEASE convert to plain text before cut/paste

      • This reply was modified 10 months, 1 week ago by  johnf.
      • This reply was modified 10 months, 1 week ago by  PKCano.
    • #159009 Reply

      anonymous

      I’m told from a user that Win10 Opera 50 tested as not vulnerable.
