Skip to main content

How Chrome and other browsers came together to protect you from Spectre

Image used with permission by copyright holder

During the Google I/O developer conference, Chris Palmer from the Chrome security team talked about how Google and other browser developers scrambled to protect web surfers from Spectre-based attacks. Of the two processor vulnerabilities reported in January, Spectre can theoretically allow hackers to access sensitive data through a compromised website, requiring a different approach in how browsers must now render your favorite sites. 

As previously reported when Spectre was first revealed, part of a processor’s speed is based on predicting the quickest path to the current task’s end result. It tests the outcome using numerous “if/then” avenues, loading this data in local on-chip memory (aka cache). The problem in Spectre is that for all those avenues not taken, the data remains in the cache and can be seen across privilege levels, processes, and web page origins. 

Based on that leftover data, an attacker could insert code into JavaScript that runs in a loop and eventually gains access to “out of bounds” sensitive information. There were solutions available, but they severely hindered the processor’s performance. There were alternatives, but they required cooperation between browser developers that normally were at odds.

Working together for the safety of the web

The alternative method would require changing how web browsers would render a webpage — and this is where competing browser developers worked together to solve the problem. For instance, a webpage is typically comprised of different parts from different origins and rendered as a single page. But there could also be a “hostile” origin in the mix containing an element that can exploit the Spectre vulnerability using what are called “gadgets.” These gadgets can read data generated by the “safe” origins. 

Google’s first fix in Chrome was to turn off a feature called SharedArrayBuffer, so hackers couldn’t keep track of the timing used when data moves from the processor cache to the system memory. Palmer said this method was the easiest route to exploitation.  

“Other browsers did similar things, and we all collaborated to sort of figure out how we were going to do this in a way that doesn’t hurt the web so that we are all on the same page,” he said. “It’s kinda of a happy story that comes out of this is a really good collaboration between the security teams of a lot of different browser vendors. It’s been a great experience for all of us and I think we’re gonna come out with a much better web thanks to the help of everyone.” 

Image used with permission by copyright holder

Another “fix” was to turn off processor speculation on a micro-scale and change the way code is compiled to prevent speculation gadgets. This didn’t provide 100 percent protection but gave Google’s team “breathing room” to develop long-term fixes. 

Site isolation, shown above, was another useful tool against Spectre. It essentially isolates “good” from “bad” origins by assigning each origin with its own render process. Thus, origins are isolated from each other and protected against any origin that suddenly becomes evil. That evil origin can only read its own data. 

Unfortunately, site isolation and the accompanying cross-origin read blocking component will require 10 percent more system memory use, he said. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
I finally switched from Chrome to Mozilla Firefox — and you should too
mozilla firefox chrome review comparison 2020 mozillafirefoxcomentillustration

I have been in an on-and-off relationship with Mozilla Firefox for the past five years. Every time I’d get ecstatic over a major new Firefox update -- hoping to, at long last, break free from the hegemony of Google Chrome -- my hopes would be crushed as soon as I began browsing the web like I normally do.

Firefox's performance would fall noticeably short and struggle to keep up with my workflow, sending me scurrying back to Google Chrome after a few minutes of poking around. No matter how compelling the rest of Mozilla’s offerings were, they could never convince me to hit that "Yes" button whenever Firefox asked whether I’d like to set it as my default browser. Catching up to Chrome almost started to seem like a far-fetched goal for Firefox -- until recently.

Read more
Update your Google Chrome browser now: New exploit could leave you open to hacks
Google Chrome Stock Photo

If you’re a Google Chrome user, you should update the browser immediately. Google released a software update to the browser late yesterday evening that patches two zero-day vulnerabilities to the browser that could potentially allow the browser to be hijacked by hackers.
One of the vulnerabilities affects Chrome’s audio component (CVE-2019-13720) while the other resides in the PDFium (CVE-2019-13721) library.
Hackers can corrupt or modify the data in Chrome’s memory using the exploit, which will eventually give them access to the computer as a whole.
One of the exploits, CVE-2019-13720 has been discovered in the wild by researchers at Kaspersky.
Google says that the update to the browser will be rolling out to users automatically over the coming days and weeks.
That said, if you’re a Chrome user it would be more prudent for you to go ahead and do that update manually right now instead.
To make it happen you’ll want to launch Chrome on your computer and then click on “Chrome” in the menu bar followed by “About Chrome.” That will launch the Settings menu. From there,  click “About Chrome” at the bottom of the menu on the left. That will likely trigger an automatic update if yours hasn’t already happened. If it doesn’t, you’ll see a button to manually update the browser as well.
Once you update the browser you should be good to go without fear of the security threat becoming an issue. Last month many Mac users ran into issues with Google Chrome when it seemed to send computers into an endless reboot cycle.
An investigation by Mac enterprise and IT blog Mr. Macintosh found that the issue was actually a bug that deletes the symlink at the/var path on the Mac it’s running on, which essentially deletes a key in the MacOS system file.
That issue only impacted Macs where the System Integrity Protection (SIP) had been disabled. The issue particularly impacted older Macs that were made before SIP was introduced with OS X El Capitan in 2015.
All this comes as Google is gearing up to launch some major updates to Chrome, including one update that will change how you manage tabs using the browser. That update is expected to roll out later this year.

Read more
The Mac is on the verge of entering a new era
The MacBook Air on a white table.

According to a new report from Bloomberg, Macs are about to get a serious revamp. Don't expect a redesigned chassis or better displays, though. This new era is all about AI -- betcha didn't see that one coming.

Reporter Mark Gurman says that Apple is expected to refresh the entire lineup of Macs with M4 chips that "emphasize" AI capabilities starting in late 2024 and heading into 2025. It's unknown whether this new emphasis is just marketing or will refer to a true technical change. Apple's Neural Engine has been part of the Mac since 2020, when it was introduced in the M1 chip for the purpose of speeding up AI workloads.

Read more