Google Chrome Mitigates Spectre Vulnerability Via Site Isolation

Google Chrome image

The recent rise of Spectre vulnerabilities that allows malicious code to hijack sensitive data is being addressed in the latest version Google Chrome. The latest security blog from the browser’s blog gives insight on Chrome’s ability to mitigate the issue by using the site isolation mechanism.

Site Isolation Will Protect Google Chrome From The Spectre Vulnerability

The rise of the Spectre vulnerabilities with their capability of hijacking sensitive information using simple code has raised serious concerns among hardware vendors and software developers to find ways quickly to resolve any possible abuse. The Google Chrome development team recently announced in a blog post that they are adding Site Isolation — the feature will be enabled in all versions since Chrome 67. To this date this feature was available as an optional function that the users needed to enable manually.

The Spectre vulnerability is very dangerous as web browsers generally run JavaScript code, many of them can be malicious. The Spectre vulnerability allows malware-infected code to use the side channels and potentially harvest data from other sites that are executed in the process thread. This mechanism is directly prevented by the inclusion of site isolation in Google Chrome.

By itself the addition of this mechanism changes Google Chrome’s underlying architecture into limiting the way different sites are processed. By design the browser featured a multi-process operation which defined each tab to a separate rendered process. The different tabs can even switch processes when navigating to a new site in certain situations. However the Spectre vulnerability proof-of-concept attacks do show a hypothetical attack model. It allows hackers to construct malicious pages revealing sensitive data.

An example would be the use of cross-site iframes and pop-ups which in many cases are processed in the same (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Martin Beltov. Read the original post at: