React, etc. Tech Stack


Exploiting Speculative Execution (Meltdown/Spectre) via JavaScript

The critical vulnerabilities found in Intel and other CPUs represent a significant security risk. Because the flaw is so low level, the usual protections that web developers are used to don't apply. Even sandboxed JavaScript code can be used to exploit the vulnerabilities known as Meltdown and Spectre.

The issue affects Intel CPUs broadly, but AMD and various ARM processors are also susceptible to a similar attack. Browser vendors have already started mitigating the issue: Microsoft, for example, announced improvements to Internet Explorer and Microsoft Edge against speculative execution attacks. Mozilla has also taken action against the new class of timing attacks, and for Chromium-based browsers a fix is scheduled for version 64. The WebKit team also published a writeup on the implications of Spectre and Meltdown on their blog.

Due to the dynamic nature of the browser market (and the OS market in general) it will be virtually impossible to patch all browsers. This means that web services are threatened from an unusual attack vector that developers really can't protect against, but thankfully most browsers are now evergreen (auto-updating), which means fixes will be applied to contemporary devices in active use. Users can check if their browser is vulnerable with a Spectre browser vulnerability check.

For Chromium-based browsers such as Opera and Google Chrome, users can improve security with a feature known as Site Isolation. In general the lucky aspect is that the flaw is so low level that it is not trivial to exploit it to gain access to passwords or other sensitive data on a large scale; popular web applications like WordPress are a much more uniform target than a complete operating system.

There are already some examples online of exploiting CPU speculative execution using JavaScript, complete with an explanation of the disassembly for the code in question. One such example of vulnerable JavaScript is shown below, an excerpt from the paper on Spectre attacks:

JavaScript exploit of Speculative Execution (Meltdown/Spectre)

This marks a significant event not only for the OS market but for developers in general. Whereas web developers are used to working in an environment where it is virtually impossible to cause havoc at the operating system level, the CPU bug announced in early 2018 breaks this heyday. Spectre and Meltdown JavaScript exploits affect all browsers across different operating systems.

To follow up on patch status for Windows, Android, macOS, iOS, Linux distributions like Debian, Ubuntu and Red Hat, as well as other significant tools, you can check out a GitHub repository showing a summary of Meltdown / Spectre patches centrally: meltdownspectre-patches

More details of a similar vector can be read in a research paper on Practical Keystroke Timing Attacks in Sandboxed JavaScript from Graz University of Technology in Austria.

Update: It seems that new critical issues exploiting speculative execution, called the Skyfall and Solace vulnerabilities, have been announced. Stay tuned.

Written by Jorgé on Thursday January 4, 2018

Tags: javascript, meltdown, spectre
