JavaScript Spectre/Meltdown FAQ
The security flaw in the speculative execution feature of CPUs was unearthed in early 2018. This is a significant security vulnerability and is likely to be exploited by malicious attackers. Sandboxed JavaScript code in web sites and web applications can be used to exploit the vulnerability.
Here is a brief FAQ regarding browsers and the Spectre/Meltdown vulnerability in AMD, Intel and ARM CPUs.
-
Q: Is JavaScript vulnerable in my browser?
A: Yes, browsing the web can give third parties access to your machine's memory beyond the browser.
-
Q: Is the threat real or mostly theoretical?
A: The threat is real, but because of the nature of the vulnerability it is not trivial to come up with a universal exploit to get valuable information. Vulnerabilities in web applications like WordPress are much more uniform and easy to exploit due to their restricted scope.
-
Q: Can and are browser vendors creating fixes?
A: Yes, browser vendors can minimise the likelihood of the vulnerability being exploited. Microsoft, Google and Mozilla have already undertaken measures and browsers will be updated.
-
Q: If my Operating System has been patched will this solve the issue for JavaScript too?
A: Yes, the underlying Operating System update to Windows, macOS or Linux will make the issue obsolete even if you are using a browser that has no fix.
-
Q: Is Node.js running on the server vulnerable to this issue?
A: Yes, but as the code only runs on the server, malicious third parties cannot execute JavaScript code in your local environment. Naturally, you will need to ensure your shared hosting environment (cloud, VPS, etc.) is up to date.
-
Q: Is there an update available, or has my Operating System or Browser already been updated, to patch the Meltdown and Spectre vulnerabilities?
A: An easy way to track updates centrally is a GitHub page that tracks the status of updates for Browsers like Chrome, Firefox, and popular operating systems like Android, Windows, macOS, and iOS for iPhones and iPads. You can find the page here: meltdownspectre-patches
-
Q: Will using incognito or private mode protect me from Spectre vulnerability?
A: No, attackers can bypass any security feature, including private modes in Chrome, Firefox and Safari browsers.
-
Q: If I use a shared computer in a library or a shared smartphone, how do I know if the device is vulnerable?
A: When using an unknown device that you are not sure is protected, you should visit the Spectre JavaScript vulnerability check before continuing browsing.
-
Q: Does this information relate to Skyfall and Solace vulnerabilities?
A: The Skyfall and Solace vulnerabilities were a hoax.
-
Q: Is Linux vulnerable?
A: Yes, but there is already an update to the Linux kernel that mitigates them.
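For the Node.js and Linux questions above, one way to check whether a Linux host's kernel reports mitigations, as an added example that is not part of the original FAQ. It reads the status files Linux exposes under /sys/devices/system/cpu/vulnerabilities (kernel 4.15 and later); the function names and the sample directory are constructed for illustration.

```javascript
// Added example: report kernel-side Meltdown/Spectre status on a Linux host.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Linux exposes one status file per issue here (kernel 4.15 and later).
const SYSFS_DIR = '/sys/devices/system/cpu/vulnerabilities';
const ISSUES = ['meltdown', 'spectre_v1', 'spectre_v2'];

// Reduce the kernel's one-line report to a coarse state.
function classify(line) {
  if (line.startsWith('Not affected')) return 'not-affected';
  if (line.startsWith('Mitigation:')) return 'mitigated';
  if (line.startsWith('Vulnerable')) return 'vulnerable';
  return 'unknown';
}

// Read every status file; a missing or unreadable file is reported as
// "unknown", which is what a kernel without this interface looks like.
function readStatus(dir = SYSFS_DIR) {
  const report = {};
  for (const name of ISSUES) {
    try {
      const detail = fs.readFileSync(path.join(dir, name), 'utf8').trim();
      report[name] = { state: classify(detail), detail };
    } catch (err) {
      report[name] = { state: 'unknown', detail: `unreadable (${err.code})` };
    }
  }
  return report;
}

// Issues an operator still has to follow up on.
function needsAttention(report) {
  return ISSUES.filter((n) => ['vulnerable', 'unknown'].includes(report[n].state));
}

// Constructed sample directory so the example also runs off Linux.
function makeSampleDir() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'cpuvuln-'));
  fs.writeFileSync(path.join(dir, 'meltdown'), 'Mitigation: PTI\n');
  fs.writeFileSync(path.join(dir, 'spectre_v1'), 'Vulnerable\n');
  return dir; // spectre_v2 left out on purpose: simulates an older kernel
}

const dir = fs.existsSync(SYSFS_DIR) ? SYSFS_DIR : makeSampleDir();
const report = readStatus(dir);
console.table(report);
console.log('needs attention:', needsAttention(report).join(', ') || 'none');
```

An "unknown" result means the kernel did not report a status, so treat it as unpatched until the kernel version has been checked against the distribution's advisories.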
-
Q: What is the difference between Spectre v1 and v2?
A: There are two variants of the Spectre vulnerability which need fixes of their own. So technically there are three vulnerabilities in the series.
-
Q: Why did Microsoft roll back the Spectre fix?
A: Microsoft rolled back a Spectre v2 fix in Windows due to instability and memory corruption. Users can expect further fixes in the future.
-
Q: What are MeltdownPrime and SpectrePrime?
A: These are new attacks using the same vulnerabilities. MeltdownPrime and SpectrePrime were unveiled in February 2018.
Written by Jorgé on Thursday January 4, 2018