Here is a brief FAQ regarding browsers and the Spectre/Meltdown vulnerabilities in AMD, Intel and ARM CPUs.
A: Yes, browsing the web can give third parties access to your machine's memory beyond the browser.
Q: Is the threat real or mostly theoretical?
A: The threat is real, but because of the nature of the vulnerability it is not trivial to come up with a universal exploit to get valuable information. Vulnerabilities in web applications like WordPress are much more uniform and easy to exploit due to their restricted scope.
Q: Can and are browser vendors creating fixes?
A: Yes, browser vendors can minimise the likelihood of the vulnerability being exploited. Microsoft, Google and Mozilla have already undertaken measures and browsers will be updated.
A: Yes, the underlying Operating System update to Windows, macOS or Linux will make the issue obsolete even if you are using a browser that has no fix.
Q: Is Node.js running on the server vulnerable to this issue?
Q: Is there an Operating System or Browser update already available to patch the Meltdown and Spectre vulnerabilities?
A: An easy way to track updates centrally is a GitHub page that tracks the status of updates for Browsers like Chrome, Firefox, and popular operating systems like Android, Windows, macOS, and iOS for iPhones and iPads. You can find the page here: meltdownspectre-patches
Q: Will using incognito or private mode protect me from the Spectre vulnerability?
A: No, attackers can bypass any security feature, including private modes in Chrome, Firefox and Safari browsers.
Q: If I use a shared computer in a library or a shared smartphone, how do I know if the device is vulnerable?
Q: Does this information relate to Skyfall and Solace vulnerabilities?
A: The Skyfall and Solace vulnerabilities were a hoax.
Q: Is Linux vulnerable?
A: Yes, but there is already an update to the Linux Kernel that mitigates them.
Q: What is the difference between Spectre v1 and v2?
A: There are two variants of the Spectre vulnerability which need fixes of their own. So technically there are three vulnerabilities in the series.
Q: Why did Microsoft roll back the Spectre fix?
A: Microsoft rolled back a Spectre v2 fix in Windows due to instability and memory corruption. Users can expect further fixes in the future.
Q: What are MeltdownPrime and SpectrePrime?
A: These are new attacks using the same vulnerabilities. MeltdownPrime and SpectrePrime were unveiled in February 2018.
Written by Jorgé on Thursday January 4, 2018