• Born: Is my browser vulnerable for Spectre attacks?

    #158486

    Günter Born has an important recap of the test website xlab.tencent.com, which has a tool that can check to see if your browser is currently susce
    [See the full post at: Born: Is my browser vulnerable for Spectre attacks?]

    10 users thanked author for this post.
    • #158500

      If I recall from seeing the source code for this test, this test will always report “not vulnerable” if a browser feature called SharedArrayBuffer is not available. SharedArrayBuffer provides a source of timers that a Spectre attack needs, but there are other sources available. There is probably no test that could prove that a browser isn’t vulnerable to Spectre.

      7 users thanked author for this post.
      • #158530

        Yes, it doesn’t mean much. Probably anyone who will develop a working exploit for javascript will have found an alternative way to obtain reliable time and will have tested it against a patched Firefox, IE, Chrome, etc.

        4 users thanked author for this post.
      • #158541

        Indeed

        my Opera 12.18 reported not vulnerable, likewise FlashPeak Slimjet (old version from 2016)

        5 users thanked author for this post.
      • #158547

        From https://twitter.com/bojanz/status/950458779744825344: “Tencent released a PoC for #spectre at http://xlab.tencent.com/special/spectre/exploit/check.js … Won’t work with patched browsers due to usage of SharedArrayBuffer”

        2 users thanked author for this post.
      • #158558

        I tested an old portable Firefox (v33.x — which definitely has no SharedArrayBuffer feature, as opposed to it being disabled) at Tencent-Xuanwu Lab’s Spectre Online Checker, & the result is instantaneously given as:

        $ Start checking…
        $
        $ According to our checking
        $ Your browser is NOT VULNERABLE to Spectre

        This is despite the fact that Javascript is enabled, & neither the CPU nor the Win OS kernel is patched against Meltdown-Spectre.

        I suppose the online test only checked for the possibility of SharedArrayBuffer-type exploits, but the real world of black hats probably can come up with more tricks.

        4 users thanked author for this post.
    • #158518

      Brave is rated as ‘Vulnerable’ also. Just checked it.

    • #158527

      Pale Moon 27.6.2 (64 bit) is listed as not vulnerable by this test.

      • #158566

        The 32 bit version of Pale Moon 27.6.2 also shows as not vulnerable.

    • #158532

      Opera is labeled as vulnerable

    • #158576

      My Firefox 56.0.2 check says not vulnerable.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

    • #158578

      It’s way too early to tell. The test must first be reliable.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #158594

      Tested the latest Firefox ESR 52.5.3 (64-bit) on Win 7 Pro machines and a cheap Win 10 tablet. All show as not vulnerable. But as many have said, this isn’t enough to “rest assured”.

      Especially for me with older Core i5 CPUs on Lenovo T410 machines and Lenovo Edge 15 (E50) machines, neither of which are supported by Lenovo now. Processor microcode will likely not be developed by Intel nor issued as a BIOS update by Lenovo.

      All our machines are in good shape and do what we need at present. As retirees, we are not excited about having to buy all new machines, let alone having to deal with them being (ugh..) Win 10, though making them Linux is probably our future path….

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      2 users thanked author for this post.
      • #158785

        Hi Steven S.:

        From the Mozilla Security Blog entry Mitigations Landing for New Class of Timing Attack:

        Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.

        That same blog entry notes that Firefox v57.0.4 update (released 03-Jan-2018) fixed two timing mitigations [SharedArrayBuffer and performance.now()] for the Spectre vulnerability, and other timing sources and time-fuzzing techniques are still being worked on.

        According to the Chromium.org article Actions Required to Mitigate Speculative Side-Channel Attack Techniques:

        Chrome has disabled SharedArrayBuffer on Chrome 63 starting on Jan 5th, and will modify the behavior of other APIs such as performance.now, to help reduce the efficacy of speculative side-channel attacks. This is intended as a temporary measure until other mitigations are in place…Chrome’s JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018.”
        ————
        32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

        2 users thanked author for this post.
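Added example, not part of any post in this thread and not Tencent's check.js: a report on the two timing mitigations quoted above from Mozilla and Chromium (SharedArrayBuffer availability and performance.now() granularity). The function names, the `fakeEnv` helper and the verdict strings are assumptions of this example; the verdict never says "not vulnerable", for the reason given in #158500.

```javascript
// Added example: names and verdict wording are this example's own assumptions.

// Smallest non-zero step seen between consecutive clock readings, in ms.
// A coarsened performance.now() shows up as a larger step.
function estimateResolutionMs(now, samples = 2000) {
  let smallest = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const delta = t - prev;
    if (delta > 0 && delta < smallest) smallest = delta;
    prev = t;
  }
  return smallest; // Infinity if the clock never advanced while sampling
}

// env is the global object to inspect (globalThis in a browser or Node).
function timerMitigationReport(env, samples) {
  const sabAvailable = typeof env.SharedArrayBuffer === "function";
  const hasPerf = env.performance && typeof env.performance.now === "function";
  const resolutionMs = hasPerf
    ? estimateResolutionMs(() => env.performance.now(), samples)
    : null;
  return {
    sabAvailable,
    resolutionMs,
    // A missing timer source removes one route only, so no "safe" verdict.
    verdict: sabAvailable
      ? "SharedArrayBuffer exposed: this timing source is available"
      : "SharedArrayBuffer absent: inconclusive, other timing sources may remain",
  };
}

// Constructed environment for offline checks: a clock that advances 0.25 ms
// per call but is reported rounded down to multiples of stepMs.
function fakeEnv(withSab, stepMs) {
  let calls = 0;
  const now = () => Math.floor((calls++ * 0.25) / stepMs) * stepMs;
  const env = { performance: { now } };
  if (withSab) env.SharedArrayBuffer = function SharedArrayBuffer() {};
  return env;
}

console.log(timerMitigationReport(globalThis));
```

Pasted into a browser console, the last line reports on that browser; a large `resolutionMs` together with `sabAvailable: false` means the two mitigations named in the quotes are active, nothing more.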
    • #158623

      Tested my beloved SeaMonkey 2.49.1 and it says it’s not vulnerable. Of course, I first had to tell NoScript to allow the test.

    • #158645

      I tried to do the vulnerability check, but the page never changed after clicking the CHECK button… Until I noticed the email alert from my firewall that showed that it had blocked the high-security threat. So that was a very useful check of our security!

      I fully expected the browser to show up as vulnerable as we haven’t patched IE since December, but the firewall is protecting us in the meantime.

      Happy days!

      No matter where you go, there you are.

    • #158650

      Thanks for letting us fingerprint your computer!

      Sincerely,

      Tencent and Chinese Government

      4 users thanked author for this post.
    • #158657

      I believe that any web browser used on a device that is vulnerable to Spectre is vulnerable to Spectre, unless the web browser doesn’t allow JavaScript or other programmability.

      “The browser rendering engine WebKit‘s developers have written blog post What Spectre and Meltdown Mean For WebKit, parts of which are probably applicable to web browsers in general:”

      1 user thanked author for this post.
      • #158916

        But isn’t JavaScript (as opposed to Java plugins) needed for maintaining a good deal of a browser’s functionality?

        Is this a “d***ed if you do, d***ed if you don’t” situation?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #158923

          “But isn’t JavaScript (as opposed to Java plugins) needed for maintaining a good deal of a browser’s functionality?”

          Yes, but one can use an ad blocker and/or selectively allow which domains JavaScript can run from.

          2 users thanked author for this post.
    • #158810

      With Chrome you can enable site isolation but it’s going to eat up RAM and could break some sites. Google cautions it’s still experimental. I suspect eventually some of this will end up in the browsers by default in a few months. Not surprising given the hardware is not changing or 100% fixed, so browsers will be part of the solution.

    • #158813

      For those of us running Linux Mint, there’s this from their Website (some of it may be of use in Windows as well):
      Firefox 57.0.4
      Firefox was patched. Please use the Update Manager to upgrade it to version 57.0.4.
      NVIDIA 384.111
      If you are using the NVIDIA proprietary drivers, upgrade them to version 384.111.
      In Linux Mint 17.x and 18.x, this update is available in the Update Manager.
      In LMDE, it is available on the NVIDIA Website.

      Chrome Site Isolation
      If you are using Google Chrome or Chromium, please follow the steps below:
      Type chrome://flags in the address bar and press Enter.
      Scroll down the page and find “ and press the Enable button.
      Restart the Chrome browser.
      https://www.chromium.org/Home/chromium-security/ssca

      Opera
      If you are using the Opera browser, visit opera://flags/?search=enable-site-per-process, click Enable and restart Opera.

      Linux Kernel
      Please use the Update Manager to upgrade your Linux kernel.
      The following versions were patched:
      3.13 series (Linux Mint 17 LTS): patched in 3.13.0-139
      3.16 series (LMDE): patched in 3.16.51-3+deb8u1
      4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
      4.13 series (Linux Mint 18 HWE): patched in 4.13.0-25

      Note: The current HWE series in Linux Mint 18 moved from 4.10 to 4.13.
      Some users reported issues with early kernel updates (4.4.0-108 issues in particular were fixed since in 4.4.0-109). We strongly recommend you use Timeshift to create a system snapshot before applying the updates. Timeshift is installed by default in Linux Mint 18.3 and available in the repositories for all Linux Mint 17.x and 18.x releases.

      Intel Microcode
      Please use the Update Manager to upgrade intel-microcode to version 3.20180108.0.
      Note: If intel-microcode isn’t installed on your computer, run the Driver Manager to see if it’s needed.

      Edit to remove HTML. May not appear as poster intended.
      PLEASE convert to plain text before cut/paste

    • #159009

      I’m told by a user that Win10 Opera 50 tested as not vulnerable
