This blog post shows how to mitigate the Spectre attack in the Google Chrome browser using Strict site isolation.
The Spectre attack
Browsers need to be patched
To avoid information disclosure within a browser, developers have begun to patch their browsers against this vulnerability. Microsoft updated Internet Explorer and Microsoft Edge on January 9, 2018 (Patch Tuesday). Mozilla's developers have also released Firefox 57.0.4, which contains a Spectre patch.
Google Chrome is expected to be patched by the end of January 2018, so Chrome is currently vulnerable to the Spectre method. Fortunately there is a cure to mitigate the vulnerability: the (experimental) Strict site isolation feature.
Mitigate Spectre in Chrome
The steps to mitigate Spectre in Google Chrome are simple. Just fire up Google Chrome (the latest version) and enter chrome://flags/#enable-site-per-process in the address bar. This opens the settings for Strict site isolation (see next picture).
Click the Activate button next to Strict site isolation and restart Google Chrome. This enables Strict site isolation, but be aware that this feature is highly experimental, as noted in the option description.
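The flag toggled above has two equivalents an administrator can script instead of clicking through chrome://flags: the `--site-per-process` command-line switch and the `SitePerProcess` managed policy. The following shell helpers are an added example written for this post, not code from the original article or from Google; the managed-policy directory, the `ps`/`grep` process check and the Linux host are assumptions, and `cmdline_has_site_isolation` is a hypothetical helper so the check can be exercised without a running browser.

```shell
#!/bin/sh
# Added example (not from the original post). Defender-side helpers for
# enforcing and verifying Strict site isolation in Chrome on a Linux host.
#
#  1. write_site_isolation_policy DIR
#       Writes a Chrome managed-policy file that sets SitePerProcess=true,
#       the policy form of chrome://flags/#enable-site-per-process. Unlike the
#       flag it is enforced and cannot be turned off by the user.
#       Assumed production DIR: /etc/opt/chrome/policies/managed (needs root).
#  2. chrome_has_site_isolation
#       Returns 0 if a running chrome/chromium browser process was launched
#       with --site-per-process (the switch form of the same setting).
#  3. cmdline_has_site_isolation CMDLINE
#       Hypothetical pure helper: returns 0 if CMDLINE carries the switch.

write_site_isolation_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Policy file contents (constructed for this example).
    cat > "$dir/site_isolation.json" <<'EOF'
{
  "SitePerProcess": true
}
EOF
}

cmdline_has_site_isolation() {
    # Pad with spaces so the switch matches only as a whole token.
    case " $1 " in
        *" --site-per-process "*) return 0 ;;
        *) return 1 ;;
    esac
}

chrome_has_site_isolation() {
    # Look at the command lines of all processes, keep those whose executable
    # name contains chrome/chromium, and test each for the switch.
    ps -eo args 2>/dev/null | grep -E '^[^ ]*(chrome|chromium)[^ ]*( |$)' |
    while IFS= read -r line; do
        if cmdline_has_site_isolation "$line"; then
            exit 0
        fi
    done
    # The subshell exits 0 only when a match was found; anything else is "no".
    [ $? -eq 0 ]
}

# Usage (as root):
#   write_site_isolation_policy /etc/opt/chrome/policies/managed
#   google-chrome   # then check chrome://policy, or run chrome_has_site_isolation
# Without a policy, the switch can be passed directly: google-chrome --site-per-process
```

The policy route is the one to prefer on managed machines: a flag set in chrome://flags lives in the user's profile and can be reverted, while a file under the managed-policy directory is applied at every start and shows up on chrome://policy, which makes it easy to audit.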
I've had situations where Spectre vulnerability tests showed that my Google Chrome was vulnerable. Restarting the browser fixed the issue, and a second test showed Google Chrome wasn't vulnerable. You can use the techniques discussed in my blog post Test: Is my browser vulnerable to Spectre attacks? to test the browser.