How to mitigate Spectre in Google Chrome

This blog post shows how to mitigate the Spectre attack in the Google Chrome browser using Strict site isolation.


The Spectre attack

An attack method called Spectre has been known since last week. Spectre breaks the isolation of applications and browser tabs. This attack allows hackers to steal private and personal data from the processes running other websites (or other applications) by scanning the device's memory. The bad news: this private data may include your login details too. To be clear: the Spectre vulnerability lets a process read and steal the data of any other process. This can be done using JavaScript within a browser tab.

Browsers need to be patched

To avoid information disclosure within a browser, developers have begun to patch their browsers against this vulnerability. Microsoft updated Internet Explorer and the Microsoft Edge browser on January 9, 2018 (Patchday). Mozilla's developers have also released Firefox 57.0.4, which contains a Spectre patch.

Google Chrome is scheduled to be patched by the end of January 2018. So Chrome is vulnerable to the Spectre method. Fortunately, there is a way to mitigate the vulnerability, using the (experimental) Strict site isolation.

Mitigate Spectre in Chrome

The steps to mitigate Spectre in Google Chrome are simple. Just start Google Chrome (at least a recent version) and enter chrome://flags/#enable-site-per-process in the address bar. This opens the setting for Strict site isolation (see next picture).

Chromium enable-site-per-process


Click the Activate button next to Strict site isolation and restart Google Chrome. This enables Strict site isolation, but be aware that this feature is highly experimental, as noted in the option description.

I've had situations where Spectre vulnerability tests showed that my Google Chrome was vulnerable. Restarting the browser fixed the issue, and a 2nd test showed Google Chrome wasn't vulnerable. You can use the techniques discussed in my blog post "Test: Is my browser vulnerable for Spectre attacks?" to test the browser.
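
To check that the setting from the steps above has actually been stored, the following added example (not part of the original post) reads Chrome's Local State file and reports whether Strict site isolation is switched on through chrome://flags or through the `--site-per-process` command-line switch. The file locations and the `enabled_labs_experiments` key are assumptions based on a default Chrome installation; the sample input is constructed.

```python
import json
import os

FLAG = "enable-site-per-process"   # name used by chrome://flags/#enable-site-per-process
SWITCH = "--site-per-process"      # Chromium command-line switch for the same feature

# Usual Local State locations (assumption: default install, default user data dir).
CANDIDATES = [
    "~/.config/google-chrome/Local State",
    "~/Library/Application Support/Google/Chrome/Local State",
    os.path.join(os.environ.get("LOCALAPPDATA", ""),
                 "Google", "Chrome", "User Data", "Local State"),
]

def flag_set(local_state_text):
    """True if chrome://flags has recorded Strict site isolation as enabled."""
    try:
        state = json.loads(local_state_text)
    except ValueError:
        return False  # unreadable or truncated file: treat as not enabled
    browser = state.get("browser") if isinstance(state, dict) else None
    labs = browser.get("enabled_labs_experiments") if isinstance(browser, dict) else None
    # Exact match only: a plain on/off flag is stored under its bare name.
    return isinstance(labs, list) and FLAG in labs

def isolation_sources(local_state_text, argv=()):
    """List every place where Strict site isolation is switched on."""
    sources = []
    if flag_set(local_state_text):
        sources.append("chrome://flags")
    if SWITCH in argv:
        sources.append("command line")
    return sources

# Constructed sample input: a minimal Local State file with the flag enabled.
SAMPLE = '{"browser": {"enabled_labs_experiments": ["enable-site-per-process"]}}'

if __name__ == "__main__":
    print("sample:", isolation_sources(SAMPLE))
    for path in map(os.path.expanduser, CANDIDATES):
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                print(path, "->", isolation_sources(fh.read()) or "not enabled")
```

A stored flag only takes effect after Chrome has been restarted, so a hit here means the setting is recorded, not that the running browser is already isolating sites.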
