[German]Here’s a tip for users of devices, who are wondering, if their browser is vulnerable for Spectre attacks. The test is independent of the device and operating system and there is no need to install anything.
Some Background information
Experienced users are aware of this, so they can skip the section. Since this year we know about to attack methods called Meltdown and Spectre. With these attack methods somebody can attack the computer chips contained in each device by software and access unauthorized data.
This works with (malicious) programs and apps and theoretically even works in a browser when surfing the Internet. This could allow malicious attackers to steal passwords or other sensitive data from users’ devices.
The Meltdown method works only on systems with Intel chips and affects Apple’s macOS, Microsoft’s Windows and Linux. There are already updates that are supposed to make this attack method ineffective.
Unfortunately, there is a second attack method called Spectre, which affects almost all modern CPUs/chips in all kinds of technical devices and can even be used when browsing with a browser. So, on a malicious web page, you might try to read out the user’s device memory to access passwords stored in memory.
This could be mitigated by upgraded browsers that limit the ability to attack via Spectre. And that’s exactly what the blog post is about – how can I test whether my browser is secure (according to current knowledge)?
I would like to mention it briefly at this point. I use here the term Meltdown and Spectre as vulnerabilities. Actually, these are the names of the attack methods. The vulnerabilities have other names such as CVE-2017-5753 (Spectre 1, Bounds Check Bypass), CVE-2017-5715 (Spectre 2, Branch Target Injection) and CVE-2017-57 (Meltdown, Rogue Data Cache Load). To simplify writing, I’m using Meltdown and Spectre within my blog as synonyms for vulnerabilities. Above are 2 Spectre vulnerability mentioned. One can be updated by Browser patches. But there is a 2nd Spectre vulnerability that needs a microcode update for the CPU, which isn’t addressed within this blog post.
A first test tool for Windows
Yesterday I described a tool to scan Windows for Meltdown and Spectre (see Tool tip: Ashampo Spectre Meltdown CPU-Checker). But that tool is available for Windows only – and the test results doesn’t say anything about the browser’s vulnerability.
As soon as the above window appears, click Start Test and wait until the program has checked the computer. The Ashampoo Spectre Meltdown CPU Checker performs the test, evaluates the result and displays the results.
The screenshot above shows the results of a test on my production machine under Windows 7 SP1 and the last Monthly Rollup Update is installed. Actually, I expected the machine to be not vulnerable. But the test says something else: The meltdown gap is indicated as fixed. Spectre has not yet been fixed on this machine. Obviously the fix for Spectre 2 (that need a microcode update) is missing.
Is your browser vulnerable?
So I decided to search for a Spectre test that classifies, whether a browser is vulnerable or not. German Blog reader PiXi left a comment, pointing to a website from chinese security provider xlab.tencent.com. They are offering this test useable within any browser (just open the link. So I tested several browsers available on my Windows 7 SP1 production machine.
Internet Explorer 11 and Microsoft Edge
I’ve installed the Monthly Rollup Update KB4056894 (see Critical Security Updates for Windows 7/8.1/Server (01/03/2018)). So I launched IE 11 end entered this URL. That’s what IE 11 reported so far.
My Internet Explorer isn’t vulnerable to Spectre (1). In a 2nd step I decided to run also a test with Edge browser on Microsoft Windows 10. Here is the result: Edge isn’t vulnerable too.
What’s about Firefox 57.0.4?
I’ve Firefox version 57.0.4 as a portable app on my Windows 7 machine. According to Mozilla, this version has been patched against Spectre. Here is, what I got as a result – Firefox 57.0.4 isn’t vulnerable.
Google Chrome and Slimjet
At least I tried to check Google Chrome (and the derived Slimjet browser). Chrome will be patched at end of January 2018. But it’s possible to set the option Strict site isolation, to isolate tabs in browser (see How to mitigate Spectre in Google Chrome). Here is the test result from Google Chrome, hardened using Strict site isolation.
As mentioned within my blog post How to mitigate Spectre in Google Chrome; I’ve had the situation, where Google Chrome did not pass the Spectre vulnerability test successfully. Restarting the browser fixed this and Chrome was successful in Spectre tests.
The Slimjet-Browser 17.0.4 seems to be more critical. Although slimjet is a Chrome cloen, the approach using Strict site isolation seems not to work. I’ve activated that flag, but the test result shown below, says that the browser is vulnerable.
The test discussed above may be used also with other browsers and on other operating systems (macOS, iOS, Android, Linux).
Note about the accuracy of this test from tencent’s site: If the result is VULNERABLE, it is definitely true. However, if the result is NOT VULNERABLE, it doesn’t mean your browser is absolutely not vulnerable because there might be other unknown attacking methods.
Microsoft releases Windows 10 Patch to fix Intel Bug
Critical Updates for Windows and Browser (01/03/2018)
Critical Security Updates for Windows 7/8.1/Server (01/03/2018)
Windows 10: Critical Updates (01/03/2018)
Windows 7/8.1: Updates KB4056894, KB4056895 released
Tool tip: Ashampo Spectre Meltdown CPU-Checker
Microsoft Patchday: Office, Flash, Windows (January 9, 2018)
How to mitigate Spectre in Google Chrome