Your new post is loading...
Mozilla confirms everybody's worst fears
In research published online late last night, Google didn't provide specific ways in which an attack could take place, but many security experts that looked over the Meltdown and Spectre academic papers said that web-based attacks are possible, and not just attacks using locally-delivered malicious code.
Hours after Google's announcement, Mozilla confirmed everybody's worst fear, that both Meltdown and Spectre are remotely exploitable by embedding attack code in mundane JavaScript files delivered via web pages.
"Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins," said Luke Wagner, a software engineer with the Mozilla Foundation.
Firefox added Meltdown and Spectre mitigations in November 2017
Details about the Meltdown and Spectre flaws had been shared with Mozilla since last year, and Wagner says that Firefox 57, released in mid-November, already includes some countermeasures.
Both Meltdown and Spectre are side-channel attacks that produce leak memory data. They both rely on the ability to very precisely measure time to deliver exploits that leak memory data.
To hinder the attacks' efficiency, Mozilla says it reduced the precision of Firefox's internal timer functions. This is not a full mitigation, but just an efficient and clever workaround.
Learn more / En savoir plus / Mehr erfahren:
https://www.scoop.it/t/securite-pc-et-internet
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Meltdown+and+Spectre+Attacks
Learn more / En savoir plus / Mehr erfahren:
https://www.scoop.it/t/securite-pc-et-internet
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Meltdown+and+Spectre+Attacks