01-06-2018 , 03:04 AM
http://news.softpedia.com/news/google-ch...9245.shtml Google Chrome to Get Meltdown and Spectre Patches on January 23
A method to remain protected already exists, though
Jan 5, 2018 10:53 GMT · By Bogdan Popa
Microsoft has already shipped updates to keep Edge users protected against the recently discovered CPU flaws and Mozilla did the same thing with the release of Firefox 57.0.4 only a few hours ago.
Google, on the other hand, which ironically is the company that discovered the said Meltdown and Spectre vulnerabilities, won’t deliver patches for Chrome browser until January 23 when version 64 is expected to ship.
“Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack,” Google says.
Just like Microsoft and Mozilla, Google Chrome 64 will disable SharedArrayBuffer by default and modify the behavior of performance.now() by reducing precision from 5µs to 20µs in order to block exploits attempting to take advantage of the security vulnerabilities.
Google acknowledges that “a performance penalty” might be experienced after making these changes, but says that they’re both only temporary until other mitigations are developed and the current functionality of the browser can be restored.
How to stay protected until Chrome 64 lands
In the post on the Chromium project site, Google explains that users can already remain protected against the two security bugs if they enable Site Isolation, an experimental feature which by default comes turned off in the stable versions of Chrome browser.
To enable Site Isolation, users only have to type chrome://flags#enable-site-per-process in the current stable version of Chrome browser and click Enable on the button next to the highlighted option. By default, this option creates a dedicated process for every website, which prevents sites from sharing data with one another and so keeps attackers from stealing it.
With no other parameters configured, this feature isolates all sites, but you can also configure it only for specific websites using the following command-line flags:
For just one site:
--isolate-origins=https://example.com
For multiple sites (notice the comma):
--isolate-origins=https://example.com,https://example2.com
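The two Chrome 64 changes named in the article (SharedArrayBuffer disabled, performance.now() coarsened to 20µs) can be checked from script. The sketch below is an added example, not code from the article or from Google; the function names are hypothetical and the quantized clock is constructed so the check also runs offline.

```javascript
// Added example: report whether the two Chrome 64 mitigations named in the
// article are visible to script. All function names are hypothetical.

// Estimate timer granularity in milliseconds: the smallest non-zero step
// seen between consecutive readings of `clock`.
function estimateResolutionMs(clock, samples = 200000) {
  let prev = clock();
  let smallest = Infinity;
  for (let i = 0; i < samples; i++) {
    const now = clock();
    const step = now - prev;
    if (step > 0 && step < smallest) smallest = step;
    prev = now;
  }
  return smallest; // Infinity if the clock never advanced
}

// `env` is the global object to inspect; `clock` returns milliseconds.
function checkMitigations(env, clock, samples) {
  const resolutionUs = estimateResolutionMs(clock, samples) * 1000;
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer !== 'undefined',
    timerResolutionUs: resolutionUs,
    // 20µs is the Chrome 64 figure quoted in the article; the small
    // tolerance absorbs floating-point rounding.
    timerCoarsened: resolutionUs >= 20 - 1e-6,
  };
}

// Constructed clock for offline runs: advances 1µs per call and reports
// milliseconds rounded down to a multiple of `stepUs`.
function makeQuantizedClock(stepUs) {
  let tUs = 0;
  return () => {
    tUs += 1;
    return (Math.floor(tUs / stepUs) * stepUs) / 1000;
  };
}

// In a browser console:
//   checkMitigations(globalThis, () => performance.now())
```

The smallest observed step is an estimate: it can only overstate the granularity if the loop runs slower than one timer tick.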