Google Releases PoC Exploit for Browser-Based Spectre Attack (Security News, March 2021)
Google last week announced the release of proof-of-concept code designed to exploit the notorious Spectre vulnerability and leak information from web browsers.
In 2019, the Google team responsible for Chrome's V8 JavaScript engine said that the attack can't be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.
To keep their users safe, browser makers have already implemented protections such as Site Isolation, Cross-Origin Read Blocking, and out-of-process iframes. A variety of security features are available to other application developers as well, including Cross-Origin Resource Policy and Cross-Origin Opener Policy, among others.
To assess the effectiveness of such mitigations, Google's researchers have released JavaScript PoC code that works across multiple operating systems, architectures, and hardware variants, and that "confirms the practicality of Spectre exploits against JavaScript engines."
"The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes," Google explains.
In addition to releasing the PoC, Google is making recommendations on how web developers can improve site isolation to deny access to cross-origin resources, thus effectively mitigating Spectre-style hardware attacks, among others.
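As an added example (not code from Google or from the original article), the JavaScript function below audits a response's headers for the isolation policies named above: Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, and the Content-Type plus `X-Content-Type-Options: nosniff` pair that Cross-Origin Read Blocking works from. The function name, finding strings and sample responses are constructed for illustration.

```javascript
// Added example: audit response headers for cross-origin isolation policies.
// auditIsolationHeaders and its finding strings are hypothetical names.
function auditIsolationHeaders(headers) {
  // HTTP header names are case-insensitive: normalise names and values.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  // Drop parameters such as "; charset=utf-8" or "; report-to=...".
  const first = (v) => (v || '').split(';')[0].trim();
  const findings = [];

  // Cross-Origin-Resource-Policy: lets the browser refuse no-cors loads
  // (<img>, <script>, ...) of this resource by other origins or sites.
  const corp = first(h['cross-origin-resource-policy']);
  if (!corp) findings.push('CORP missing');
  else if (corp === 'cross-origin') findings.push('CORP allows every origin');
  else if (corp !== 'same-origin' && corp !== 'same-site') {
    findings.push('CORP value not recognised');
  }

  // Cross-Origin Read Blocking classifies responses by Content-Type;
  // nosniff tells the browser to trust the declared type.
  const type = first(h['content-type']);
  if (!type) findings.push('Content-Type missing');
  if (h['x-content-type-options'] !== 'nosniff') findings.push('nosniff missing');

  // Cross-Origin-Opener-Policy only applies to top-level documents.
  if (type === 'text/html') {
    const coop = first(h['cross-origin-opener-policy']);
    if (!coop || coop === 'unsafe-none') findings.push('COOP missing or unsafe-none');
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const weakApi = { 'Content-Type': 'application/json' };
const hardenedPage = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'X-Content-Type-Options': 'nosniff',
};

console.log(auditIsolationHeaders(weakApi));
console.log(auditIsolationHeaders(hardenedPage));
```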