Security News

As Google security engineers pointed out, these mechanisms do not prevent the Spectre exploit, but rather "Protect sensitive data from being present in parts of the memory from which they can be read by the attacker." To further reduce the risk of data leakage, website owners should add an extra line of defense to protect the actual data in memory in the event that all other security controls.

Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against...

Google has released proof-of-concept exploit code, which leverages the Spectre attack against the Chrome browser to leak data from websites. Three years after the Spectre attack was first disclosed, researchers with Google have now released a demonstration website that leverages the attack, written in JavaScript, to leak data at a speed of 1 kilobyte per second when running on Chrome 88 on an Intel Skylake CPU. The researchers said they hope the PoC will light a fire under web application developers to take active steps to protect their sites.

Google last week announced the release of proof-of-concept code designed to exploit the notorious Spectre vulnerability and leak information from web browsers. In 2019, the Google team responsible for Chrome's V8 JavaScript engine said that the attack can't be mitigated at the software level, arguing that security boundaries in browsers should be aligned with low-level primitives, such as process-based isolation.

Google on Friday released proof-of-concept code for conducting a Spectre-based attack against its Chrome browser to show how web developers can take steps to mitigate browser-based side-channel attacks. The code, posted to GitHub, demonstrates how an attacker can pull data from device memory at speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. According to Google, the attack should work on other browsers, even those running on Arm-based Apple M1 chips.

Google has published JavaScript proof-of-concept code to demonstrate the practicality of using Spectre exploits targeting web browsers to access information from a browser's memory. According to the Google Security Team, the PoC shared today works across a wide range of processor architectures, operating systems, and hardware generations.

Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one. Last month, Mike West, a Google security engineer, drafted a note titled, "Post-Spectre Web Development," and Mozilla's Daniel Veditz of the W3C's Web Application Security Working Group asked the group to come to a consensus on supporting the recommendations.

A researcher revealed on Monday that some exploits for the notorious CPU vulnerability known as Spectre were uploaded recently to the VirusTotal malware analysis service. In a blog post titled Spectre exploits in the "Wild", researcher Julien Voisin shared a brief analysis of a Spectre exploit for Linux that had been uploaded to VirusTotal in early February.

Working exploits targeting Linux and Windows systems not patched against a three-year-old vulnerability dubbed Spectre were found by security researcher Julien Voisin on VirusTotal. Voisin found the two working Linux and Windows exploits on the online VirusTotal malware analysis platform.

IBM Power9 processors, intended for data centers and mainframes, are potentially vulnerable to abuse of their speculative execution capability. On Thursday IBM published a security advisory that explains, "IBM Power9 processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances."