The flaws are embedded in the kernel operations within a system. When a command is sent to perform any task, the CPU passes control to the kernel, which stays below the surface in processes even once the CPU takes back control. This ensures smoother and faster performance, but it also means systems are potentially at risk at the kernel level. Attackers can use JavaScript code in the browser to potentially read memory on a user’s machine.

To help, browser vendors have implemented their own security measures, Mozilla’s Firefox among them. Version 57.0.4 introduces a workaround that should make its users safer. The main change is an adjustment to the time sources in the browser, making them less precise.

“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox,” explained Mozilla. “This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.”

However, Mozilla is also looking at more long-term solutions. It’s keeping the details close to its chest for now, but the approach involves removing the information leak closer to its source.
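As an added illustration (not code from Mozilla or from the original article), the JavaScript below models what reducing a time source's precision does: two short intervals that a precise clock tells apart can read as the same value on a coarsened one. The 20-unit resolution, the simulated clock and all function names are assumptions made for the example.

```javascript
// Added example: models a reduced-precision time source. All values are constructed.

// Round a timestamp down to a multiple of `resolution` (same unit as `t`).
function coarsen(t, resolution) {
  return Math.floor(t / resolution) * resolution;
}

// Wrap any clock so that its readings are coarsened.
function coarseClock(clock, resolution) {
  return () => coarsen(clock(), resolution);
}

// Constructed deterministic clock: advances `step` units on every read.
function makeFakeClock(step) {
  let t = 0;
  return () => (t += step);
}

// Smallest non-zero step seen between consecutive reads,
// i.e. the effective resolution the clock exposes.
function observedStep(clock, samples = 2000) {
  let min = Infinity;
  let prev = clock();
  for (let i = 0; i < samples; i++) {
    const now = clock();
    if (now !== prev) {
      min = Math.min(min, now - prev);
      prev = now;
    }
  }
  return min;
}

// A duration as it would be measured with a clock of the given resolution.
function measure(start, duration, resolution) {
  return coarsen(start + duration, resolution) - coarsen(start, resolution);
}

console.log("precise clock:", measure(100, 3, 1), measure(100, 7, 1));
console.log("coarse clock: ", measure(100, 3, 20), measure(100, 7, 20));
console.log("observed step, coarse clock:",
  observedStep(coarseClock(makeFakeClock(1), 20)));
if (typeof performance !== "undefined") {
  console.log("observed step of performance.now() (ms):",
    observedStep(() => performance.now()));
}
```

Pasting `observedStep(() => performance.now())` into a browser console reports the granularity that browser currently exposes, which is a quick way to confirm a reduced-precision build is in use.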
Google Chrome Patch Coming
Mozilla’s patch follows that of Microsoft, which implemented a very similar method in Edge and Internet Explorer, as well as changes to Windows. Chrome, which makes up the majority of the browser market share, is yet to release a patch. However, Google has revealed that a release is in the works. It will come with Chrome 64, which is set to release on January 24. In the meantime, users can enable Site Isolation, which isolates webpages into separate address spaces. Even so, some, including CERT, believe that the only way to truly fix Spectre and Meltdown is hardware replacement. If correct, it could become very expensive for chip makers.