Articles, trends, and advice on cloud security without compromise. Keep up with the latest blog insights on web isolation, network cybersecurity, malware, and more.


Isolating Meltdown & Spectre

iStock-591433872 600x300-3.jpg

2018 has barely started and we've already got our first big major security vulnerabilities of the year, with the media generating lots of deserved attention worldwide on them. In case you missed the news, two major CPU vulnerabilities have been disclosed by Google and several other researchers: Meltdown and Spectre 

The purpose of this blog is not to repeat the excellent public sources of information on the issues and mitigations, but to look at how isolation technology removes the risk for users from these specific attack vectors.

In recent days we have seen both Google and Mozilla, owners of the two most popular web browsers, confirm that their browsers are vulnerable to exploits that could use JavaScript on a webpage to initiate an attack that exploits these two new vulnerabilities. The attack would enable an attacker to get access to stored browser passwords, emails, and many other aspects of your day-to-day life on your PC. 

Why it’s a big deal?

Unlike many vulnerabilities, which are operating system, browser, or plugin specific, these vulnerabilities go across all major OSs in use today. The size and scope of the impact of Spectre and Meltdown correlates to their relative hype in the media.

Browser Isolation

The Menlo Security Isolation platform ensures that the user environment is fully protected. Both of the new attacks require running code on the target to trigger speculative execution, side effects of which can then be observed to read content the attacker would not normally be able to access.                                

Since the inception of Menlo Security in 2014, the vision of the company has been focused on removing the risk of the browser without losing the user experience. The use of JavaScript has been used in several proof of concepts created by Google and other researchers to show how trivial it is to deliver to targets via a webpage using embedded JavaScript. At time of writing, no threat actors are known to be using the exploits to deliver attacks yet.

Both Mozilla and Chrome are working on patches to resolve the issue as we speak, with patches expected in late January. Chrome has made recommendations on Chrome configuration to mitigate the issue in the meantime (Chrome Strict site isolation) and Firefox versions 57 and up have also implemented a quick fix reducing the ability of websites to gain access to the precise CPU timing details that would be required to execute an attack.

For more information on Menlo Security’s Isolation Platform, please refer to the data sheets and solution briefs at

Tags: browser-based attacks, remote browsers, web-based vulnerabilities, isolation technology

Connect with us

Lists by Topic

see all

Recent Posts