2018 has barely started and we've already got our first big major security vulnerabilities of the year, with the media generating lots of deserved attention worldwide on them. In case you missed the news, two major CPU vulnerabilities have been disclosed by Google and several other researchers: Meltdown and Spectre
The purpose of this blog is not to repeat the excellent public sources of information on the issues and mitigations, but to look at how isolation technology removes the risk for users from these specific attack vectors.
Why it’s a big deal?
Unlike many vulnerabilities, which are operating system, browser, or plugin specific, these vulnerabilities go across all major OSs in use today. The size and scope of the impact of Spectre and Meltdown correlates to their relative hype in the media.
The Menlo Security Isolation platform ensures that the user environment is fully protected. Both of the new attacks require running code on the target to trigger speculative execution, side effects of which can then be observed to read content the attacker would not normally be able to access.
Both Mozilla and Chrome are working on patches to resolve the issue as we speak, with patches expected in late January. Chrome has made recommendations on Chrome configuration to mitigate the issue in the meantime (Chrome Strict site isolation) and Firefox versions 57 and up have also implemented a quick fix reducing the ability of websites to gain access to the precise CPU timing details that would be required to execute an attack.For more information on Menlo Security’s Isolation Platform, please refer to the data sheets and solution briefs at https://www.menlosecurity.com/resources-data-sheets.