High Threat Security Alert (A18-01-04): Multiple Vulnerabilities in Browsers


 

Published on: 08 January 2018

  
  

Description:

Google Project Zero has published security reports on the speculative execution side-channel vulnerabilities on modern CPU microprocessors, named as Meltdown and Spectre. The vulnerabilities allow an unprivileged process reading data from the memory allocated for other programs, which was supposed to be isolated. To exploit the vulnerabilities, a remote attacker could entice a user to open a web page in a vulnerable browser with specially crafted content. Major browser vendors have published security advisories to address vulnerabilities.

Users are advised to take immediate action to patch the affected browsers to address the well-known Meltdown and Spectre CPU issues with elevated risks.

 

Affected Systems:

  • Firefox prior to version 57.0.4
  • Google Chrome
  • Microsoft Internet Explorer 9, 10, 11
  • Microsoft Edge

 

Impact:

Depending on the vulnerabilities exploited, a successful attack could lead to arbitrary code execution, elevation of privilege, or information disclosure.

 

Recommendation:

Major browser vendors have released patches or workarounds to address the issues. Details about the patches or workarounds are summarised as follows:

  • Mozilla Firefox 57.0.4
    Mozilla has released a new version of Firefox to address the issues and it can be downloaded at the following URL:
    https://www.mozilla.org/en-US/firefox/all

  • Google
    Google has not released an updated version. Google suggests to enable the Full Site Isolation by entering the following URL in Chrome browser:
    chrome://flags/#enable-site-per-process
    The browser is required to relaunch to make the changes effective.

  • Microsoft Internet Explorer 9, 10, 11 and Microsoft Edge
    Patches are available from the Windows Update / Microsoft Update Catalog. Details could be referred to the previous high threat security alert A18-01-03.

Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://support.google.com/faqs/answer/7622138#chrome
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://www.us-cert.gov/ncas/current-activity/2018/01/04/Mozilla-Releases-Security-Update
https://www.us-cert.gov/ncas/alerts/TA18-004A
https://www.hkcert.org/my_url/en/alert/18010401
https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance
https://meltdownattack.com/
https://spectreattack.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0766 (to CVE-2018-0770)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0772 (to CVE-2018-0778)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0803

 



Tag: Microsoft , Internet Explorer , Edge , Firefox , Chrome , Mozilla , Google , Meltdown , Spectre
Tags