Originally posted by nanonyme
This was enough that I had to replace all browsers as soon as they had been rebuilt to mitigate Spectre, and thankfully I do not use any Intel boxes with branch prediction (vulnerable to Meltdown) online at all. Since Spectre is about using timing to export data, FF devs have modified FF to greatly reduce the resolution of any timing information exported by the browser. This both blocks the obvious ways to use JS on it with Spectre and probably (not sure if this is always through the new code) also weakens clock skew as a fingerprinting tool.
Another defense is always blocking a website from using JS (code run on your machine!) at initial load and never letting unknown or untrusted sites use it at all. A random porn site carrying keyloggers and trojans (haha...) can't get you if you don't allow it to run scripts and just treat it as broken when it doesn't load images or video as a result. A malicious ad with a ransomware payload probably won't be seen at all.
One advantage most Linux users will get is this: even the best of cross-platform exploits are usually used by cops and criminals alike to install Windows malware unless a known Linux user is individually targeted. For instance, the whole Freedom Hosting mess was the use by the FBI of a vulnerability in certain versions of Firefox to install FBI spyware on Tor users' computers if they visited certain .onion (Tor-only) sites on Freedom Hosting. I do not know if the server-side malware was only on the targeted kiddie porn sites or all sites on Freedom Hosting. Here's the kicker: the server-side code leveraged a cross-platform exploit, but the code it installed (the CIPAV) only ran on Windows! On top of all else, the installer also required JavaScript. Thus, the only vulnerable users were those who ran an obsolete version of Tor Browser on Windows and enabled JS on the offending site.
The FF vulnerability was a memory issue, so I suspect that use of Spectre or Meltdown by the FBI or even the NSA would also follow this model. Not a guarantee though, as if you are known to use Linux and are individually targeted they won't waste their time on Windows payloads. Fortunately for most readers here, the FBI is reluctant to deploy CIPAVs or other spyware against anyone considered a hacker, for fear it will be detected and captured rather than do its job. Once it gets decompiled and the resulting source published, they lose both the ability to hide it (virus scanner authors etc. will target it) and the ability to keep it from being re-used the way the NSA's EternalBlue exploit was re-used by ransomware creeps.
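As an added illustration of the timer-coarsening defense mentioned in the post above (this is not the poster's code and not Firefox's implementation; the 100 µs quantum and the cache hit/miss latencies are assumed values constructed for the demo), the block below shows why a JS Spectre gadget that needs to separate a cached read from an uncached one by timing loses that ability once the browser clamps its clock, and also why clamping alone is not the whole story:

```javascript
// Added illustration (not Firefox's code): collapsing timer resolution so a
// JS Spectre gadget cannot tell a cache hit from a cache miss in one shot.
// The quantum and the latencies below are assumptions constructed for the demo.

const RESOLUTION_US = 100; // assumed coarsened quantum, in microseconds

// Coarsen a raw timestamp (microseconds) down to the enclosing quantum boundary.
function clampTimestamp(rawUs, resolutionUs = RESOLUTION_US) {
  return Math.floor(rawUs / resolutionUs) * resolutionUs;
}

// Full-precision timer, i.e. what the attacker would like to have.
function rawTimer(rawUs) {
  return rawUs;
}

// Constructed latencies: a cache hit vs. a miss that goes to DRAM, in microseconds.
function accessLatencyUs(cached) {
  return cached ? 0.04 : 0.3;
}

// One Spectre-style probe: read the timer, touch memory, read the timer again,
// and return the delta as reported by `timerFn`.
function probeDelta(startUs, cached, timerFn) {
  const t0 = timerFn(startUs);
  const t1 = timerFn(startUs + accessLatencyUs(cached));
  return t1 - t0;
}

// Can a single measurement separate hit from miss with this timer?
function singleShotDistinguishable(timerFn, startUs = 12345.678) {
  return probeDelta(startUs, true, timerFn) !== probeDelta(startUs, false, timerFn);
}

// Caveat: clamping by itself still leaks statistically. If the attacker repeats
// the probe while its start time drifts across the quantum, the longer access
// crosses a quantum boundary more often (about latency/quantum of the time).
// Sweep evenly spaced start offsets over one quantum and count those crossings.
function boundaryCrossings(cached, trials = 10000) {
  let crossings = 0;
  for (let i = 0; i < trials; i++) {
    const startUs = (i * RESOLUTION_US) / trials; // sweep one full quantum
    if (probeDelta(startUs, cached, clampTimestamp) !== 0) crossings++;
  }
  return crossings;
}

console.log("raw timer distinguishes hit/miss:", singleShotDistinguishable(rawTimer));
console.log("clamped timer distinguishes hit/miss:", singleShotDistinguishable(clampTimestamp));
console.log("boundary crossings, hit vs miss:", boundaryCrossings(true), boundaryCrossings(false));
```

The residual statistical leak shown by `boundaryCrossings` is the reason browsers pair the coarser quantum with random jitter on the reported value, and why disabling JS for untrusted sites (as the post recommends) removes the attack surface more completely than any timer tweak.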