Google: Chrome now protects you from Spectre password-stealing attacks

Chrome 67 for Mac, Windows has just added extra defenses against Spectre-style data-stealing attacks.






Google says a new security feature in Chrome should make it harder for malicious websites to use a Spectre-style attack to steal data or passwords from other sites open as tabs in the same browser.

The company has now enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS in Chrome 67, the latest version of its browser.

"This means even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker," said Google software engineer Charlie Reis.

"This significantly reduces the threat posed by Spectre."

The Spectre attacks, which were made public in January, effectively allow malicious code to read any memory in a process's address space.

This flaw matters more for browsers because they run JavaScript code from multiple websites, often in the same process, which could allow a website to use such an attack to steal information from other websites.

Google said Site Isolation is a large change to Chrome's architecture, limiting each renderer process to documents from a single site. This means all navigations to cross-site documents cause a tab to switch processes.

Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes," Reis said.

However, because Site Isolation does cause Chrome to create more renderer processes this means there is a performance impact -- about a 10 to 13 percent total memory overhead in real workloads due to the larger number of processes.

Google said Site Isolation has been enabled for 99 percent of users on Windows, Mac, Linux, and Chrome OS in Chrome 67. It has held back one percent to monitor performance.

Comments are closed.

%d bloggers like this: