At the start of 2018, details were first published of the theoretical Spectre attack, which exploits flaws in the design of modern CPUs to allow data to be stolen from memory. Now Google has published a working proof-of-concept.
The proof of concept released by Google’s security team runs on a current and fully patched version of Chrome – highlighting that Spectre cannot be mitigated by browser design or software alone.
Google’s security team has blogged about these initiatives. Security Managers should engage with their colleagues who develop web applications to ensure that the new cross-origin protections available are enabled – as they are off by default. This will not only help mitigate Spectre but also other cross-origin attacks such as Cross-Site Scripting and Cross-Site Request Forgery.
A new guide is being published on Post-Spectre Web Development and is available on GitHub from the Google Chrome Security Team.
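One way to check whether a web application has opted in to the cross-origin protections mentioned above is to audit its response headers. This is an added example, not code from Google or from the guide. The page does not name the headers, so the selection here (COOP, COEP, CORP, nosniff, framing controls) and the function names are assumptions of this example.

```javascript
// Added example: flag opt-in cross-origin protections a response has not enabled.
// Header selection and accepted values are this example's assumption.
const CHECKS = [
  { name: "cross-origin-opener-policy", ok: ["same-origin", "same-origin-allow-popups"] },
  { name: "cross-origin-embedder-policy", ok: ["require-corp", "credentialless"] },
  { name: "cross-origin-resource-policy", ok: ["same-origin", "same-site", "cross-origin"] },
  { name: "x-content-type-options", ok: ["nosniff"] },
];

// Header names are case-insensitive, so compare on lower-cased keys.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Keep only the directive, dropping parameters such as ;report-to="...".
const firstToken = (value) => value.split(";")[0].trim().toLowerCase();

// Framing is restricted by X-Frame-Options or by a CSP frame-ancestors
// directive that is not the allow-all wildcard.
function hasFramingControl(h) {
  const xfo = firstToken(h["x-frame-options"] || "");
  if (xfo === "deny" || xfo === "sameorigin") return true;
  const csp = (h["content-security-policy"] || "").toLowerCase();
  return csp.split(";").some((d) => {
    const t = d.trim().split(/\s+/);
    return t[0] === "frame-ancestors" && t.length > 1 && !t.includes("*");
  });
}

// Returns one finding per protection that is missing or set to a permissive value.
function auditCrossOriginHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  for (const { name, ok } of CHECKS) {
    if (!(name in h)) findings.push(`${name}: missing (browser default applies)`);
    else if (!ok.includes(firstToken(h[name]))) findings.push(`${name}: weak value "${h[name]}"`);
  }
  if (!hasFramingControl(h)) findings.push("framing: no X-Frame-Options or CSP frame-ancestors");
  return findings;
}

// Constructed sample responses: one with no opt-in headers, one hardened.
const defaultResponse = { "Content-Type": "text/html" };
const hardenedResponse = {
  "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"', "X-Content-Type-Options": "nosniff",
  "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Resource-Policy": "same-origin",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
};
```

Calling `auditCrossOriginHeaders` on the headers of each response type an application serves (documents, scripts, API responses) gives a list of what is still at the browser default.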