New Versions of Spectre Vulnerability Found

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under threat
13 July 2018

Information about new vulnerabilities in how processors operate has been published. The attacks build on the principles of Spectre and consist in recovering data that lands in the processor cache during speculative execution of instructions. Chrome is introducing strict site isolation.

How it works

Spectre 1.1
It is based on the principles of Spectre 1. Unlike the previously identified vulnerability, the attack relies on speculatively executed writes rather than reads. This causes a speculative buffer overflow, and the results end up in the cache. This attack method makes it possible to recover the cache contents through side channels that analyze access times to cached and non-cached data.

Spectre 1.2
The principle of operation is similar to Spectre 1 scenarios, but memory areas marked with the "read only" flag are used. Spectre 1.2 is limited to determining the values of pointers and metadata in order to bypass the restrictions of sandbox environments.

Solution

The available methods for eliminating the vulnerabilities require further development and refinement. One of the many approaches involves adding LFENCE instructions during application compilation or at the hardware level. In addition, existing buffer overflow protection modes can also be an effective defense against the vulnerabilities.
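The check-then-store pattern that Spectre 1.1 targets, next to two hardened forms, as an added example (not code from the original article): an LFENCE between the bounds check and the store, and branchless index masking, a technique the article does not mention. `BUF_LEN` and all function names are assumptions, and GCC or Clang inline assembly is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BUF_LEN 16 /* constructed buffer size for this example */

/* LFENCE on x86: later instructions wait until the bounds check has resolved.
   On other targets this falls back to a compiler-only barrier (assumption). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Pattern Spectre 1.1 targets: with a mispredicted branch the store can
   run speculatively with idx >= BUF_LEN (a speculative buffer overflow). */
int store_unfenced(uint8_t *buf, size_t idx, uint8_t val) {
    if (idx >= BUF_LEN) return -1;
    buf[idx] = val;
    return 0;
}

/* Hardened: the fence sits between the bounds check and the store. */
int store_fenced(uint8_t *buf, size_t idx, uint8_t val) {
    if (idx >= BUF_LEN) return -1;
    speculation_barrier();
    buf[idx] = val;
    return 0;
}

/* All ones when idx < len, zero otherwise, computed without a branch.
   Relies on arithmetic right shift of signed values (GCC and Clang). */
size_t index_mask(size_t idx, size_t len) {
    intptr_t oob = (intptr_t)(idx | (len - 1 - idx));
    return ~(size_t)(oob >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Hardened without a fence: an out-of-range idx is clamped to 0 even on the
   speculative path. The empty asm hides idx so the mask is not folded away. */
int store_masked(uint8_t *buf, size_t idx, uint8_t val) {
    if (idx >= BUF_LEN) return -1;
    __asm__ volatile("" : "+r"(idx));
    buf[idx & index_mask(idx, BUF_LEN)] = val;
    return 0;
}
```

All three functions behave identically at the architectural level; the hardened forms differ only in what the processor may do speculatively before the bounds check resolves.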

Browsers

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under threat. The attack is based on opening a page with specially crafted JavaScript code, from which the JIT compiler generates the set of instructions the attacker needs. Executing this code allows the attacker to read the contents of the process address space and obtain information about stored keys and passwords.

In this regard, Google is introducing strict site isolation for 99% of users of Chrome 67. The mechanism places pages of different sites in the memory of different processes, each using its own sandboxed execution environment. The introduction of the strict isolation mode will increase the browser's memory consumption by 10-13%.

What's new in IntelliJ IDEA 2018.2?

New version of the popular IDE improves Spring and Spring Boot support
18 July 2018

Version 2018.2 of the IntelliJ IDEA IDE from JetBrains introduces several features for developers using the Spring and Spring Boot frameworks. Among the innovations: support for Spring Integration, runtime diagrams, library bean management and many minor fixes and improvements.

New features of IntelliJ IDEA

Now you can visualize the components in the system using the new Spring Integration diagram. All versions above 5.0 are supported.

Spring Integration Diagram

It shows all the gateways, channels and bridges of the application, regardless of whether they are configured using Java annotations or XML.

The IDE also received code completion and navigation for such integration annotations as @BridgeTo/From and @EnablePublisher:

Integration Annotations

In the new version of IntelliJ IDEA, you can view the dependencies during the execution of the Spring Boot application as a diagram through the control panel. To do this, go to the "Endpoints" section and enable the "Diagram Mode" function:

Runtime Dependencies

If there are too many beans in the project, the non-user beans can be hidden using the new "Show / Hide Library Beans" switch:

Show / Hide library beans

In addition, in 2018.2, you can start, modify, and test the display of HTTP requests in the "Endpoints" tab:

HTTP request

A complete list of improvements and changes is available in the technical update document. According to the developers, a lot of work has been done to improve performance in large projects.