New Versions of Spectre Vulnerability Found

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under threat
13 July 2018

Information about new vulnerabilities in how processors operate has been published. The attacks build on the principles of Spectre and consist of recovering data that is left in the processor cache when instructions are executed speculatively. In response, Chrome is introducing strict site isolation.

How it works

Spectre 1.1
It is based on the same principles as Spectre 1. Unlike the previously identified vulnerability, the code is executed rather than read. This causes a buffer overflow, and the results are cached. The attack makes it possible to recover the contents of the cache and leak the information through side channels that analyze the difference in access time between cached and uncached data.

Spectre 1.2
The principle of operation is similar to the Spectre 1 scenarios, but it uses memory areas marked with the "read only" flag. With this, Spectre 1.2 only manages to determine the values of pointers and metadata in order to bypass the restrictions of sandbox environments.

Solution

The available methods for eliminating these vulnerabilities require further development and modernization. One of the many approaches involves adding LFENCE instructions, either during application compilation or at the hardware level. In addition, existing buffer overflow protection modes can also be an effective defense against the vulnerabilities.
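As an added illustration (not code from the article or from any vendor), the C sketch below shows where an LFENCE goes in a bounds-checked store, next to the unfenced form. The second hardened variant, a branch-free index mask, goes beyond the LFENCE approach the article names; all function names, the buffer and its size are constructed for the example, and GCC or Clang inline assembly is assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* LFENCE on x86. Elsewhere this is only a compiler barrier, NOT a
 * speculation barrier (assumption: a port would use the CPU's own one). */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define BUF_LEN 16
static uint8_t buf[BUF_LEN];   /* constructed sample buffer */

/* Before: correct architecturally, but on a mispredicted branch the store
 * can run speculatively with idx >= BUF_LEN (the Spectre 1.1 pattern). */
int store_unfenced(size_t idx, uint8_t val)
{
    if (idx >= BUF_LEN) return -1;
    buf[idx] = val;
    return 0;
}

/* After, option 1: LFENCE between the bounds check and the store, so the
 * store does not execute until the comparison has actually resolved. */
int store_fenced(size_t idx, uint8_t val)
{
    if (idx >= BUF_LEN) return -1;
    SPEC_BARRIER();
    buf[idx] = val;
    return 0;
}

/* All ones when idx < size, zero otherwise, computed without a branch.
 * Requires size <= SIZE_MAX/2 and arithmetic right shift (GCC, Clang). */
static size_t index_mask(size_t idx, size_t size)
{
    __asm__ __volatile__("" : "+r"(idx));   /* stop the compiler folding it */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* After, option 2: clamp the index with the mask, so even a speculative
 * store on the wrong path lands on buf[0] instead of outside the buffer. */
int store_masked(size_t idx, uint8_t val)
{
    if (idx >= BUF_LEN) return -1;
    buf[idx & index_mask(idx, BUF_LEN)] = val;
    return 0;
}
```

The fence costs a pipeline stall on every call, while the mask only adds a few arithmetic instructions, which is why masking is usually preferred on hot paths.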

Browsers

Chrome / Chromium, Edge, Safari and other browsers based on WebKit and Blink are under threat. The attack is based on opening a page with specially crafted JavaScript code, which makes the JIT compiler generate the set of instructions the attacker needs. Executing this code makes it possible to read the contents of the process address space and obtain information about stored keys and passwords.

In this regard, Google is introducing strict site isolation for 99% of Chrome 67 users. The mechanism places pages from different sites in the memory of different processes, each with its own sandboxed execution environment. Enabling strict isolation mode will increase the browser's memory consumption by 10-13%.

Frontend News Digest 5 - 11.10

Three dots in JavaScript, when to use Map instead of a plain JS object, how to make your first React Native app, and much more
11 October 2019

Greetings! I hope your week went great! Here's the new Frontend news digest.

One of the greatest things in this digest for newbies is a guide on how to create your first React Native app. Others may learn about the latest NestJS Addons: In-Memory DB update, three dots in JavaScript, and an interview with an "adult" website dev.

Guides

  • Clipping, Clipping, and More Clipping! 

Guide on how to use the CSS clip-path property to create interesting effects.

  • Trying to Make Sense of Gmail CSS Support

A highly specialized guide, but a valuable one for some specialists.

  • The tale of three dots in Javascript

A tutorial about the usage of "three consecutive dots" in JS.

  • When to Use Map instead of Plain JavaScript Object

Everything should be understandable from the heading, I believe.

  • How to make your first React Native app

You will learn how to create a new mobile app using React Native Starter.

Articles

  • ASPIRE: Ideals to Aspire to When Building Websites

A skilled developer makes the case that sites should aspire to be Accessible, Secure, Performant, Inclusive, Responsive and Ethical.

  • Interview with Pornhub Team developer

An interesting interview with a guy who works for one of the most popular "adult" websites.

  • Verify Phone Numbers On The Web with The SMS Receiver API

A preview of the in-development SMS Receiver API.

Updates

  • Node Code Formatter

Automatically formats your code with your preferred code formatter

  • NestJS Addons: In-Memory DB

New version with built-in entity CRUD Controllers, whatever they are