Google reported that the Spectre and Meltdown vulnerabilities continue to affect devices with Intel processors, so the company is releasing additional security patches for Chrome OS.
Hackers can exploit the Meltdown and Spectre attacks to bypass memory isolation mechanisms and access sensitive data on the target.
Meltdown could let hackers read the physical memory of target computers and steal users’ credentials, personal information, etc. The attack exploits speculative execution to breach the isolation between user applications and the operating system, so that any application can access all system memory.
Spectre lets user-mode applications extract data from other processes running on the same system. The attack can also be used by code to extract information from the process it runs in. For instance, malicious JavaScript can be used to extract login cookies for other websites from the browser’s memory.
Spectre breaks the isolation between different applications, allowing data to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
The Meltdown attacks exploit the CVE-2017-5754 vulnerability, while the Spectre attacks exploit CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).
The security researchers claim that only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 requires a microcode update for the affected processors.
The Meltdown issue in Chrome OS was addressed in December, when Google released version 63, tens of days before the experts at Google Project Zero disclosed the flaws.
The company released the KPTI/KAISER patch to address the flaw in 70 Intel-based Chromebook models from various vendors, including Lenovo, Dell, Acer, HP, ASUS, and Samsung.
A few days ago, Google released Chrome OS 65, which also includes the KPTI mitigation against Meltdown for a number of Intel-based systems with version 3.14 of the kernel that had not been addressed before.
In addition, the company stated that all older Chromebooks with Intel processors should get the KPTI mitigation for Meltdown with Chrome OS 66, scheduled for release on April 24, 2018.
“The Stable channel has been updated to 65.0.3325.167 (Platform version: 10323.58.0/1) for most Chrome OS devices. This build contains a number of bug fixes and security updates,” the Google announcement states.
“Intel devices on 3.14 kernels received the KPTI mitigation against Meltdown with Chrome OS 65. All Intel devices received the Retpoline mitigation against Spectre variant 2 with Chrome OS 65.”
The Chrome OS 65 release also features the Retpoline mitigation for Spectre Variant 2 for all Intel-based devices.
The experts at Google pointed out that, for a Spectre Variant 1 attack, cybercriminals can abuse the eBPF feature in the Linux kernel; however, Chrome OS disables eBPF.
Currently, the Google team is working to cover all the Spectre issues. Chrome OS devices running on ARM-based systems cannot be affected by Meltdown.
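To confirm which of the mitigations named above are active on a Linux kernel that exposes the standard sysfs vulnerability files, a check along these lines can be used. This is an added example, not part of the original article or Google's code; the verdict labels and function names are illustrative, and the sample status strings are constructed.

```python
import os

# Standard Linux sysfs directory with one status file per CPU vulnerability.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file -> (CVE from the article, mitigation keyword the article names)
CHECKS = {
    "meltdown":   ("CVE-2017-5754", "pti"),        # KPTI/KAISER
    "spectre_v1": ("CVE-2017-5753", None),         # no specific one named
    "spectre_v2": ("CVE-2017-5715", "retpoline"),  # Retpoline
}

def classify(name, status):
    """Return (cve, verdict) for one sysfs status string (labels illustrative)."""
    cve, expected = CHECKS[name]
    s = status.strip().lower()
    if s.startswith("not affected"):
        return cve, "not-affected"
    # A line can mention retpoline and still begin with "Vulnerable:",
    # so the prefix decides, not the keyword.
    if s.startswith("vulnerable"):
        return cve, "vulnerable"
    if s.startswith("mitigation:"):
        if expected and expected not in s:
            return cve, "mitigated-other"  # mitigated, but not as the article describes
        return cve, "mitigated"
    return cve, "unknown"  # empty or unrecognised status

def read_status(sysfs_dir=SYSFS_DIR):
    """Read the raw status text; kernels without the files yield ''."""
    out = {}
    for name in CHECKS:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = ""
    return out

def report(statuses):
    return {name: classify(name, text) for name, text in statuses.items()}

# Constructed sample input, shaped like the kernel's status lines.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    for name, (cve, verdict) in report(read_status()).items():
        print(f"{name:11} {cve}  {verdict}")
```

An "unknown" verdict only means the kernel does not report a status for that issue, not that the device is patched.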