The Feasibility of Exploiting Web Apps using Meltdown or Spectre
At the beginning of 2018 a massive set of vulnerabilities at the processor (CPU) level was uncovered. These affect many common Intel processors, but some AMD and ARM architecture processors are also affected. The amount of hardware affected is immense. These were soon branded as the Meltdown and Spectre vulnerabilities by the security community and picked up by the media from there on.
The issue is so low-level that even web browsers, traditionally a secure sandboxed environment, are impacted. I've understood that the vulnerabilities abuse Speculative Execution, a technique for improving performance that takes calculated risks on what should be executed. These risks have been realised and the vulnerability can be used to read content from memory - but not execute any additional code.
However, if you do visit a web application that executes code that exploits a vulnerability, the attacker has access to any part of your memory. For web applications running in the browser this might not be as fatal as it sounds. As far as I understand, it is not trivial to come up with a universal exploit to gain reliable access to passwords and other sensitive data from the host running the browser. I might be wrong.
Compared to a popular web application like WordPress, I feel this is far more difficult to exploit. A web application’s scope is much more limited and attackers have higher-level access that allows them to make changes to the running system, or easily access data in the database and filesystem. Attackers are opportunistic and low-level attacks need resources not available to as many as app-level vulnerabilities.
If a major web property like Facebook or Google gets compromised or a universally useful exploit becomes available and widespread, we'll all be royally fscked. For now, developers should not panic, but swiftly apply updates as they become available and advise customers to do the same: keep your operating system and browser up to date and exercise caution when browsing and downloading content from the internet.
Please note that I am not a security expert, so this is a layman's view of what implications Meltdown and Spectre have for web applications and their developers. So keep that in mind and let me know in the Hacker News post comments if you see glaring omissions or false information that needs correction.
-- Jani Tarvainen, 03/01/2018