The Feasibility of Exploiting Web Apps using Meltdown or Spectre

In the beginning of 2018 a massive set of vulnerabilities at the processor (CPU) level was disclosed. They affect many common Intel processors, but some AMD and ARM architecture processors are affected as well, so the amount of hardware involved is immense. The issues were soon branded Meltdown and Spectre by the security community and picked up by the media from there on.

The issue is so low level that even web browsers, traditionally a securely sandboxed environment, are impacted. I've understood that the vulnerabilities abuse speculative execution, a performance technique where the CPU executes instructions before it knows whether they are actually needed, betting that it usually guesses right. The results of a wrong guess are discarded, but they leave traces in the CPU cache, and by timing memory accesses an attacker can recover what data was touched. That risk has now been realised: the vulnerabilities can be used to read content from memory, but not to execute any additional code.

First of all, the whole issue is very real and there can be significant implications and security breaches as a result. Whether it is critical to developers creating mainstream web applications, and how likely it is to be exploited in that setting, is another matter. It has been shown that JavaScript, the language that powers applications running in browsers, can be used to read data from the browser process's memory that the script should never be able to see, for example data belonging to other sites loaded in the same process.

This is something unheard of for web developers, and something they are not accustomed to handling. Staple security practices such as input validation do not apply, because the vulnerability lets JavaScript code read past the browser's isolation boundaries without ever going through the application's own checks. Note that to exploit your browser the attacker first needs to get their code to run in it, for example by luring you to a page that serves it; that is undesirable regardless of whether your CPU is affected or not.

However, if you do visit a page that runs code exploiting one of these vulnerabilities, the attacker can read memory belonging to your browser process, not just the page's own data. For web applications running in the browser this might not be as fatal as it sounds. As far as I understand it is not trivial to come up with a universal exploit that gains reliable access to passwords and other sensitive data from the host running the browser. The reads are slow, noisy timing measurements, and browser vendors have responded by reducing timer precision and disabling SharedArrayBuffer to make them harder still. I might be wrong.

Compared to a popular web application like WordPress, I feel this is far more difficult to exploit. A vulnerability in the application itself has a narrower scope but gives attackers higher-level access: they can make changes to the running system, or easily read data from the database and filesystem. Attackers are opportunistic, and low-level attacks like these require skills and resources that far fewer attackers have than application-level vulnerabilities do.

So while the CPU level vulnerabilities are significant, for web developers the risk is simply not as relevant as application, framework or library level issues. Obviously, for your server side code executed in a shared environment (JavaScript, Java, PHP or whatever), you will want to verify that the environment has been updated with a fix, meaning the host's kernel, hypervisor and CPU microcode, not just your own stack. Work here is already done (or being done) by the significant hosting providers.
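One concrete way to do that verification on Linux, added here as an example and not part of the original post: kernels that carry the mitigations (4.15 and the distribution backports) report their status, one file per issue, under /sys/devices/system/cpu/vulnerabilities/, with contents such as "Not affected", "Mitigation: PTI" or "Vulnerable". The script below reads those files and fails if any of them still says "Vulnerable". The function name report_cpu_vulns and the CPU_VULNS_RUN variable are my own; the directory argument exists so the check can be run against a constructed copy of that directory as well as the live system.

```shell
#!/bin/sh
# Added example: report the Linux kernel's self-reported Meltdown/Spectre
# mitigation status. Not from the original post.
#
# report_cpu_vulns [DIR]
#   DIR defaults to the real sysfs directory. Prints one line per issue and
#   returns 0 if every issue is mitigated or not affected, 1 if any file
#   still reports "Vulnerable", 2 if nothing can be read (kernel predates
#   the reporting interface, so assume it is unpatched).
report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates mitigation reporting, assume unpatched" >&2
        return 2
    fi
    rc=0
    seen=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "FAIL  $name: $status"; rc=1 ;;
            *)           echo "ok    $name: $status" ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "no status files in $dir, assume unpatched" >&2
        return 2
    fi
    return $rc
}

# Run against the live system only when explicitly asked, so the file can
# also be sourced (hypothetical variable name, my own convention):
#   CPU_VULNS_RUN=1 sh check-cpu-vulns.sh
if [ "${CPU_VULNS_RUN:-0}" = 1 ]; then
    report_cpu_vulns
fi
```

Run it on each host (or inside each container, which shares the host kernel) after patching; a non-zero exit from `report_cpu_vulns` means the kernel itself still considers the machine exposed, whatever your application stack says. The status strings are whatever the running kernel writes, so treat the exact wording as informational and only the "Vulnerable" prefix as the failure condition.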

If a major web property like Facebook or Google gets compromised, or a universally useful exploit becomes available and widespread, we'll all be royally fscked. For now developers should not panic, but should swiftly apply updates as they become available and advise customers to do the same: keep your operating system and browser up to date and exercise caution when browsing and downloading content from the internet.

Please note that I am not a security expert, so this is a layman's view of what implications Meltdown and Spectre have for web applications and their developers. Keep that in mind, and let me know in the Hacker News comments if you see glaring omissions or false information that needs correction.

-- Jani Tarvainen, 03/01/2018