James Steidl - Fotolia

WebAssembly updates may cancel out Meltdown and Spectre fixes

News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more.

Impending WebAssembly updates may render mitigations for the Meltdown and Spectre vulnerabilities ineffective.

According to John Bergbom, Forcepoint Security Labs' senior security researcher, once the WebAssembly updates go through the mitigations for Meltdown and Spectre that were put in place by web browsers will no longer work.

The WebAssembly, or Wasm, standard was released in March 2017 and is a compact binary language meant to improve the speed of delivery and performance of JavaScript code. Currently, all major browsers -- including Chrome, Edge, Firefox and Safari -- support WebAssembly. One of the benefits of WebAssembly is that programs written in languages such as C and C++ can be compiled into it and run inside the browser.

An unintended consequence of WebAssembly is that there are some potential abuses of the standard. One of these, according to Forcepoint, is the exploitation of hardware bugs, including the CPU vulnerabilities Meltdown and Spectre, which were discovered in January 2018.

"This family of CPU vulnerabilities was mitigated in browsers by lowering the precision of timers in JavaScript," Bergbom explained in a blog post. "However, once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap) very accurate timers can be created. That may render browser mitigations of certain CPU side channel attacks non-working."

Meltdown and Spectre have been wreaking havoc on processors from Intel, AMD and ARM since early this year. Both exploit vulnerabilities in CPUs to steal sensitive data stored in memory. After these vulnerabilities were disclosed, most major vendors released patches.

Researchers previously proved that attackers could exploit Meltdown and Spectre remotely using JavaScript code that runs in browsers. In response, the major browsers released updates that affected the accuracy of the attack codes. The WebAssembly updates will effectively negate those browser mitigations.

"Like with many new technologies there are potential security issues which need to be considered," Bergbom wrote. "Collectively, these present new opportunities for malicious actors. Much as with JavaScript, the possibilities with [WebAssembly] are -- if not quite endless -- very broad."

In other news

  • U.S. cybersecurity company FireEye has denied claims that it hacked a Chinese nation-state cyberespionage group. The claims about FireEye spread over social media last week after a book by The New York Times national security journalist, David Sanger, was published. In the book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, Sanger said that FireEye's 2013 report "APT1, Exposing One of China's Cyber Espionage Units" was so detailed about the activities of Chinese hackers because FireEye, then Mandiant, obtained the information through hacking back -- which is illegal in the U.S. FireEye has since released a statement denying any hacking back efforts. "Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts," FireEye wrote. "To state this unequivocally, Mandiant did not employ 'hack back' techniques as part of our investigation of APT1, does not 'hack back' in our incident response practice, and does not endorse the practice of 'hacking back.'"
  • Reality Winner, the former National Security Agency contractor who admitted to leaking classified information as part of a plea deal this week, was previously a linguist with the Air Force and, while working as an NSA contractor, shared a classified report about alleged Russian interference in the 2016 U.S. election with the news outlet The Intercept. Winner, now 26 years old, was arrested in June 2017 and has been in jail since. The plea agreement she reached with federal prosecutors will give her 63 months in prison in exchange for her pleading guilty to one felony count under the Espionage Act. "All of my actions I did willfully, meaning I did so of my own free will," Winner said in court this week, according to The New York Times. After Winner sent the classified documents to The Intercept, the news outlet published the report, which described two cyberattacks by the Russian government on U.S. elections.
  • Sophos SafeGuard security software is vulnerable to seven privilege escalation flaws. SafeGuard Enterprise Client, SafeGuard Easy and SafeGuard LAN Crypt client are all vulnerable to a flaw disclosed by security researcher Kyriakos Economou from Nettitude, a cybersecurity company headquartered in New York City. "Exploitation of those vulnerabilities requires running malicious code on the target machine and can result in privilege escalation," the alert from Sophos said, noting that the vulnerability is at least not remotely exploitable. Some of the flaw could also enable an attacker to create an input/output control and modify token privileges. Then the attacker could run commands with system privileges on any computer running Windows and Sophos SafeGuard. Economou first discovered the vulnerabilities in December 2017, notified Sophos in January 2018, and the fix was complete in April.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing