Kernel memory leaking Intel processor design flaw


  1. Posts : 27,183
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #100

    Edwin said:
    Remember to add an extra layer of security to your browsers as well.



    Firefox, apparently, addressed the issue yesterday with the 57.0.4 patch, but,
    in Chrome, it would be prudent to enable Strict Site Isolation!

    Thanks for the heads up @Edwin, I just did it now.

    For others wanting to do it:
    1. On your computer, open Chrome.
    2. In the address bar at the top, enter chrome://flags/#enable-site-per-process and press Enter.
    3. Next to "Strict site isolation," click Enable.
    4. Click Relaunch now.
    Increase security with site isolation - Google Chrome Help


  2. Posts : 2,667
    Windows 11 21H2 (22000.593)
       #101

    Josey Wales said:
    There’s no evidence that bad actors have yet exploited the bugs, but companies from Microsoft to Mozilla said this week they have worked to patch up vulnerabilities to their operating systems and browsers to protect against one of the bugs. Researchers say the other is harder to fix and “will haunt us for quite some time.”
    Here’s a look at what’s affected, what’s being done about it and whether you should worry.
    ___
    INTEL INSIDE

    Intel is at the center of the problem because it supplies the processors used in many of the world’s PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor it’s made since the mid-1990s.

    While security flaws are typically limited to a specific company or product, Intel says the problem is “not a bug or a flaw in Intel products” but rather a broader problem affecting processing techniques common to modern computing platforms.
    Both the chipmaker and Google, which informed Intel about the vulnerability in June, said they were planning to disclose the issue next week when fixes will be available. Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn’t have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem Wednesday after British technology site The Register reported it, causing Intel’s stock to fall.
    Most of the immediate fixes will be limited to the Meltdown bug. The other, Spectre, is harder to fix, but also harder to exploit, making it less of an immediate threat to consumer devices.

    Source AP and Intel
    Which basically screams that part of the problem underlying this bug is hyperthreading.

    fdegrove said:
    Hi,



    Drivers for chipsets and MEI are not what these security issues are about. It's the firmware that is.
    A microcode update is not a BIOS/UEFI update; it's a CPU update.

    Cheers,
    ^^^^this

    Cliff S said:
    Thanks for the heads up @Edwin, I just did it now.

    For others wanting to do it:
    Increase security with site isolation - Google Chrome Help
    Be advised that this can cause issues in other ways - it is basically a browser-level implementation of Cross-Site scripting blocking, similar to what the venerable Firefox Addon NoScript does, but with brute-force.

    You can also enable it on a per-site basis, or, alternately, enable it for the browser and disable it for particular sites, but you'll have to play around and see how it affects you.

    Also, from Site Isolation - The Chromium Projects

    Known Issues
    Support for Site Isolation is still in progress, and there are a set of known issues when turning it on in its current form. The current known issues described below affect the sites that are isolated, which may include all sites or just certain sites (as explained in "How to Configure" below). Some users or enterprises may find the security benefits worth the current tradeoff.

    For users:

    Higher memory use (about 10-20% when isolating all sites with many tabs open).
    This overhead can be greatly reduced by only isolating certain sites, as noted below.

    When printing a page, cross-site iframes appear blank.
    To print the complete web page content, save the page locally, then open and print the saved file.

    In some cases, clicking or scrolling on cross-site iframes may not work properly.
    For example, this can happen when there is a partly transparent overlay above an iframe.

    When using the "Isolating certain sites" approach below, some login popups (i.e., certain OAuth cases) may encounter problems.
    (This is fixed in the upcoming Chrome 63.0.3239.132 version, and does not affect the "Isolating all sites" approach.)

    For web developers:

    Chrome's Developer Tools do not yet fully support cross-site iframes.
    For example:
    Network requests from cross-site iframes are not displayed in DevTools. (This is fixed in Chrome 64.)
    Cookies are not displayed for cross-site subresource requests.

    The window.performance API is not yet supported in cross-site iframes.

    Website testing frameworks such as ChromeDriver don't yet support cross-site iframes.

    We are working to resolve these issues so that Site Isolation can be enabled more broadly.
    Also, they suggest the following:

    Disabling
    If you encounter problems when Site Isolation is enabled, you can try turning it off by undoing the steps above, to see if the problem goes away.

    Note that some issues may be resolved by turning off just the document blocking feature, which leaves some of the protections from process isolation in place. To try this, start Chrome with the following command line flag:
    --disable-features=CrossSiteDocumentBlockingIfIsolating

    We encourage you to file bugs if you do encounter problems when using Site Isolation by visiting https://new.crbug.com, describing the problem, and mentioning that you are using Site Isolation.


  3. Posts : 2,667
    Windows 11 21H2 (22000.593)
       #102

    Well, this is interesting:

    Google develops protection against Spectre attack that has hardly any impact on performance - Myce.com

    Google has developed a method called ‘Retpoline’ that should protect computers against the Spectre attack and similar ‘branch target injection’ attacks. Despite earlier reports that fixes for the issue would have a negative impact on performance, Google claims its solution hardly slows down systems.
    With Google’s Retpoline method some instructions are isolated from the CPUs branch prediction feature. That should prevent the Spectre attack and similar attacks. The search giant has deployed the Retpoline code on its own system and states it has hardly any impact on performance.
    Visiting the link above there is a link to the actual Google Help page post about 'Retpoline': Retpoline: a software construct for preventing branch-target-injection - Google Help

    Executive Summary

    “Retpoline” sequences are a software construct which allow indirect branches to be isolated from speculative execution. This may be applied to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches.
    And it seems that Google Engineers are not without humor:

    The name “retpoline” is a portmanteau of “return” and “trampoline.” It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will “bounce” endlessly.

    (If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.)
    Then, there is this paragraph, which affirms that this is a newly discovered exploit:

    The strategies used to make this prediction vary between hardware implementations, they are commonly not isolated between security domains to reduce complexity and improve performance. While this has been previously exploited by probing the state of these predictors to infer the layout of another domain, there were not previously known observable data side-effects.
    And, finally, there is this little tidbit that basically confirms why there is no microcode solution to this problem:

    Unfortunately, it is not practical or reasonable to avoid indirect branches in the construction of this software. This means that we need an efficient method of constructing an indirect branch that is not subject to external manipulation in its retirement.
    If you think about it, that not only clearly says that the problem lies in the software, but also bolsters Intel's claims that this is not an Intel-only problem. What this says to me is that "Look, the issue that can be exploited is able to be exploited because of the way that the software is written to make use of the hardware's capabilities." And while this may very well be true, it is also going to be one of the focal points for any lawsuits that anyone tries to bring against Intel / all chip manufacturers - it's not the hardware's fault that the software was written in a way that such an exploit was created.
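The construct described in the Google summary quoted above, sketched as an added example (not part of the original post and not Google's or any compiler's own code): an indirect call routed through a return-based thunk, so the return predictor's guess lands in a harmless loop while the real target is reached architecturally. It assumes x86-64 with a GNU-style assembler on an ELF platform (a plain indirect call is used elsewhere); the names `demo_retpoline_r11`, `call_via_retpoline` and `dispatch`, and the use of `%r11`, are choices made for this illustration.

```c
/* Added illustration of a retpoline-style thunk; all names are hypothetical. */
#include <stdio.h>

typedef long (*handler_t)(long);

/* Performs fn(arg); on x86-64/ELF the indirect branch goes through the thunk. */
long call_via_retpoline(handler_t fn, long arg);

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".pushsection .text\n"
    "demo_retpoline_r11:\n"          /* branch target is expected in %r11      */
    "    call 2f\n"                  /* pushes the address of label 1          */
    "1:  pause\n"                    /* the return predictor speculates here   */
    "    lfence\n"
    "    jmp 1b\n"                   /* and keeps bouncing in this loop        */
    "2:  mov %r11, (%rsp)\n"         /* replace return address with the target */
    "    ret\n"                      /* architecturally branches to *%r11      */
    ".globl call_via_retpoline\n"
    ".type call_via_retpoline, @function\n"
    "call_via_retpoline:\n"
    "    mov %rdi, %r11\n"           /* argument 1: the function pointer       */
    "    mov %rsi, %rdi\n"           /* argument 2 becomes the callee's arg 1  */
    "    jmp demo_retpoline_r11\n"   /* tail call: callee returns to our caller */
    ".popsection\n"
);
#else
/* Fallback for other targets: an ordinary, unprotected indirect call. */
long call_via_retpoline(handler_t fn, long arg) { return fn(arg); }
#endif

static long twice(long x)  { return 2 * x; }
static long negate(long x) { return -x; }
static handler_t const table[] = { twice, negate };

/* Bounds-checked dispatch whose indirect branch goes through the thunk. */
long dispatch(unsigned idx, long arg) {
    if (idx >= sizeof table / sizeof table[0]) return 0;
    return call_via_retpoline(table[idx], arg);
}

int main(void) {
    printf("%ld %ld\n", dispatch(0, 21), dispatch(1, 7));
    return 0;
}
```
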


  4. Posts : 369
    Windows 10 x64 Pro 22H2
       #103

    I only see a mess in this... no one clearly knows what is going on, that's for sure. They were quick to give names, speculation and even trying to make people sue hardware vendors...

    This looks so fishy still...


  5. Posts : 2,445
    Windows 10 Pro 64-Bit (1809)
       #104

    Cliff S said:
    Thanks for the heads up @Edwin, I just did it now.

    For others wanting to do it:
    Increase security with site isolation - Google Chrome Help
    Cheers Cliff


  6. Posts : 2,832
    Windows 10 Pro X64
       #105

    Hi,

    And while this may very well be true, it is also going to be one of the focal points for any lawsuits that anyone tries to bring against Intel / all chip manufacturers - it's not the hardware's fault that the software was written in a way that such an exploit was created.
    Hmmm... It's a bit of a chicken/egg thing, isn't it ? CPU is offering the option, software coders using it. Who's to blame who ?
    Thing is, if it were to be so easy to exploit would it then not have been exploited a long, long time ago ?

    Google's Retpoline sounds like a medicine to me. Quite funny naming.

    Cheers,


  7. Posts : 2,667
    Windows 11 21H2 (22000.593)
       #106

    FerchogtX said:
    I only see a mess in this... no one clearly knows what is going on, that's for sure. They were quick to give names, speculation and even trying to make people sue hardware vendors...

    This looks so fishy still...
    Quick? They started exploring the possibility of an exploit over a year and a half ago. It was revealed to Intel back in June - 7 months ago.

    I don't see anything quick here. Except the modern 'media' hype.
    fdegrove said:
    Hi,



    Hmmm... It's a bit of a chicken/egg thing, isn't it ? CPU is offering the option, software coders using it. Who's to blame who ?
    Thing is, if it were to be so easy to exploit would it then not have been exploited a long, long time ago ?

    Google's Retpoline sounds like a medicine to me. Quite funny naming.

    Cheers,
    Not necessarily. Google's coding fix shows how figure could easily have been coded from the beginning to avoid the exploit. But in the interest of performance, software was coded to not clear the fill in the ghost thread, which is why this exploit exists.


  8. Posts : 2,832
    Windows 10 Pro X64
       #107

    Hi,

    But in the interest of performance, software was coded to not clear the fill in the ghost thread, which is why this exploit exists
    I'm aware of that John (if I may call you so). But let's not forget it's a speculative exploit and that kind needs computing power to "guess" correctly.
    Still, I agree that this should be fixed. And... if it can be done without impacting performance too much then I'm all for it for sure.

    Best,


  9. Posts : 983
    Windows 7/64 Professional
       #108

    I have been watching a lot of videos on this new problem and I'm not particularly worried. The companies that will be hit the most will be Intel and Microsoft for one good reason. They own the market share and have for a long time. Those two companies have more operating systems and CPUs out in the world than the rest put together.
    Looking at the stock market tells a story. AMD stock went way up.
    I do wonder you release the problem to the News before the updates were available.

    I won't be changing to another brand CPU. I have complete trust that Intel will solve the problem as soon as possible, with the loss of speed as low as possible. If I lose 5 % no big deal; my systems will still be super fast. If need be I will just overclock them a bit more.
    As you all can tell, I'm an Intel fan person. I have used Intel for a lot of years but I started off being an AMD person.
    When I learned more I moved to Intel because of an Intel Dealer here in town. I tried Intel for CPUs and SSDs and I will stick with them.

    I believe this Flash News about this problem is way overhyped. Saying that I do want the problem fixed as smoothly as possible, now that all the hackers in the world know where to point their hacks.

    We will just get in about a week or so of a new security problem and the fix, just like we have been getting for as long as I can remember.
    The hackers are always trying new ways of screwing things up. That is what they get paid for.
    When we get security patches in Windows you will notice Microsoft never states exactly how the security problem is fixed.
    They really don't want the bad guys to know any more information.

    Just my thoughts.

    Jack


  10. Posts : 3,453
       #109

    Layback Bear said:
    I have been watching a lot of videos on this new problem and I'm not particularly worried. The companies that will be hit the most will be Intel and Microsoft for one good reason. They own the market share and have for a long time. Those two companies have more operating systems and CPUs out in the world than the rest put together.
    Looking at the stock market tells a story. AMD stock went way up.
    I do wonder you release the problem to the News before the updates were available.

    I won't be changing to another brand CPU. I have complete trust that Intel will solve the problem as soon as possible, with the loss of speed as low as possible. If I lose 5 % no big deal; my systems will still be super fast. If need be I will just overclock them a bit more.
    As you all can tell, I'm an Intel fan person. I have used Intel for a lot of years but I started off being an AMD person.
    When I learned more I moved to Intel because of an Intel Dealer here in town. I tried Intel for CPUs and SSDs and I will stick with them.

    I believe this Flash News about this problem is way overhyped. Saying that I do want the problem fixed as smoothly as possible, now that all the hackers in the world know where to point their hacks.

    We will just get in about a week or so of a new security problem and the fix, just like we have been getting for as long as I can remember.
    The hackers are always trying new ways of screwing things up. That is what they get paid for.
    When we get security patches in Windows you will notice Microsoft never states exactly how the security problem is fixed.
    They really don't want the bad guys to know any more information.

    Just my thoughts.

    Jack
    I agree, Intel is good... however, I think, they have been cutting corners to get the performance and now the vulnerabilities are surfacing...


 
