Spectre-protectors: If there's something strange in your CPU, who you gonna call?

Enhanced Spectre-protectors will soon come to the Chrome browser, as its desktop stable channel hit version 67.0.3396.62 and upgrades for Windows, Mac and Linux have started to flow. The Spectre mitigation comes in the form of enhanced site isolation, first introduced in Chrome 63, in which pages from different sites run in …

  1. AMBxx Silver badge
    Boffin

    Explain slowly please, I'm a software guy

    How can a browser have any impact upon Spectre when that's a CPU bug? Surely, if an application can reach that far down the stack there's a bigger security hole in the OS to worry about?

    Genuine question.

    1. phuzz Silver badge
      Meh

      Re: Explain slowly please, I'm a software guy

      I'm just guessing here, but I think that by splitting everything down to separate processes, it's much harder to use Spectre (or a similar flaw) to grab a particular piece of data (e.g. your bank password), because an attacker will have no idea which process to target (or which bit of memory it's living in).

      That's just my guess from reading some of their documentation, I'm probably wrong, but hopefully by being wrong on the internet I have invoked someone else to come and well actually me.

    2. Walter Bishop Silver badge
      Terminator

      Re: Explain slowly please, I'm a software guy

      @AMBxx: "How can a browser have any impact upon Spectre when that's a CPU bug?"

      I recall reading somewhere that, in order to implement cutting-edge features, Chrome is given low-level access to the OS. That's why Chrome needs such security mitigations:

      The Security Architecture of the Chromium Browser

      1. AMBxx Silver badge

        Re: Explain slowly please, I'm a software guy

        The Kernel the document refers to appears to be something called a 'Browser Kernel'. As far as I can see, that doesn't give the browser access to the levels beneath the OS.

  2. RyokuMas Silver badge

    Congratulations...

    ... but until the memory hogging and privacy issues are fixed, I'm sticking to Firefox.

    1. Anonymous Coward

      Re: Congratulations...

      Use a Chromium-based variant. One with Google's shit stripped out.

      1. Anonymous Coward

        Re: Congratulations...

        Don't even get me started.... I've tried tweaking the hell out of the UI, yet it is still using the forced scaling BS.. I should be able to specify font and window size!

        I would switch to Vivaldi, but I find using Chrome Remote Desktop far too convenient!

  3. Dr U Mour

    Chromium misbehaves

    Use //flags to switch off everything to do with Chromecast, and yet it still checks on ports 5353 and 1900 continuously.

  4. Down in the weeds
    Stop

    Cease and desist destroying English

    What an awful sentence construction: "The site isolation design document explains that the Spectre mitigation sandboxes site renderer processes." I had to re-read this three times to understand whether or not there was an absent verb following 'that'. Then it dawned on me: the author is employing the foul Merkin habit of reusing a noun as a verb, in this case 'sandbox'.

    Even the Merkin online www.dictionary.com provides this:

    "noun

    1.a box or receptacle for holding sand, especially one large enough for children to play in.

    2.Computers. an environment in which software developers or editors can create and test new content, separate from other content in the project (often used attributively): "

    Please, please, please can the Editors enforce a policy of 'English(UK)' only?

    1. John Brown (no body) Silver badge

      Re: Cease and desist destroying English

      "Please, please, please can the Editors enforce a policy of 'English(UK)' only?"

      Much as that would be appreciated, one should remember that not only are significant portions of the readership not native English(UK) speakers, but that many of the articles originate from exotic locales such as The Register office in San Francisco and the antipodean Vulture South office. Also, I believe they sacked the proof-reader some years ago in the interest of keeping up with the current best practice in technology circles whereby the users or customer is the beta and bug tester.

    2. TReko

      Re: Cease and desist destroying English

      Yes, that other great English mag, The Economist, has seriously relaxed its grammar recently, too.

      Still, that sentence is understandable, just hard to process.


Biting the hand that feeds IT © 1998–2019