After the discovery of the Meltdown and Spectre processor flaws, Microsoft Edge and Internet Explorer 11 will act a little differently, even if it’s not obvious to users. As part of Microsoft’s response to the CPU vulnerabilities that have put much of the IT industry on edge, the software maker is changing how its web browsers process web applications and sites.
On vulnerable systems, Meltdown and Spectre increase the risk of side-channel attacks triggered by malicious web content, potentially allowing attackers to access private information outside the scope of a given website. One way that Microsoft is mitigating this risk is by removing support for the SharedArrayBuffer JavaScript optimization that was introduced in the Windows 10 Fall Creators Update. SharedArrayBuffer may return after the company is confident that it can’t be used to stage an attack, according to Microsoft Principal Lead Program Manager John Hazen.
Another step the company took involved “reducing the resolution of performance.now() in Microsoft Edge and Internet Explorer from 5 microseconds to 20 microseconds, with variable jitter of up to an additional 20 microseconds,” wrote Hazen in a blog post. As its name suggests, the performance.now() method is used to gauge the responsiveness in web applications by precisely measuring time intervals, a requirement of a successful Meltdown and Spectre attack.
“These two changes substantially increase the difficulty of successfully inferring the content of the CPU cache from a browser process,” concluded Hazen.
Other browser vendors are also working to eliminate the threat posed by Meltdown and Spectre.
Chrome 64, due on Jan. 23, will “contain mitigations to protect against exploitation,” stated Google in an advisory related to the CPU bugs. In the interim, users can enable the browser’s Site Isolation feature, which isolates websites into separate address spaces. The downside is that Site Isolation can drive up memory utilization by 10 to 20 percent, cautions Google.
Mozilla, maker of the Firefox browser, is taking a similar approach to Microsoft and addressing the threat by lowering the resolution of performance.now() and disabling SharedArrayBuffer by default. “In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers,” blogged Mozilla software engineer Luke Wagner.
Problem Patches Paused
Meanwhile, Microsoft is dealing with the aftermath of Meltdown and Spectre patches that produced errors that disabled AMD PCs for some users.
After investigating the problematic patches, the company decided on Jan. 8 to temporarily block the delivery of several Windows updates to PCs running on select AMD processors. A total of nine updates are affected, according to this online support document.
Finally, Microsoft is weighing in on the performance impact that its patches can have on Windows PCs and servers.
In a Jan. 9 blog post, Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, warned of “more significant slowdowns” on Windows 10 PCs running on fourth-generation “Haswell” Intel Core processors relative to newer systems. Windows 7 and 8 users can expect a noticeable decrease in performance, Myerson added. He also warned Windows Server administrators of “a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance.”