SPECTRE – WindowsTechs.com

How meaningful are SPECTRE mitigations on single user desktops and workstations if the installed software is trusted?

Posted on November 3, 2024 by vfclists

What prompts this question is why some Spectre mitigations are considered meaningful on single user workstations or desktops.
When a piece of software is trusted by the admin or a user to run on a single user system, what is the purpose of… Continue reading How meaningful are SPECTRE mitigations on single user desktops and workstations if the installed software is trusted?→

Spectre Mitigations Output for sucessful patch

Posted on September 27, 2024 by mbrain

I got the results of an internal pentest at my company and the job to fix it. The paper they gave me looked like the output i got from microsofts speculativecontrol powershell script from https://github.com/microsoft/SpeculationControl
Spe… Continue reading Spectre Mitigations Output for sucessful patch→

How can a timing/cache side-channel attack be performed? How can attack know the time of which certain instructions are performed by the victim?

Posted on July 9, 2024 by AllExJ

About timing my question is:
How can attack know the time of which certain instructions are performed by the victim?
And about the cache, how can attacker know which cache line is being accessed by the victim? Is this doable in "norma… Continue reading How can a timing/cache side-channel attack be performed? How can attack know the time of which certain instructions are performed by the victim?→

What does COEP do that CSP doesn’t already do?

Posted on November 4, 2022 by Flying Penguin

Both Cross-Origin-Embedder-Policy and Content-Security-Policy seem to do pretty similar things: they restrict the document from loading certain types of subresources (e.g. cross-origin subresources). Why is COEP necessary when we already h… Continue reading What does COEP do that CSP doesn’t already do?→

Are Haswell CPUs still secure? Do they still get microcode updates?

Posted on July 20, 2022 by schaman

I have a Dell laptop with a Haswell CPU, and the recent Retbleed vulnerabilities made me think how vulnerable it is in general. The whitepaper implies Haswell quite a lot, but it wasn’t tested. I keep my microcode package up-to-date, but i… Continue reading Are Haswell CPUs still secure? Do they still get microcode updates?→

This Week in Security: Retbleed, Post-Quantum, Python-atomicwrites, and the Mysterious Cuteboi

Posted on July 15, 2022 by Jonathan Bennett

Yet another entry in the “why we can’t have nice things” category, Retbleed was announced this week, as yet another speculative execution vulnerability. This one is mitigated in hardware for …read more Continue reading This Week in Security: Retbleed, Post-Quantum, Python-atomicwrites, and the Mysterious Cuteboi→

COOP and COEP: Is there an advantage to enabling COOP / COEP if I don’t need to use the sharedArrayBuffer or other features?

Posted on December 21, 2021 by gaurav5430

COOP: cross origin opener policy
COEP: Cross origin embedder policy
Most of the articles on the web, related to COOP / COEP, point to the fact that by enabling COOP / COEP , your web page can use the sharedArrayBuffer and some other precis… Continue reading COOP and COEP: Is there an advantage to enabling COOP / COEP if I don’t need to use the sharedArrayBuffer or other features?→

How to select a CPU to buy for the best security?

Posted on November 29, 2021 by Teekin

Various versions of Spectre, Meltdown, Foreshadow and ZombieLoad make it quite the jungle trip to navigate which CPUs are affected, how to mitigate them.
Right now, my problem is that I need a new computer but I want to make sure that I bu… Continue reading How to select a CPU to buy for the best security?→

Are CPU side-channel attacks still a concern on VPSs

Posted on October 14, 2021 by Letal1s

I’ve been looking into getting a VPS to run an OpenVPN server on and a few other things. I’ve been speaking to a hosting company and they have sent me this screenshot to show they are protected against all currently known exploits on their… Continue reading Are CPU side-channel attacks still a concern on VPSs→

Does enabling SharedArrayBuffers via service worker headers create Spectre vulnerability?

Posted on October 7, 2021 by ultraGentle

In browsers, use of SharedArrayBuffer is restricted to sites with the following HTTP headers because otherwise it exposes vulnerabilities to Spectre and Meltdown.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-… Continue reading Does enabling SharedArrayBuffers via service worker headers create Spectre vulnerability?→