• Login
    • Search
    • Categories
    • Recent
    • Tags
    • Users
    • Groups
    • Rules
    • Help

    Do more on the web, with a fast and secure browser!

    Download Opera browser with:

    • built-in ad blocker
    • battery saver
    • free VPN
    Download Opera

    Meltdown & Spectre the last Opera 68.0.3618.104 vulnerability

    Opera for Windows
    6
    35
    13041
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • leocg
      leocg Moderator Volunteer @Guest last edited by

      @johnd78 You posted the link to the blog post and not to the comment.

      Reply Quote 0
        andrew84 A Former User 2 Replies Last reply
      • andrew84
        andrew84 @leocg last edited by

        @leocg so read the blog post, there's an explanation. And there's 0 comments (because all the 'disqus' comments were removed)

        Reply Quote 0
          1 Reply Last reply
        • A Former User
          A Former User @leocg last edited by

          @leocg I meant the developers' blog comments on this issue. As far as I remember, when a problem with this vulnerability appeared, the developers forcedly disabled opera://flags/#shared-array-buffer flag. Now this flag is gone.

          Reply Quote 0
            leocg 1 Reply Last reply
          • A Former User
            A Former User @andrew84 last edited by A Former User

            @andrew84 Please, try enabling the flag opera://flags/#shared-array-buffer in the 58th Opera. It is interesting to look at the test result on your system.

            Reply Quote 0
              andrew84 1 Reply Last reply
            • andrew84
              andrew84 @Guest last edited by andrew84

              @johnd78 with the enabled flag I have the same random result in O58 too, depending oh how many 'caches' were processed.
              2020-05-17_194803.png

              Reply Quote 0
                A Former User 1 Reply Last reply
              • A Former User
                A Former User @andrew84 last edited by

                @andrew84 Ok, got it. Then try to disable the flag opera://flags/#enable-webassembly-threads in the 68th Opera. To pass the test, this should be enough.

                Reply Quote 0
                  andrew84 leocg 2 Replies Last reply
                • andrew84
                  andrew84 @Guest last edited by andrew84

                  @johnd78 said in Meltdown & Spectre the last Opera 68.0.3618.104 vulnerability:

                  opera://flags/#enable-webassembly-threads

                  I disabled it, but in my case the result is still random (Portable 68.0.3618.104)
                  2020-05-17_201047.png

                  Reply Quote 0
                    A Former User 1 Reply Last reply
                  • A Former User
                    A Former User @andrew84 last edited by

                    @andrew84 For me with the opera://flags/#enable-webassembly-threads flag Disabled in the 68th it turns out like with the opera://flags/#shared-array-buffer flag Disabled in the 58th.

                    Opera Снимок_2020-05-17_222159_xlab.tencent.com.png

                    Reply Quote 0
                      andrew84 1 Reply Last reply
                    • andrew84
                      andrew84 @Guest last edited by andrew84

                      @johnd78 I can't comment here, I also tried it in 69 (which is not portable) and all is the same.
                      2020-05-17_203748.png.

                      Maybe the test itself is not stable. And my processors can't be called as 'modern' like it is said in the blog post's explanation.

                      Reply Quote 0
                        donq A Former User 2 Replies Last reply
                      • donq
                        donq @andrew84 last edited by donq

                        @andrew84 said in Meltdown & Spectre the last Opera 68.0.3618.104 vulnerability:

                        Maybe the test itself is not stable. And my processors can't be called as 'modern' like it is said in the blog post's explanation.

                        The vulnerability itself is not 'stable' 🙂
                        Code in test script is a bit over my understanding, but it could be unstable either.

                        To read protected memory areas CPU cache is cleared, code is tricked to execute speculative read from protected area (which is discarded and thus not giving error - but data is already loaded into cache) and then some other memory addresses are read - read timing depends on cache containig specific data. Some information can be leaked even using somewhat random timing - I think this is exactly what you experience.

                        Reply Quote 0
                          1 Reply Last reply
                        • leocg
                          leocg Moderator Volunteer @Guest last edited by

                          @johnd78 That flag used to make sense three years ago, when the post was published.

                          Reply Quote 0
                            1 Reply Last reply
                          • leocg
                            leocg Moderator Volunteer @Guest last edited by

                            @johnd78 I have that flag enabled (by default) here and the test says that Opera i snot vulnerable.

                            Reply Quote 0
                              1 Reply Last reply
                            • A Former User
                              A Former User @andrew84 last edited by

                              @andrew84 Sorry, my mistake, I forgot something. Try to disable the flag opera://flags/#enable-webassembly-threads and start the browser with the key --disable-features=SharedArrayBuffer. Then it should work. Checked in the 68th and 69th Opera.

                              Reply Quote 2
                                anastasia-mx 1 Reply Last reply
                              • anastasia-mx
                                anastasia-mx @Guest last edited by

                                @johnd78 I used the "WebAssembly threads support" = "disabled" flag and started the program opera with the key --disable-features=SharedArrayBuffer as a result, the problem is resolved and the browser is no longer vulnerable.
                                can you explain what these parameters are and why they were enabled if this leads to a vulnerability?
                                vuln.png

                                Reply Quote 0
                                  donq 1 Reply Last reply
                                • donq
                                  donq @anastasia-mx last edited by donq

                                  @anastasia-mx said in Meltdown & Spectre the last Opera 68.0.3618.104 vulnerability:

                                  can you explain what these parameters are

                                  Read here: https://developers.google.com/web/updates/2018/10/wasm-threads

                                  and why they were enabled if this leads to a vulnerability?

                                  Most likely unintended coincidence - performance versus security, as it often is.
                                  If Chrome is not affected, then you should report a bug to Opera. If Chrome (Chromium) is affected too, then better report to Chrome (Chromium).

                                  Well, before reporting check latest developer build - it is possible that this problem is already fixed. In my just updated dev version (70.0.3693.0) two checks (2 of 2) did report "not vulnerable" 🙂

                                  Reply Quote 1
                                    A Former User 1 Reply Last reply
                                  • A Former User
                                    A Former User @donq last edited by A Former User

                                    @donq I think this Chinese test is old and may not take into account the current changes in the Chromium engine. Now it makes no sense to turn off flags and use keys only to pass this test. I also have not heard about the real use of this vulnerability in browsers, only in special tests.

                                    Reply Quote 0
                                      1 Reply Last reply
                                    • First post
                                      Last post

                                    Computer browsers

                                    • Opera for Windows
                                    • Opera for Mac
                                    • Opera for Linux
                                    • Opera beta version
                                    • Opera USB

                                    Mobile browsers

                                    • Opera for Android
                                    • Opera Mini
                                    • Opera Touch
                                    • Opera for basic phones

                                    • Add-ons
                                    • Opera account
                                    • Wallpapers
                                    • Opera Ads

                                    • Help & support
                                    • Opera blogs
                                    • Opera forums
                                    • Dev.Opera

                                    • Security
                                    • Privacy
                                    • Cookies Policy
                                    • EULA
                                    • Terms of Service

                                    • About Opera
                                    • Press info
                                    • Jobs
                                    • Investors
                                    • Become a partner
                                    • Contact us

                                    Follow Opera

                                    • Opera - Facebook
                                    • Opera - Twitter
                                    • Opera - YouTube
                                    • Opera - LinkedIn
                                    • Opera - Instagram

                                    © Opera Software 1995-