WebAssembly upgrades may make Spectre and Meltdown patches useless

WebAssembly is a web standard used by virtually all popular browsers, including Chrome, Edge, Firefox, and Safari. The technology is basically a compact binary language, your browser converts it into machine code and runs it directly on the CPU. WebAssembly has been a major success, it enables a big speedup in JavaScript execution and lets developers port code from other high-level languages.

However, WebAssembly is not immune to abuse. BleepingComputer reports the recent rise of in-browser cryptocurrency miners relied on the technology, and now there's a warning from Forcepoint researcher John Bergbom that upcoming improvements to WebAssembly could have unintended consequences. In short, these new features could render some of the Spectre and Meltdown mitigation patches useless:

"Once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate [JavaScript] timers can be created," Bergbom says, "that may render browser mitigations of certain CPU side channel attacks non-working."

In this statement, Bergbom is more accurately referring to "timing attacks," which are a class of side-channel attacks.

Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms.

A WebAssembly developed told BleepingComputer that they're aware of this issue. At the moment, the rollout of this new feature has been put on hold, but no consensus has been reached on how to proceed.