Row Hammer bug that affects memory chips can now be exploited via JavaScript, unpatchable at software level

Jul 29, 2015 11:42 GMT

In March, security researchers published a report detailing a problem with some memory chips that can be exploited to give attackers access to any computer using the latest DDR3 DRAM chips.

The exploit was named Row Hammer (also spelled Rowhammer) and works by constantly hammering a row of memory cells until they create electromagnetic interference in the adjacent rows, causing them to lose data and alter normal operation.

While the original research showed that this type of attack was possible only from the local machine, which implied that the computer needed to be infected first, new research by Daniel Gruss, Clémentine Maurice, and Stefan Mangard from universities in France and Austria shows how Row Hammer can be actively exploited via JavaScript (as Slate reports).

This means an attacker can simply put his exploit code in a JavaScript file and wait for random users to access a Web page and download the file.

Row Hammer can be launched from any website

The three researchers used Rowhammer.js to test out their theory and observed that the "attack runs in [a] sandboxed JavaScript which is present and enabled by default in every modern browser."

"Although implemented in JavaScript, the attack technique is independent of the specific CPU microarchitecture, programming language and runtime environment, as long as the stream of memory accesses is executed fast enough," the security researchers conclude.

As with the original Row Hammer bug, the JavaScript version of this exploit is unpatchable at the software level, and a general BIOS update would be needed to fix it.

Researchers did say that slowing down the speed at which JavaScript is being executed in the browser could diminish the memory cell row hammering effect, but this recommendation will never be heeded by any browser manufacturer, all being obsessed with their JS runtime benchmarks and trying to out-do their competition.

As the three researchers also point out, "Rowhammer.js is the first remote software-induced hardware-fault attack," which would make it a real problem if the Row Hammer bug weren't so hard to implement and control.