In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory—an attack that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.

The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.

Last week, researchers published a bitflipping method that relies on JavaScript code used by standard browsers. Rowhammer.js, as the new proof-of-concept attack has been dubbed, is slow, and so far it only works on a Lenovo x230 Ivy Bridge Laptop running default settings and on a Haswell CPU if its refresh interval is increased as gamers sometimes do to increase system performance. And even then, the researchers were unable to use the attack to gain root access. Despite the limitations, however, the modified attack does what has never been done before—achieving a bitflipping attack using nothing more than the JavaScript allowed by every modern browser.

"A remote attacker can hide the attack script in a website and attack any visitor," Daniel Gruss, one of the authors of last week's research paper, wrote in an e-mail. "Thus, it is not a targeted attack on a single machine anymore but an attack on millions of systems simultaneously."

The attack works by rapidly and simultaneously accessing—or "hammering"—two rows of "aggressor" memory cells of vulnerable DRAM DIMMs. When performed correctly, the Rowhammer technique will cause a "victim" region in between the two aggressor locations to flip its bits. A key challenge in getting JavaScript to flip bits was finding a suitable replacement for the clflush instruction, which Google developers recently disabled in the company's Chrome browser. Clflush proved instrumental in rapidly accessing the memory cells of DDR3 DIMMs. In its absence, the latest team of researchers devised an eviction strategy that triggers bitflips on the Lenovo x230 laptop using the Ivy Bridge or modified Haswell CPUs.

Although the researchers still haven't achieved a root exploit, their JavaScript-based bitflipping generally performs on par with the bitflipping from native code. Gruss wrote:

We found that JavaScript performance for our test program is close to our native g++ -O3 compiled code. Thus we were able to perform the same bitflips as in native code in JavaScript, again using our eviction algorithm. Finally, we exploited the fact that on our Linux systems Firefox allocates 2MB pages for large typed JavaScript arrays and generates the eviction set through a timing attack. This allows us to perform the attack completely in the Browser without any external help. What's missing: Currently we are performing the fault attack and cause bitflips—we have not yet implemented a root exploit based on this.

David Kanter, senior editor of the Microprocessor Report, told Ars that some DRAM makers responded to the original Rowhammer research by doubling the refresh rate of vulnerable memory chips. The new research suggests that to truly fix vulnerable memory DIMMs, the rate may have to be increased eight fold. A change of that magnitude probably isn't practical, Kanter said, and besides, most end users avoid hardware updates.

The takeaway is that browser-enabled bitflipping attacks aren't yet practical, but they may become a viable threat to some percentage of users in the coming years, at least under certain circumstances.