MozillaZine

ESR under the spectre of a meltdown

Benjamin Markson

Posts: 355
Joined: November 19th, 2011, 3:57 am
Location: en-GB

Posted January 5th, 2018, 3:09 am

There are many reports now but this is as good a place to start as any: http://www.theregister.co.uk/2018/01/04 ... nerability

I see with 57.0.4 that Mozilla are trying to mitigate the so-called Meltdown and Spectre vulnerabilities. This Mozilla security blog, with its "Specifically, in all release channels, starting with 57", seems to imply that these mitigations will not be applied back to the current ESR.

https://blog.mozilla.org/security/2018/ ... ng-attack/

I know that there are OS patches in various states of readiness (and various states of completeness) being deployed, but should a JavaScript exploit arise then, as usual, the browser becomes the most exposed attack vector. It also seems that there will never be a perfect fix for existing CPUs and that making exploits more difficult will be important.

Does anyone know if an ESR mitigation is in the works?

Ben.
XUL is dead. Long live the Google Chrome Clones.

therube

Posts: 18790
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Posted January 5th, 2018, 6:32 am

https://www.dslreports.com/forum/r31774853-

(It took me a second time to realize the pun.)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Omega X

Posts: 8062
Joined: October 18th, 2007, 2:38 pm
Location: A Parallel Dimension...

Posted January 5th, 2018, 7:43 am

It's a strong possibility. ESR releases usually trail the main release. I'd say worry if you don't see it within a week.
Latest: Firefox/61.0.1 *ESR/60.1.0 - Mobile/61.0 - Thunderbird/52.9.1
Nightly: Nightly/63.0a1 - Mobile/63.0a1 - Daily/63.0a1

Frank Lion

Posts: 19991
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted January 5th, 2018, 7:58 am

Omega X wrote: I'd say worry if you don't see it within a week.

...or a year or so, if you're using SeaMonkey.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Brummelchen
 
Posts: 3515
Joined: March 19th, 2005, 10:51 am

Posted January 5th, 2018, 7:59 am

javascript.options.shared_memory

is deactivated in Firefox ESR

Frank Lion

Posts: 19991
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Posted January 5th, 2018, 8:32 am

Brummelchen wrote:
javascript.options.shared_memory

is deactivated in Firefox ESR

and SeaMonkey
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Benjamin Markson

Posts: 355
Joined: November 19th, 2011, 3:57 am
Location: en-GB

Posted January 5th, 2018, 9:19 am

Thanks therube

https://mozilla.logbot.info/firefox/20180105
https://mozilla.logbot.info/security/20180105

I don't think I would ever have found those.

Someone is saying that the timing mitigation will appear in 52.6 - I'll just imagine that it's being tested in 57.0.4 before being put into the main version of Firefox. :D

Ben.
XUL is dead. Long live the Google Chrome Clones.

James
Moderator

Posts: 27328
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Posted January 5th, 2018, 3:09 pm

https://www.mozilla.org/security/advisories/mfsa2018-01/
SharedArrayBuffer is already disabled in Firefox 52 ESR.

From the https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Update [January 4, 2018]: We have released the two timing-related mitigations described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.
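
Added example (not part of the thread and not Mozilla's code): a JavaScript check for the two conditions the posts above discuss, whether SharedArrayBuffer is exposed to script and how coarse the clock behind performance.now() appears. The function names, the report shape and the constructed clock are assumptions of this example.

```javascript
// Added example: names and the constructed clock are assumptions, not Mozilla code.

// Smallest non-zero step seen between successive readings of `now`, in ms.
// Returns null if the clock never advanced within `maxReads` readings.
function estimateTimerStepMs(now, maxReads = 200000, wantedSteps = 50) {
  let smallest = Infinity;
  let steps = 0;
  let prev = now();
  for (let i = 0; i < maxReads && steps < wantedSteps; i++) {
    const cur = now();
    if (cur > prev) {
      smallest = Math.min(smallest, cur - prev);
      steps++;
      prev = cur;
    }
  }
  return steps === 0 ? null : smallest;
}

// Report both conditions for a given global scope and clock function.
function timingSurfaceReport(scope, now) {
  return {
    sharedArrayBufferExposed: typeof scope.SharedArrayBuffer === "function",
    timerStepMs: estimateTimerStepMs(now),
  };
}

// Constructed clock for offline checks: advances `tickMs` per read and
// reports the time rounded down to a multiple of `stepMs`.
function makeQuantisedClock(stepMs, tickMs) {
  let t = 0;
  return () => {
    t += tickMs;
    return Math.floor(t / stepMs) * stepMs;
  };
}

// In a browser console or Node, inspect the real environment.
if (typeof performance !== "undefined") {
  console.log(timingSurfaceReport(globalThis, () => performance.now()));
}
```

The measured step is only a rough indicator: a busy loop cannot observe steps smaller than the cost of one clock read, so a small reading does not by itself prove a fine-grained clock.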
