Mozilla Firefox 57.0.4 released
Mozilla released Firefox 57.0.4 to the Stable browser channel on January 4, 2018. The new version of Firefox comes with two timing-based mitigations designed to protect Firefox users against Meltdown and Spectre attacks.
We talked about these vulnerabilities before here on Ghacks. I suggest you check out the initial article on Microsoft releasing updates for Windows to address the issues for an overview.
In short: what was initially thought to be an Intel-specific vulnerability turned out to be more widespread than that. Intel, AMD and ARM processors are affected, and so are operating systems such as Windows or Linux, and even individual programs such as web browsers.
Tip: find out if your Windows PC is affected.
Mozilla software engineer Luke Wagner published an article on the official Mozilla blog on January 3, 2018 in which he describes Mozilla's reaction to the vulnerability.
The important part of the article is that Mozilla found a way to mitigate the issue. He explains that attacks exploiting the vulnerabilities rely on precise timing measurements, and that Mozilla therefore decided to disable or reduce the precision of several time sources in the Firefox web browser.
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.
The security advisory provides additional detail on the changes:
The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
Mozilla notes that SharedArrayBuffer is disabled on Firefox 52 ESR already.
Investigation continues to better understand the threats. Mozilla hopes that ongoing experiments will reveal techniques that protect against them more effectively in the long run; that may eventually allow the organization to undo the timing changes in Firefox.
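To make the mitigation concrete, here is an added example (not Mozilla's code and not Firefox's implementation) that shows the principle of coarsening a timer to a fixed granularity, and how a page can check which granularity and which timer sources the browser it runs in actually exposes. The clamping function and the constructed readings are illustrative assumptions; the check functions use only the standard performance.now() and SharedArrayBuffer globals named in the article.

```javascript
// Added example: timer coarsening as described in the article, plus a check
// of what the current engine exposes. Not Mozilla's code.

// performance.now() is a global in browsers and in Node 16+; fall back to
// perf_hooks on older Node versions.
const perf = globalThis.performance ?? require("perf_hooks").performance;

// Round a timestamp (microseconds) down to a multiple of `resolutionUs`.
// This is the idea behind the mitigation: a reading that was accurate to
// 5 µs is reported with only 20 µs granularity. Illustrative only; Firefox's
// own clamping code is not reproduced here.
function clampMicros(timestampUs, resolutionUs = 20) {
  if (!(resolutionUs > 0)) throw new RangeError("resolution must be positive");
  return Math.floor(timestampUs / resolutionUs) * resolutionUs;
}

// Given a series of timer readings (microseconds), return the smallest
// non-zero step between consecutive readings. A coarsened clock read in a
// tight loop yields runs of identical values followed by jumps of one
// resolution unit, so this step is the granularity the clock exposes.
// Returns null if every reading was identical.
function observedGranularityUs(readings) {
  let smallest = Infinity;
  for (let i = 1; i < readings.length; i++) {
    const step = readings[i] - readings[i - 1];
    if (step > 0 && step < smallest) smallest = step;
  }
  return smallest === Infinity ? null : smallest;
}

// Sample performance.now() in a tight loop and estimate its granularity, so
// a user or admin can confirm the reduced precision is in effect.
function measureTimerGranularityUs(samples = 2000) {
  const readings = [];
  for (let i = 0; i < samples; i++) readings.push(perf.now() * 1000);
  return observedGranularityUs(readings);
}

// True when the engine exposes SharedArrayBuffer, the implicit timer source
// the advisory says Firefox 57.0.4 disables.
function hasSharedArrayBuffer() {
  return typeof SharedArrayBuffer !== "undefined";
}

// Constructed sample (not captured from a real browser): what a loop of
// readings looks like on a clock clamped to 20 µs.
const CONSTRUCTED_READINGS = [100, 100, 100, 120, 120, 140, 140, 140, 160];

console.log("clamp 123456.7 µs to 20 µs:", clampMicros(123456.7));
console.log("granularity of constructed readings:",
  observedGranularityUs(CONSTRUCTED_READINGS), "µs");
console.log("this engine: performance.now() granularity ≈",
  measureTimerGranularityUs(), "µs");
console.log("this engine: SharedArrayBuffer available:", hasSharedArrayBuffer());
```

Run in a browser console to see the live values: on Firefox 57.0.4 the measured granularity should be about 20 µs and SharedArrayBuffer should be absent, while on a browser without the mitigation the granularity is much finer and the constructor is present.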
Firefox 57.0.4 is already distributed through the browser's automatic update functionality. You can run a manual check for updates with a click on Menu > Help > About Firefox.
Firefox 57.0.4 is also available as a download on the official Mozilla website for all supported operating systems. You can download the installer from the website to install Firefox anew or update an existing release version of the Firefox browser instead.
Nice. I like the prompt reaction from Mozilla. Is Google really going to wait another two weeks before releasing their fix for Chrome?
Yes, the Chrome patch is announced for January 23. Meanwhile, Pale Moon stated that it’s not even vulnerable, and Basilisk has been updated.
If you are using Chrome you really won’t mind waiting another 2 weeks.
Why would you even care if someone besides Google is stealing your data?
If you are using Chrome you already gave up all your Data and Passwords.
Nothing left to steal here. Bye bye privacy, see you in next life.
There are much shadier actors out there than Google. I would rather give my data to Google than to an oppressive government, or to hackers, scammers, phishers etc. Sometimes I think I’d rather give my data to the NSA than to some people in my government or to some people that I know. Having said that, there is no evidence about Chrome spying on you (and it’s the most popular browser out there, someone would find out), and Google only knows my Google password and my Wi-Fi password, but I’m sure they have faster internet than mine. If you don’t sync your data with Google and uncheck some settings, Chrome isn’t that bad. They can track you through analytics cookies on websites, but that goes for any browser.
(While I’m already here – comments look way better now, Martin!)
(Another edit: Ubuntu just updated Firefox, usually we have to wait a few days.)
You made a valid point, and one that I always wondered about…
I mean, if you don’t use sync (I never do, in any browser) and uncheck some options, does Google still spy on you through Chrome? My cynical side says that yes, especially because there’s probably a “unique ID” for each Chrome installation. They can also associate your Chrome installation with the Google account you usually sign in to on Chrome (not the sync).
Also, I don’t think that Google go as far as “stealing all your passwords”, but they do have a great interest in your browsing habits, that’s for sure.
With that said, I switched to Firefox since 57 because it’s really great now, and it actually seems to handle multiple tabs far better than Chrome (the painting when you click on one of them is instantly, whereas on Chrome there’s a slight delay sometimes).
Firefox uses unique IDs.
“This feature also sends Potentially Personal Information to Mozilla in the form of your IP address and a cookie that contains a unique numeric value to distinguish individual Firefox installs.”
“There are much shadier actors out there than Google”
True, there are, but that doesn’t take away from the fact that Google is a very shady actor too. Trusting Google is, in my opinion, misguided.
My cynical side would also say “yes” (hey, I’m sure they would if they could – can they?) although rationally Chrome should simply be Google’s free browser that delivers you the smoothest Google experience (YouTube, Gmail, showing ads etc). That said, according to Wikipedia they register when you install it (I don’t think that’s a big secret), then there’s the opt-in ClientID – “Unique identifier along with user preferences, logs of usage metrics and crashes.” – and text typed into the address bar (I assume if using Google as a search engine).
Then there’s Google Update (“Information about how often Chrome is used, details about the OS and Chrome version.”) which comes with Windows and Mac version, but not with the Linux version that I’m using – back when I was using a really old Windows PC and dial-up, that thing would never shut up, to the point of breaking my connection, and there was no simple way to disable it.
To the other John – of course, I’m not trying to justify Google. Simply stating that Google is, for a lot of people, the lesser evil. Even Facebook and Twitter – which are complained about very often – are safer for some people than where they live, I remember reading that most of the Tor traffic goes towards Facebook. So, I suppose, trust Google, but not too much.
@MdN – “(hey, I’m sure they would if they could – can they?)” Google . com, Doubleclick . net, Google-Analytics . com cookies and others are unblockable in Google Chrome AND Google Opera.
I don’t know if Google Opera still does this because I don’t install that spyware on my machines anymore; only on Windows XP I did, and both of the last releases on Windows XP did that. On both browsers I went to Cookie Exceptions and blocked them and, what do you know, the cookies would still show up. Even when I cleared all cookies, restarted the browser and the browser launched into a blank tab, the cookies would magically appear, even though they were BLOCKED. I tested this on someone else’s laptop with a Chrome version 60-ish install and it still did it.
Firefox honors my cookie exceptions…..
Google also wrote a check to Opera so that they would make Google Opera Presto 12.15 ALWAYS change the default search engine to Google every time the user would restart the browser, EVERY TIME. Opera was basically abandoning Opera Presto and wanted another Google check, but Opera and the Opera super fans wanted people to believe that it was a glitch, but the glitch happened right when they were basically abandoning Presto? And never fixed it. Coincidence? Nah, it was a Google check.
So Google is deep in Opera’s pockets and should people trust Opera now that it’s owned by a Chinese company ?
Fennec (Android) has become so slow and sluggish it’s practically unusable.
No update for Firefox ESR 52.5.3 I notice. I guess Mozilla doesn’t care much about the ESR version anymore.
Waterfox has the fix (and will continue supporting your legacy add-ons).
Martin had already stated above that:
“Mozilla notes that SharedArrayBuffer is disabled on Firefox 52 ESR already.”
A subtle correction to this: “what was thought to be an Intel-specific vulnerability at first turned out to be more widespread than that.”
This is something that people everywhere are getting confused about. We’re talking about two different vulnerabilities here. The first one that was reported (meltdown) is specific to Intel devices, and outside of a couple of outliers, isn’t more widespread than that.
Shortly after it was discovered, a second vulnerability (spectre) was discovered. It is quite widespread, affecting most modern processors, Intel or not.
The distinction is important because the level of vulnerability is quite different. Meltdown is easy to exploit and so poses the larger risk. Spectre is difficult to exploit and so poses the lesser risk (although it’s also very difficult for operating systems to protect against…)
Why not put this in the Firefox 57 release overview post?
I do this normally for minor releases but this one is important enough to have its own article. It reaches a wider audience this way.
How to enable SharedArrayBuffer on Firefox 52 ESR ?
Once again a firefox post has devolved into a chrome one.
Anyway, my view of FF57 is a very positive one and it runs better than *cough* Chrome *cough*.
Good work Mozilla, Firefox is a great browser again.
FF 57 is not compatible with many extensions, this is bad.