Mozilla released Firefox 57.0.4 to the Stable browser channel on January 4, 2018. The new version of Firefox comes with two timing-based mitigations designed to protect Firefox users against Meltdown and Spectre attacks.
We talked about these vulnerabilities before here on Ghacks. I suggest you check out the initial article on Microsoft releasing updates for Windows to address the issues for an overview.
Only this much: what was thought to be an Intel-specific vulnerability at first turned out to be more widespread than that. Intel, AMD and ARM processors are affected, and so are operating systems such as Windows or Linux, and even individual programs such as web browsers.
Mozilla software engineer Luke Wagner published an article on the official Mozilla blog on January 3, 2018 in which he describes Mozilla's reaction to the vulnerability.
The important part of the article is that Mozilla found a way to mitigate the issue. He describes that attacks that exploit the issue rely on precise timing, and that Mozilla decided to disable or reduce the precision of several time sources in the Firefox web browser.
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.
The security advisory provides additional detail on the changes:
The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
Mozilla notes that SharedArrayBuffer is disabled on Firefox 52 ESR already.
Investigation continues to better understand the threats. The organization hopes that experiments will reveal techniques to improve the protection against the threats in the long run. This may even result in Mozilla undoing the timing changes in Firefox.
Firefox 57.0.4 is already distributed through the browser's automatic update functionality. You can run a manual check for updates with a click on Menu > Help > About Firefox.
Firefox 57.0.4 is also available as a download on the official Mozilla website for all supported operating systems. You can download the installer from the website to install Firefox anew or update an existing release version of the Firefox browser instead.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.