ESR under the spectre of a meltdown

Benjamin Markson · Post by **Benjamin Markson** » January 5th, 2018, 3:09 am

There are many reports now but this is as good a place to start as any: http://www.theregister.co.uk/2018/01/04 ... nerability

I see with 57.0.4 that Mozilla are trying to mitigate the, so called, Meltdown and Spectre vulnerabilities. This Mozilla security blog with its: "Specifically, in all release channels, starting with 57" seems to imply that these mitigations will not be applied back to the current ESR.

https://blog.mozilla.org/security/2018/ ... ng-attack/

I know that there are OS patches in various states of readiness (and various states of completeness) being deployed but should a Javascript exploit arise then, as usual, the browser becomes the most exposed attack vector. It also seems that there will never be a perfect fix for existing CPUs and that making exploits more difficult will be important.

Does anyone know if an ESR mitigation is in the works?

Ben.

therube · Post by **therube** » January 5th, 2018, 6:32 am

https://www.dslreports.com/forum/r31774853-

(It took me a second time to realize the pun.)

Omega X · Post by **Omega X** » January 5th, 2018, 7:43 am

Its a strong possibility. ESR releases usually trail the main release. I'd say worry if you don't see it within a week.

Frank Lion · Post by **Frank Lion** » January 5th, 2018, 7:58 am

Omega X wrote: I'd say worry if you don't see it within a week.

...or a year or so, if you're using SeaMonkey.

Brummelchen · Post by **Brummelchen** » January 5th, 2018, 7:59 am

javascript.options.shared_memory

is deactivated in firefox esr

Frank Lion · Post by **Frank Lion** » January 5th, 2018, 8:32 am

Brummelchen wrote:
javascript.options.shared_memory
is deactivated in firefox esr

and seamonkey

Benjamin Markson · Post by **Benjamin Markson** » January 5th, 2018, 9:19 am

Thanks therube

https://mozilla.logbot.info/firefox/20180105
https://mozilla.logbot.info/security/20180105

I don't think I would ever have found those.

Someone is saying that the timing mitigation will appear in 52.6 - I'll just imagine that it's being tested in 57.0.4 before being put into the main version of Firefox.

Ben.

Post by **James** » January 5th, 2018, 3:09 pm

https://www.mozilla.org/security/adviso ... sa2018-01/

SharedArrayBuffer is already disabled in Firefox 52 ESR.

From the https://blog.mozilla.org/security/2018/ ... ng-attack/

Update [January 4, 2018]: We have released the two timing-related mitigations described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018

.

ESR under the spectre of a meltdown

ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown

Re: ESR under the spectre of a meltdown