There are many reports now but this is as good a place to start as any: http://www.theregister.co.uk/2018/01/04 ... nerability
I see with 57.0.4 that Mozilla are trying to mitigate the so-called Meltdown and Spectre vulnerabilities. This Mozilla security blog with its: "Specifically, in all release channels, starting with 57" seems to imply that these mitigations will not be applied back to the current ESR.
https://blog.mozilla.org/security/2018/ ... ng-attack/
I know that there are OS patches in various states of readiness (and various states of completeness) being deployed but should a JavaScript exploit arise then, as usual, the browser becomes the most exposed attack vector. It also seems that there will never be a perfect fix for existing CPUs and that making exploits more difficult will be important.
Does anyone know if an ESR mitigation is in the works?
Ben.
ESR under the spectre of a meltdown
- Benjamin Markson
- Posts: 397
- Joined: November 19th, 2011, 3:57 am
- Location: en-GB
ESR under the spectre of a meltdown
XUL is dead. Long live the Google Chrome Clones.
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: ESR under the spectre of a meltdown
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- Omega X
- Posts: 8225
- Joined: October 18th, 2007, 2:38 pm
- Location: A Parallel Dimension...
Re: ESR under the spectre of a meltdown
It's a strong possibility. ESR releases usually trail the main release. I'd say worry if you don't see it within a week.
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: ESR under the spectre of a meltdown
Omega X wrote: I'd say worry if you don't see it within a week.
...or a year or so, if you're using SeaMonkey.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
- Brummelchen
- Posts: 4480
- Joined: March 19th, 2005, 10:51 am
Re: ESR under the spectre of a meltdown
javascript.options.shared_memory is deactivated in firefox esr
- Frank Lion
- Posts: 21178
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Re: ESR under the spectre of a meltdown
Brummelchen wrote: javascript.options.shared_memory is deactivated in firefox esr
and seamonkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
- Benjamin Markson
- Posts: 397
- Joined: November 19th, 2011, 3:57 am
- Location: en-GB
Re: ESR under the spectre of a meltdown
Thanks therube
https://mozilla.logbot.info/firefox/20180105
https://mozilla.logbot.info/security/20180105
I don't think I would ever have found those.
Someone is saying that the timing mitigation will appear in 52.6 - I'll just imagine that it's being tested in 57.0.4 before being put into the main version of Firefox.
Ben.
XUL is dead. Long live the Google Chrome Clones.
- James
- Moderator
- Posts: 28005
- Joined: June 18th, 2003, 3:07 pm
- Location: Made in Canada
Re: ESR under the spectre of a meltdown
https://www.mozilla.org/security/adviso ... sa2018-01/
From the https://blog.mozilla.org/security/2018/ ... ng-attack/
SharedArrayBuffer is already disabled in Firefox 52 ESR.
Update [January 4, 2018]: We have released the two timing-related mitigations described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.
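One way to check, from the browser console or a page script, whether a given build has the two mitigations the update above refers to (SharedArrayBuffer unavailable, coarser performance.now()). This is an added example, not part of the original thread and not Mozilla's code; the function names are assumptions of the example.

```javascript
// Added example: audit a JavaScript environment for the two mitigations
// discussed in this thread. All helper names are hypothetical.

// Smallest non-zero step (in ms) between consecutive timestamps.
function smallestStep(samples) {
  let min = Infinity;
  for (let i = 1; i < samples.length; i++) {
    const d = samples[i] - samples[i - 1];
    if (d > 0 && d < min) min = d;
  }
  return min; // Infinity: the clock never advanced while sampling
}

// Record a timestamp each time the clock visibly ticks, with a call cap
// so a frozen clock cannot hang the check.
function sampleClock(now, ticks = 50, maxCalls = 5e6) {
  const out = [now()];
  for (let calls = 0; out.length < ticks && calls < maxCalls; calls++) {
    const t = now();
    if (t !== out[out.length - 1]) out.push(t);
  }
  return out;
}

// env.now: a performance.now()-like function returning milliseconds.
// env.SharedArrayBuffer: the global constructor, or undefined if absent.
function auditTimingMitigations(env) {
  const stepMs = smallestStep(sampleClock(env.now));
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer === "function",
    // Observed timer granularity in microseconds, rounded to 0.001 us.
    timerStepMicros: Math.round(stepMs * 1000 * 1000) / 1000,
  };
}

// Report on the environment this script is running in.
if (typeof performance !== "undefined") {
  console.log(auditTimingMitigations({
    now: () => performance.now(),
    SharedArrayBuffer:
      typeof SharedArrayBuffer === "undefined" ? undefined : SharedArrayBuffer,
  }));
}
```

A larger `timerStepMicros` after an update, together with `sharedArrayBufferExposed: false`, indicates both changes are active in that profile.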