Why did ESR 52 not get a Meltdown / Spectre patch like Fx57?

c627627
Posts: 641
Joined: April 3rd, 2005, 12:58 pm
Location: Kansas City, Missouri

Why did ESR 52 not get a Meltdown / Spectre patch like Fx57?

Post by c627627 »

Why did Fx ESR 52 not get a patch but Fx57 did?

Can you post on the way Meltdown and Spectre exploits operate, as far as getting sensitive information, specifically, if we close all web browsers and only open a single web page, banking web page for example, which we then completely close when finished, does that prevent speculative execution exploits? Does cleaner software which purges cookies etc. help/affect this exploit?
Open the pod bay doors, Cortana.
James
Moderator
Posts: 27999
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by James »

https://www.mozilla.org/security/adviso ... sa2018-01/

Fixed in Firefox 57.0.4, SharedArrayBuffer is already disabled in Firefox 52 ESR.

https://www.mozilla.org/firefox/57.0.4/releasenotes/
c627627
Posts: 641
Joined: April 3rd, 2005, 12:58 pm
Location: Kansas City, Missouri

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by c627627 »

When we read the security advisory, it first states that "The precision of performance.now() has been reduced from 5μs to 20μs."
Does disabling SharedArrayBuffer make performance.now precision irrelevant?

In other words the advisory lists two things, only one of which is already disabled in Firefox 52 ESR.
Open the pod bay doors, Cortana.
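
Added example, not part of the thread and not Mozilla's code: the advisory lists two timing-related changes (coarser performance.now() and SharedArrayBuffer disabled, the latter because it can be used to construct a high-resolution timer), and this script reports how both look from JavaScript in the current environment. The function names and the quantized test clock are constructed for illustration.

```javascript
// Added example: report the two timing mitigations named in the advisory
// as seen by script. All names here are illustrative.

// Smallest non-zero step seen between successive clock readings, in whole
// microseconds. nowFn must return milliseconds, like performance.now().
// A result of 0 means the clock is finer than one microsecond.
function estimateResolutionMicros(nowFn, maxReads = 200000) {
  let smallest = Infinity;
  let previous = nowFn();
  for (let i = 0; i < maxReads; i++) {
    const current = nowFn();
    const delta = current - previous;
    if (delta > 0 && delta < smallest) smallest = delta;
    previous = current;
  }
  return Number.isFinite(smallest) ? Math.round(smallest * 1000) : null;
}

// Constructed clock for offline checks: advances 1 microsecond per read and
// rounds down to stepMicros, imitating a precision-reduced timer.
function makeQuantizedClock(stepMicros) {
  let rawMicros = 0;
  return () => {
    rawMicros += 1;
    return (Math.floor(rawMicros / stepMicros) * stepMicros) / 1000;
  };
}

// env defaults to the real global object; pass a stub to test the logic.
function mitigationReport(env = globalThis) {
  const perf = env.performance;
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer === "function",
    performanceNowMicros:
      perf && typeof perf.now === "function"
        ? estimateResolutionMicros(() => perf.now())
        : null,
  };
}

console.log(mitigationReport());
```

Browsers may also add jitter to the clock, so treat the measured step as an estimate of the effective resolution rather than an exact setting.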
Brummelchen
Posts: 4480
Joined: March 19th, 2005, 10:51 am

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by Brummelchen »

kukla
Posts: 968
Joined: December 30th, 2008, 3:59 pm

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by kukla »

Brummelchen wrote:please lock because of
http://forums.mozillazine.org/viewtopic ... &t=3037088
It might be time for you to remember once again, that you are not a moderator here. There are quite capable moderators here, who can see just what you see. There may be some duplication, but that is not the end of the world. I for one would not like to see this thread locked, your opinion notwithstanding.
RobertJ
Moderator
Posts: 10880
Joined: October 15th, 2003, 7:40 pm
Location: Chicago IL/Oconomowoc WI

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by RobertJ »

.
kukla, you are at risk running Mac OS X 10.11 according to Apple. At this time only OS 10.13.2 has the fix.

.
FF 92.0 - TB 78.13 - Mac OSX 10.13.6
Brummelchen
Posts: 4480
Joined: March 19th, 2005, 10:51 am

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by Brummelchen »

@kukla - you got problems, really...mind your own business please.
People not using forum search don't have fortune.
kukla
Posts: 968
Joined: December 30th, 2008, 3:59 pm

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by kukla »

Brummelchen wrote:....really...mind your own business please.
Best if you take your own advice.
RobertJ
Moderator
Posts: 10880
Joined: October 15th, 2003, 7:40 pm
Location: Chicago IL/Oconomowoc WI

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by RobertJ »

.
This is a support forum. Not a debating club.

.
FF 92.0 - TB 78.13 - Mac OSX 10.13.6
kukla
Posts: 968
Joined: December 30th, 2008, 3:59 pm

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by kukla »

RobertJ wrote:.
kukla, you are at risk running Mac OS X 10.11 according to Apple. At this time only OS 10.13.2 has the fix.

.
Thanks, but not ready to upgrade to HSierra. Think it's too buggy still. Look what happened with root password, and who knows what else lurks to be discovered there. Apple seems to be getting sloppy. I never upgrade until all, or almost all, point releases are in the bag. Would think that there will be a security update for 10.12, or even El Cap, before long, at which time I will upgrade--have 10.12.6 completely ready to go on an external--just needs cloning over to the internal.

But Spectre-Meltdown, still only PoC. Nothing reported in the wild...yet. And 52esr not supposed to be wide open.

Anyway, running NoScript, which should protect to some extent. See

https://forums.informaction.com/viewtop ... =8&t=24391
RobertJ
Moderator
Posts: 10880
Joined: October 15th, 2003, 7:40 pm
Location: Chicago IL/Oconomowoc WI

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by RobertJ »

.
A bit off topic, but running HSierra since its release and so has my wife. Solid as a rock, and root password was a bug that only could be an issue with physical access to the machine, and fixed in days.

Cheers

.
FF 92.0 - TB 78.13 - Mac OSX 10.13.6
kukla
Posts: 968
Joined: December 30th, 2008, 3:59 pm

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by kukla »

As always with any new OS, YMMV. Some users like you run the first release with zero problems, others may get hit hard.
RobertJ
Moderator
Posts: 10880
Joined: October 15th, 2003, 7:40 pm
Location: Chicago IL/Oconomowoc WI

Re: Why did ESR 52 not get a Meltdown / Spectre patch like F

Post by RobertJ »

.
Last comment on this before a mod dings me :-"

I have two SSDs on my system. After a week or so monitoring the Apple forums and other Apple-focused sites for issues, I install the new OS on one of them while keeping the other SSD on the old OS. If all goes well for a couple of weeks, I use CCC to update the second SSD.


.
FF 92.0 - TB 78.13 - Mac OSX 10.13.6