Mozilla today released a new version of their Firefox browser. It offers extra protection against the serious security issues recently found in Intel CPUs. The updated release includes a workaround for the Meltdown and Spectre vulnerabilities.
If you are not aware of the Meltdown and Spectre vulnerabilities, we have covered them in detail in these two articles:
- Microsoft is rolling out emergency fix for Meltdown and Spectre CPU flaws
- Here are Windows 7 and 8.1 fixes for Meltdown and Spectre CPU flaws
In short, both the Meltdown and Spectre vulnerabilities allow a process to read the private data of any other process, even from outside a virtual machine. This is possible due to Intel's implementation of how their CPUs prefetch data. Patching the OS alone does not fix this: fully mitigating the exploits involves updating the OS kernel, as well as a CPU microcode update and possibly even a UEFI/BIOS/firmware update for some devices.
The official announcement claims that both attacks rely on precise timing, so disabling or reducing the precision of several time sources in Firefox helps.
The announcement says:
The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.
Specifically, in all release channels, starting with Firefox 57:
- The resolution of performance.now() will be reduced to 20µs.
- The SharedArrayBuffer feature is being disabled by default.
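The two changes listed in the announcement can be checked from script. The following JavaScript is an added example, not code from Mozilla's announcement or from this article: it measures the smallest step a clock reports and whether SharedArrayBuffer is exposed. The function names and the simulated clock are assumptions made for illustration.

```javascript
// Added example (not Mozilla's code). All function names are hypothetical.

// Reduce a millisecond timestamp to a multiple of resolutionMs: this is
// what "reducing the precision" of a time source means.
function clampTime(tMs, resolutionMs) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Smallest step (in microseconds) seen between consecutive readings.
// A clamped clock never shows a step below its resolution.
function estimateResolutionUs(nowFn, samples = 200000) {
  let smallest = Infinity;
  let prev = nowFn();
  for (let i = 0; i < samples; i++) {
    const cur = nowFn();
    if (cur !== prev) {
      smallest = Math.min(smallest, (cur - prev) * 1000);
      prev = cur;
    }
  }
  return Number.isFinite(smallest) ? Math.round(smallest * 1000) / 1000 : null;
}

// Constructed clock for offline testing: advances stepNs per call and
// reports the value clamped to resolutionMs.
function makeClampedClock(resolutionMs, stepNs = 1300) {
  let rawNs = 0;
  return () => {
    rawNs += stepNs;
    return clampTime(rawNs / 1e6, resolutionMs);
  };
}

// Report for the current runtime (browser console or Node).
function checkTimerMitigations() {
  const hasPerf = typeof performance !== "undefined";
  return {
    resolutionUs: hasPerf ? estimateResolutionUs(() => performance.now()) : null,
    sharedArrayBufferEnabled: typeof SharedArrayBuffer !== "undefined",
  };
}

console.log(checkTimerMitigations());
```

A reported `resolutionUs` of 20 or more together with `sharedArrayBufferEnabled: false` matches the settings the announcement lists.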
The updated version of the Firefox browser is now available for download for all supported operating systems and via the automatic update system on Windows. If you are a Firefox user, ensure that you have installed the latest version of the app, or that the Mozilla Maintenance Service is installed and running so that it updates automatically.
Microsoft Edge, Internet Explorer and Google Chrome were also recently updated to fix this vulnerability.