Firefox 57.0.4 released with Meltdown and Spectre attack workaround

Mozilla today released a new version of their Firefox browser. It offers extra protection against the serious security issues recently found in Intel CPUs. The updated release has a workaround for Meltdown and Spectre vulnerabilities.

If you are not aware of the Meltdown and Spectre vulnerabilities, we have covered them in detail in these two articles:

In short, both Meltdown and Spectre vulnerabilities allow a process to read the private data of any other process, even from outside a virtual machine. This is possible due to Intel's implementation of how their CPUs prefetch data. This cannot be fixed by patching the OS only. The fix involves updating the OS kernel, as well as a CPU microcode update and possibly even a UEFI/BIOS/firmware update for some devices, to fully mitigate the exploits.

The attack can even be carried out from JavaScript running in a browser. To reduce this attack vector, Mozilla has released an update to the Firefox browser which mitigates the issue.

The official announcement claims that both attacks rely on precise timing, so disabling or reducing the precision of several time sources in Firefox helps.

The announcement says:

The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with Firefox 57:

The resolution of performance.now() will be reduced to 20µs.
The SharedArrayBuffer feature is being disabled by default.

The updated version of the Firefox browser is now available for download for all supported operating systems and via the automatic update system on Windows. If you are a Firefox user, ensure that you have installed the latest version of the app, or the Mozilla Maintenance Service is installed and running, so it will update automatically.
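After updating, the two changes quoted above can be checked from a page script or the browser console. The following is an added example, not code from Mozilla or from the original article; the function names are illustrative, `quantizedClock` and `fakeSource` are constructed stand-ins for testing, and the 0.02 ms threshold is the 20µs figure from the announcement.

```javascript
// Added example, not Mozilla's code. All names below are illustrative.

// Constructed stand-in for a coarsened browser clock: rounds a millisecond
// time source down to a fixed resolution (20µs = 0.02 ms in the announcement).
function quantizedClock(source, resolutionMs) {
  return () => Math.floor(source() / resolutionMs) * resolutionMs;
}

// Estimate a clock's granularity as the smallest non-zero step seen between
// consecutive readings. Returns Infinity if the clock never advanced.
function estimateResolutionMs(clock, samples = 100000) {
  let smallest = Infinity;
  let prev = clock();
  for (let i = 0; i < samples; i++) {
    const now = clock();
    if (now > prev && now - prev < smallest) smallest = now - prev;
    prev = now;
  }
  return smallest;
}

// Check both mitigations in a given global environment (window, worker, ...).
function checkTimerMitigations(env = globalThis, expectedMs = 0.02) {
  const perf = env.performance;
  const resolutionMs = perf && typeof perf.now === "function"
    ? estimateResolutionMs(() => perf.now())
    : null; // no explicit high-resolution clock exposed at all
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer !== "undefined",
    resolutionMs,
    // Small tolerance for floating-point error in millisecond subtraction.
    coarseEnough: resolutionMs === null || resolutionMs >= expectedMs - 1e-6,
  };
}

// Constructed time source for testing: advances 3µs on every read.
function fakeSource(stepMs = 0.003) {
  let t = 0;
  return () => (t += stepMs);
}

// Run against the current environment (browser console or Node).
console.log(checkTimerMitigations());
```

A result with `sharedArrayBufferExposed: false` and `coarseEnough: true` matches the behaviour the announcement describes.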

Microsoft Edge, Internet Explorer and Google Chrome were also recently updated to fix this vulnerability.

2 thoughts on “Firefox 57.0.4 released with Meltdown and Spectre attack workaround”

  1. n00b

    Really, just Intel?

    1. Sergey Tkachenko Post author

      The recent post on Microsoft.com claims that AMD and ARM64 are also affected. At least some of them.
