Advertisement

Firefox 57.0.4 released with Meltdown and Spectre attack workaround

Mozilla today released a new version of their Firefox browser. It offers extra protection against the serious security issues recently found in Intel CPUs. The updated release has a workaround for Meltdown and Spectre vulnerabilities.

Advertisеment

Firefox Quantum Logo Banner

If you are not aware about the Meltdown and Spectre vulnerabilities, we have covered them in detail in these two articles:

In short, both Meltdown and Spectre vulnerabilities allow a process to read the private data of any other process, even from outside a virtual machine. This is possible due to Intel's implementation of how their CPUs prefetch data. This cannot be fixed by patching the OS only. The fix involves updating the OS kernel, as well as a CPU microcode update and possibly even a UEFI/BIOS/firmware update for some devices, to fully mitigate the exploits.

The attack can be performed even with JavaScript using a browser. In order to minimize the attack vector, Mozilla has released an update to the Firefox browser which mitigates the issue.

The official announcement claims that both attacks rely on precise timing, so disabling or reducing the precision of several time sources in Firefox helps.

The announcement says:

The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with Firefox 57:

The resolution of performance.now() will be reduced to 20µs.
The SharedArrayBuffer feature is being disabled by default.

The updated version of the Firefox browser is now available for download for all supported operating systems and via the automatic update system on Windows. If you are a Firefox user, ensure that you have installed the latest version of the app, or the Mozilla Maintenance Service is installed and running, so it will update automatically.

Microsoft Edge, Internet Explorer and Google Chrome were also recently updated to fix this vulnerability.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!

Advertisеment

Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

2 thoughts on “Firefox 57.0.4 released with Meltdown and Spectre attack workaround”

Leave a Reply

Your email address will not be published.

css.php
Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.