
Support Forum

Patch for Meltdown / Spectre Vulnerability Planned for Firefox ESR v52.5?

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5?

I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57".


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7


Additional System Details

Installed Plug-ins

  • iTunes Detector Plug-in

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0

philipp
  • Top 25 Contributor
  • Moderator
5320 solutions 23495 answers

Helpful Reply

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.

cor-el
  • Top 10 Contributor
  • Moderator
17565 solutions 158873 answers

Chosen Solution

See also: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Question owner

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state:

"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018."


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

Shadow110 1072 solutions 14836 answers

If Intel, they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure:
https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/
https://newsroom.intel.com/press-kits/security-exploits-intel-products/
No idea on AMD.

Please let us know if this solved your issue or if you need further assistance.

James
  • Top 25 Contributor
  • Moderator
1600 solutions 11315 answers

AMD is not affected by the current version of Meltdown and it is hard for Spectre to affect AMD compared to Intel.


Question owner

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes at https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/) was not pushed out to FF ESR users at the same time.

The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution.


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7


Modified by lmacri

James
  • Top 25 Contributor
  • Moderator
1600 solutions 11315 answers

There was no 52.5.4 ESR update because it was not needed at the time.

userht 0 solutions 3 answers

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

jscher2000
  • Top 10 Contributor
8783 solutions 71823 answers

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.


Question owner

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Hi userht:

The Mozilla Foundation Security Advisory 2018-01 (https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/) now states that "the precision of performance.now() has been reduced from 5μs to 20μs" to mitigate the Spectre vulnerability in Firefox ESR v52.6.0 (released today, 23-Jan-2018). That security advisory also confirms that "SharedArrayBuffer is already disabled in Firefox 52 ESR".


32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7
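
Added example, not part of the thread and not Mozilla's code: a script-side check for the two mitigations quoted from MFSA 2018-01 above (SharedArrayBuffer unavailable, `performance.now()` no finer than 20μs). The function names and the simulated 5μs and 20μs clocks are constructed for illustration; in a browser, pass `() => performance.now()` and `window.SharedArrayBuffer` instead.

```javascript
// Smallest non-zero step seen between consecutive readings of a clock (ms).
// A clamped clock returns the same value many times, then jumps by its step.
function estimateGranularityMs(now, samples = 2000) {
  let min = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const delta = t - prev;
    if (delta > 0 && delta < min) min = delta;
    prev = t;
  }
  return min; // Infinity if the clock never advanced during sampling
}

// Constructed clock (assumption): "true" time advances 1 µs per call and is
// reported rounded down to a multiple of stepUs, in ms like performance.now().
function makeClampedClock(stepUs) {
  let trueUs = 0;
  return () => {
    trueUs += 1;
    return (Math.floor(trueUs / stepUs) * stepUs) / 1000;
  };
}

// env = { now: function returning ms, SharedArrayBuffer: constructor or undefined }
function checkMitigations(env, requiredStepUs = 20) {
  const stepUs = Math.round(estimateGranularityMs(env.now) * 1000);
  return {
    sharedArrayBuffer: typeof env.SharedArrayBuffer === "function",
    timerStepUs: stepUs,
    timerCoarseEnough: stepUs >= requiredStepUs,
  };
}

// Simulated "after" state: 20 µs timer, no SharedArrayBuffer.
console.log("20us clock:", checkMitigations({ now: makeClampedClock(20) }));
// Simulated "before" state: 5 µs timer, SharedArrayBuffer present.
console.log("5us clock: ", checkMitigations({
  now: makeClampedClock(5),
  SharedArrayBuffer: function () {},
}));
```

On a real clock the estimate is an upper bound on the step, because the sampling loop itself takes time between readings.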
