Firefox 57.0.4 is out to fix the Meltdown and Spectre timing attacks

REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/

0
WaltS48
1/5/2018 12:32:59 AM
mozilla.support.firefox

On 05.01.2018 01:32, WaltS48 wrote:
> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/

I'd rather call it a mitigation than a fix.
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

0
Christian
1/5/2018 12:16:21 PM
On 01/05/18 13:16, Christian Riechers wrote:
> On 05.01.2018 01:32, WaltS48 wrote:
>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
> 
> I'd rather call it a mitigation than a fix.
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
> 

What about ESR? Are we seeing a 52.somethins?

  bye & Thanks
	av.
0
Andrea
1/5/2018 12:19:39 PM
On 1/5/18 7:16 AM, Christian Riechers wrote:
> On 05.01.2018 01:32, WaltS48 wrote:
>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
> I'd rather call it a mitigation than a fix.
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>
The Subject was already too long. ;-)

0
WaltS48
1/5/2018 2:19:56 PM
My bloviated meandering follows what Andrea Venturoli graced us with on 
1/5/2018 4:19 AM:
> On 01/05/18 13:16, Christian Riechers wrote:
>> On 05.01.2018 01:32, WaltS48 wrote:
>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
>>
>> I'd rather call it a mitigation than a fix.
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ 
>>
>>
> 
> What about ESR? Are we seeing a 52.somethins?
> 
I'm a bit surprised that a simultaneous patch didn't occur for both; 
especially considering that the ESR channel was implemented primarily 
for the business community.

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/5/2018 5:13:01 PM
Sailfish wrote:
> Andrea Venturoli wrote:
>> Christian Riechers wrote:
>>> WaltS48 wrote:
>>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
>>>
>>> I'd rather call it a mitigation than a fix.
>>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ 
>>
>> What about ESR? Are we seeing a 52.somethins?
>
> I'm a bit surprised that a simultaneous patch didn't occur for both; 
> especially considering that the ESR channel was implemented primarily 
> for the business community.

One may wonder first how widespread FF is in that community,
and second if just a mitigation in just one browser would do
for that community.

-p

0
PietB
1/5/2018 6:36:09 PM
My bloviated meandering follows what PietB graced us with on 1/5/2018 
10:36 AM:
> Sailfish wrote:
>> Andrea Venturoli wrote:
>>> Christian Riechers wrote:
>>>> WaltS48 wrote:
>>>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
>>>> I'd rather call it a mitigation than a fix.
>>>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ 
>>> What about ESR? Are we seeing a 52.somethins?
>> I'm a bit surprised that a simultaneous patch didn't occur for both; 
>> especially considering that the ESR channel was implemented primarily 
>> for the business community.
> 
> One may wonder first how widespread FF is in that community,
> and second if just a mitigation in just one browser would do
> for that community.
> 
Perhaps, but if it turns out that any Enterprise company gets hacked 
via the 52ESR javascript hole, Mozilla could be held liable for 
deferring a fix, no?

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/5/2018 8:19:17 PM
On Fri, 5 Jan 2018 13:19:39 +0100, Andrea Venturoli wrote:

> What about ESR? Are we seeing a 52.somethins?

Maybe it's Mozilla's way of convincing us to switch to 57.x? :-o

-- 
s|b
0
s
1/5/2018 10:14:07 PM
On 1/5/18 7:19 AM, Andrea Venturoli wrote:
> On 01/05/18 13:16, Christian Riechers wrote:
>> On 05.01.2018 01:32, WaltS48 wrote:
>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
>>
>> I'd rather call it a mitigation than a fix.
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ 
>>
>>
>
> What about ESR? Are we seeing a 52.somethins?
>
>  bye & Thanks
>     av.


 From the Security Advisory.

> |SharedArrayBuffer| is already disabled in Firefox 52 ESR.

REF: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/


0
WaltS48
1/5/2018 10:53:13 PM
On 05/01/2018 12:19, Andrea Venturoli wrote:
>
> What about ESR? Are we seeing a 52.somethins?
>
>

If you are using some Intel Processor then try using their tool to see 
if your machine is vulnerable:

<https://downloadcenter.intel.com/download/27150>

They have got tools for Linux ( command line only ) as well as Windows ( 
GUI and command line ).

Frankly, there is no need to have sleepless nights about this. Nobody has 
been attacked since 1995 and so when you buy a new machine, you are 
likely to get a new processor with no problems!!!


-- 
With over 600 million devices now running Windows 10, customer 
satisfaction is higher than any previous version of windows.

0
Good
1/5/2018 10:59:37 PM
My bloviated meandering follows what WaltS48 graced us with on 1/5/2018 
2:53 PM:
> On 1/5/18 7:19 AM, Andrea Venturoli wrote:
>>
>> What about ESR? Are we seeing a 52.somethins?
>>
>>  bye & Thanks
>>     av.
> 
> 
>  From the Security Advisory.
> 
>> |SharedArrayBuffer| is already disabled in Firefox 52 ESR.
> 
> REF: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
> 
Thanks Walt, however, that description is fairly vague and imprecise, 
what with words like, 'partial' and 'mitigation' being used. Do you know 
if this is effectively the same stop-gap patch that was recently patched 
on Fx57?

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/6/2018 12:21:26 AM
WaltS48 wrote:

> Andrea Venturoli wrote:
>
>> What about ESR? Are we seeing a 52.somethins?
> 
>   From the Security Advisory.
> 
>> |SharedArrayBuffer| is already disabled in Firefox 52 ESR.

But the timer resolution isn't decreased and artificially jittered?

0
Andy
1/6/2018 12:23:33 AM
On 1/5/18 7:21 PM, Sailfish wrote:
> My bloviated meandering follows what WaltS48 graced us with on 
> 1/5/2018 2:53 PM:
>> On 1/5/18 7:19 AM, Andrea Venturoli wrote:
>>>
>>> What about ESR? Are we seeing a 52.somethins?
>>>
>>>  bye & Thanks
>>>     av.
>>
>>
>>  From the Security Advisory.
>>
>>> |SharedArrayBuffer| is already disabled in Firefox 52 ESR.
>>
>> REF: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
>>
> Thanks Walt, however, that description is fairly vague and imprecise, 
> what with words like, 'partial' and 'mitigation' being used. Do you 
> know if this is effectively the same stop-gap patch that was recently 
> patched on Fx57?
>

AIUI there is no patch for ESR, because it isn't needed with the buffer 
disabled.

That advisory is for Fx57.

0
WaltS48
1/6/2018 12:43:12 AM
My bloviated meandering follows what WaltS48 graced us with on 1/5/2018 
4:43 PM:
> On 1/5/18 7:21 PM, Sailfish wrote:
>> My bloviated meandering follows what WaltS48 graced us with on 
>> 1/5/2018 2:53 PM:
>>> On 1/5/18 7:19 AM, Andrea Venturoli wrote:
>>>>
>>>> What about ESR? Are we seeing a 52.somethins?
>>>>
>>>>  bye & Thanks
>>>>     av.
>>>
>>>
>>>  From the Security Advisory.
>>>
>>>> |SharedArrayBuffer| is already disabled in Firefox 52 ESR.
>>>
>>> REF: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
>>>
>> Thanks Walt, however, that description is fairly vague and imprecise, 
>> what with words like, 'partial' and 'mitigation' being used. Do you 
>> know if this is effectively the same stop-gap patch that was recently 
>> patched on Fx57?
>>
> 
> AIUI there is no patch for ESR, because it isn't needed with the buffer 
> disabled.
> 
> That advisory is for Fx57.
> 
Okay, my misunderstanding.

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/6/2018 1:09:34 AM
In article <mailman.627.1515193210.2364.support-firefox@lists.mozilla.org>,
   Good Guy <Hello.World@example.com> wrote:
[Snippy]
> Frankly, there is no need to have sleepless nights about this. Nobody has 
> been attacked since 1995 and so when you buy a new machine, you are 
> likely to get a new processor with no problems!!!

While I agree with the sentiment about the past processors, and to not
become a chicken without a head... A little caution note about news
processors might be in order.

The Intel Skylake and Kabylake security flaw is quite recent.

Dor

-- 

Dave Ormail
0
Ormail
1/6/2018 6:06:55 AM
*-* On Fri, 5 Jan 2018, at 13:19:39 +0100,
*-* In Article 
<mailman.610.1515154809.2364.support-firefox@lists.mozilla.org>,
*-* Andrea Venturoli wrote
*-* About Re: Firefox 57.0.4 is out to fix the Meltdown and Spectre 
timing attacks

> On 01/05/18 13:16, Christian Riechers wrote:
>> On 05.01.2018 01:32, WaltS48 wrote:
>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/

>> I'd rather call it a mitigation than a fix.
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

> What about ESR? Are we seeing a 52.somethins?

      From the security blog linked above by Christian:

"Firefox 52 ESR does not support SharedArrayBuffer and is less at
risk; the performance.now() mitigations will be included in the
regularly scheduled Firefox 52.6 ESR release on January 23, 2018".

                                         Ken Whiton
-- 
     FIDO: 1:132/152
InterNet: kenwhiton@surfglobal.net.INVAL (remove the obvious to reply)
0
Ken
1/6/2018 8:21:25 AM
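
The blog sentence quoted in the post above names two mitigations: SharedArrayBuffer being unavailable and performance.now() being coarsened. The following is an added example, not part of the thread and not Mozilla's code, that checks both from a browser console or Node; `makeClock`, `estimateGranularityUs`, `mitigationReport` and the 20 microsecond threshold are assumptions made for the illustration.

```javascript
// Added example. makeClock() is a constructed stand-in for performance.now();
// the 20 microsecond threshold is an assumed sample value, not from the thread.

// Constructed clock: advances 1 us per read, reports time rounded down to stepUs.
function makeClock(stepUs) {
  let rawUs = 0;
  return () => {
    rawUs += 1;
    return (Math.floor(rawUs / stepUs) * stepUs) / 1000; // milliseconds
  };
}

// Smallest non-zero step seen between consecutive reads, in whole microseconds.
// Returns Infinity if the clock never advanced during sampling.
function estimateGranularityUs(now, samples = 2000) {
  let smallest = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    const t = now();
    const delta = t - prev;
    if (delta > 0 && delta < smallest) smallest = delta;
    prev = t;
  }
  return Math.round(smallest * 1000);
}

// env.now: millisecond clock; env.SharedArrayBuffer: the global, if any.
function mitigationReport(env, minStepUs) {
  const granularityUs = estimateGranularityUs(env.now);
  return {
    sharedArrayBufferExposed: typeof env.SharedArrayBuffer === "function",
    timerGranularityUs: granularityUs,
    timerCoarsened: granularityUs >= minStepUs,
  };
}

// Live check against whatever runtime this is pasted into.
if (typeof performance !== "undefined") {
  console.log(mitigationReport({
    now: () => performance.now(),
    SharedArrayBuffer: globalThis.SharedArrayBuffer,
  }, 20));
}
```

When the clock is jittered as well as coarsened, the smallest observed step can understate the nominal resolution, so read the live figure as a lower bound.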
Ormail wrote:
> Good Guy wrote:
>> Frankly, there is no need to have sleepless nights about this.
>> Nobody has been attacked since 1995 and so when you buy a new
>> machine, you are likely to get a new processor with no problems!!!
> 
> While I agree with the sentiment about the past processors, and to
> not become a chicken without a head... A little caution note about
> news processors might be in order.

Thunderbird is my news processor. ;-)

> The Intel Skylake and Kabylake security flaw is quite recent.

If you'd buy a new Intel-based computer today, chances are zero
that it will have a processor without the flaw. Quite a different
story is if you'd get a replacement processor for free once flaw-
free versions are available. In a sense this reminds me of the
time when certain Intel processors were found to have a flaw in
the FPU.

-p

0
PietB
1/6/2018 9:24:57 AM
My bloviated meandering follows what PietB graced us with on 1/6/2018 
1:24 AM:
> 
> If you'd buy a new Intel-based computer today, chances are zero
> that it will have a processor without the flaw. Quite a different
> story is if you'd get a replacement processor for free once flaw-
> free versions are available. In a sense this reminds me of the
> time when certain Intel processors were found to have a flaw in
> the FPU.
> 
Have you read anything definitive where Intel or other manufacturers are 
planning on free cpu replacements?

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/6/2018 2:48:18 PM
My bloviated meandering follows what Ken Whiton graced us with on 
1/6/2018 12:21 AM:
> <mailman.610.1515154809.2364.support-firefox@lists.mozilla.org>,
> *-* Andrea Venturoli wrote
> 
>> On 01/05/18 13:16, Christian Riechers wrote:
>>> On 05.01.2018 01:32, WaltS48 wrote:
>>>> REF: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
> 
>>> I'd rather call it a mitigation than a fix.
>>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ 
>>>
> 
>> What about ESR? Are we seeing a 52.somethins?
> 
>      From the security blog linked above by Christian:
> 
> "Firefox 52 ESR does not support SharedArrayBuffer and is less at
> risk; the performance.now() mitigations will be included in the
> regularly scheduled Firefox 52.6 ESR release on January 23, 2018".
> 
+1

-- 
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
0
Sailfish
1/6/2018 2:50:05 PM