Patch for Meltdown / Spectre Vulnerability Planned for Firefox ESR v52.5?
Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5?
I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57".
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7
Isisombululo esikhethiwe
All Replies (10)
hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.
Isisombululo Esikhethiwe
I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state:
"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018."
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7
If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.
AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.
My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <here>) was not pushed out to FF ESR users at the same time.
The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution.
32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7
Okulungisiwe
There was no 52.5.4 ESR update because it was not needed at the time.
Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?
userht said
Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?
I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.
userht said
Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?
Hi userht:
The Mozilla Foundation Security Advisory 2018-01 now states that "the precision of performance.now() has been reduced from 5μs to 20μs" to mitigate the Spectre vulnerability in Firefox ESR v52.6.0 (released today, 23-Jan-2018). That security advisory also confirms that "SharedArrayBuffer is already disabled in Firefox 52 ESR ".
32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7