FYI, Mozilla has included two mitigations for Spectre in Firefox 57.0.4.
They are described here:

  https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
  https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

The blog post notes that one of the mitigations, disabling
SharedArrayBuffer, is not applicable to Firefox 52 ESR because that
version doesn't support SharedArrayBuffer.

The other mitigation reduces the resolution of performance.now() to 20
microseconds.  This change is included in Firefox 57.0.4, and will
eventually be included in Firefox 52.6 ESR due to be released on Jan 23.

I didn't want to wait that long, so I backported this second mitigation
to GNU IceCat, which was quite easy.  It's now included in the IceCat
package in GNU Guix, along with 100 other fixes cherry-picked from
upstream.  I've attached the patch to this email in case it is of
interest.

I also recommend that you install NoScript and avoid running JavaScript
code from the network whenever you can avoid it.  Even with this
mitigation applied, there are probably other ways to exploit these flaws
using JavaScript.

     Mark


Mitigate Spectre by reducing the resolution of performance.now() to 20
microseconds.  Based on:

  https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8

For more details, see:

  https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

This patch was modified to apply cleanly to GNU IceCat.


# HG changeset patch
# User Tom Ritter <[email protected]>
# Date 1514660820 21600
# Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6
# Parent  6caa457ebedc915b43dc1d054b8fe22e82ca7447
Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard

The comment about workers was introduced in Bug 1186489 but became obsolete some time after that
(definitely by Bug 1278838)

diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp
--- a/dom/performance/Performance.cpp
+++ b/dom/performance/Performance.cpp
@@ -234,20 +234,19 @@ Performance::ClearResourceTimings()
 {
   MOZ_ASSERT(NS_IsMainThread());
   mResourceEntries.Clear();
 }
 
 DOMHighResTimeStamp
 Performance::RoundTime(double aTime) const
 {
-  // Round down to the nearest 5us, because if the timer is too accurate people
-  // can do nasty timing attacks with it.  See similar code in the worker
-  // Performance implementation.
-  const double maxResolutionMs = 0.005;
+  // Round down to the nearest 20us, because if the timer is too accurate people
+  // can do nasty timing attacks with it.
+  const double maxResolutionMs = 0.020;
   return floor(aTime / maxResolutionMs) * maxResolutionMs;
 }
 
 
 void
 Performance::Mark(const nsAString& aName, ErrorResult& aRv)
 {
   // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003.
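Review bot: the rewritten comment in RoundTime drops the cross-reference to the worker implementation (the commit message explains it was obsolete) but no longer records why the value moved from 5us to 20us; a short pointer such as "// See Bug 1427870 (Spectre timing mitigation)" next to `const double maxResolutionMs = 0.020;` would keep that rationale with the code. Keeping the resolution as a function-local literal also means a later change to the worker path or a test cannot reference it; consider hoisting it to a named constant at file scope so there is one place to adjust if the clamp changes again.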
--
http://gnuzilla.gnu.org
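To make the effect of the patched RoundTime concrete, here is an added C++ example (not part of the email or of the Mozilla/IceCat code) that reuses the same floor-to-multiple arithmetic and runs it over a constructed set of timestamps: a 1 ms window sampled every microsecond, plus two constructed events 2.8 us apart. The function and variable names are my own; the 0.005 and 0.020 values are the pre- and post-patch resolutions from the hunk above.

```cpp
#include <cmath>
#include <cstdio>
#include <set>
#include <vector>

// Same arithmetic as Performance::RoundTime in the patch: floor the timestamp
// down to a multiple of resolution_ms (0.005 before the patch, 0.020 after).
double round_time(double time_ms, double resolution_ms) {
    return std::floor(time_ms / resolution_ms) * resolution_ms;
}

// Difference an observer sees between two events when each timestamp has
// been clamped before it is handed back.
double clamped_delta(double start_ms, double end_ms, double resolution_ms) {
    return round_time(end_ms, resolution_ms) - round_time(start_ms, resolution_ms);
}

// Number of distinct clamped values a set of raw timestamps collapses to.
// Keys are integer nanoseconds so float noise in the product cannot split
// one bucket into two.
size_t distinct_buckets(const std::vector<double>& raw_ms, double resolution_ms) {
    std::set<long long> buckets;
    for (double t : raw_ms) {
        buckets.insert(std::llround(round_time(t, resolution_ms) * 1e6));
    }
    return buckets.size();
}

// Constructed input (not measured data): a 1 ms window sampled every
// microsecond, i.e. 1000 raw timestamps in milliseconds.
std::vector<double> constructed_samples() {
    std::vector<double> v;
    v.reserve(1000);
    for (int i = 0; i < 1000; ++i) {
        v.push_back(i * 0.001);
    }
    return v;
}

int main() {
    const std::vector<double> samples = constructed_samples();
    std::printf("distinct values at 5us:  %zu\n", distinct_buckets(samples, 0.005));
    std::printf("distinct values at 20us: %zu\n", distinct_buckets(samples, 0.020));

    // Two constructed events 2.8 us apart: their clamped timestamps differ by
    // one 5 us step before the patch, and collapse to the same value after it.
    std::printf("delta at 5us:  %.3f ms\n", clamped_delta(0.0123, 0.0151, 0.005));
    std::printf("delta at 20us: %.3f ms\n", clamped_delta(0.0123, 0.0151, 0.020));
    return 0;
}
```

The count of distinct values drops from 200 to 50 over the same window, and the 2.8 us gap that was still visible as one 5 us step becomes a zero delta at 20 us. Rounding down rather than to nearest matters here: a timestamp can never be reported as later than it really was, so monotonicity across successive calls is preserved.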