On 07/01/2018 04:46, Mark H Weaver wrote:
> FYI, Mozilla has included two mitigations for Spectre in Firefox 57.0.4.
> They are described here:
> 
>   
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>   https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
> 
> The blog post notes that one of the mitigations, disabling
> SharedArrayBuffer, is not applicable to Firefox 52 ESR because that
> version doesn't support SharedArrayBuffer.
> 
> The other mitigation reduces the resolution of performance.now() to 20
> microseconds.  This change is included in Firefox 57.0.4, and will
> eventually be included in Firefox 52.6 ESR due to be released on Jan 23.
> 
> I didn't want to wait that long, so I backported this second mitigation
> to GNU IceCat, which was quite easy.  It's now included in the IceCat
> package in GNU Guix, along with 100 other fixes cherry-picked from
> upstream.  I've attached the patch to this email in case it is of
> interest.
> 
> I also recommend that you install NoScript and avoid running Javascript
> code from the network whenever you can avoid it.  Even with this
> mitigation applied, there are probably other ways to exploit these flaws
> using Javascript.
> 
>      Mark
> 
> 

Great!
Thank you Mark.

-- 
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x5E212EE1D35568BE
GPG key server: https://keys.fedoraproject.org/

Attachment: signature.asc
Description: OpenPGP digital signature

--
http://gnuzilla.gnu.org

Reply via email to