bug-gnuzilla

Re: [Bug-gnuzilla] Spectre mitigation for IceCat


From: Antonio Trande
Subject: Re: [Bug-gnuzilla] Spectre mitigation for IceCat
Date: Sun, 7 Jan 2018 11:44:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

On 07/01/2018 04:46, Mark H Weaver wrote:
> FYI, Mozilla has included two mitigations for Spectre in Firefox 57.0.4.
> They are described here:
> 
>   https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>   https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
> 
> The blog post notes that one of the mitigations, disabling
> SharedArrayBuffer, is not applicable to Firefox 52 ESR because that
> version doesn't support SharedArrayBuffer.
> 
> The other mitigation reduces the resolution of performance.now() to 20
> microseconds.  This change is included in Firefox 57.0.4, and will
> eventually be included in Firefox 52.6 ESR due to be released on Jan 23.
> 
> I didn't want to wait that long, so I backported this second mitigation
> to GNU IceCat, which was quite easy.  It's now included in the IceCat
> package in GNU Guix, along with 100 other fixes cherry-picked from
> upstream.  I've attached the patch to this email in case it is of
> interest.
> 
> I also recommend that you install NoScript and avoid running Javascript
> code from the network whenever you can avoid it.  Even with this
> mitigation applied, there are probably other ways to exploit these flaws
> using Javascript.
> 
>      Mark
> 
> 

Great!
Thank you Mark.

-- 
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x5E212EE1D35568BE
GPG key server: https://keys.fedoraproject.org/

Attachment: signature.asc
Description: OpenPGP digital signature
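
The timer coarsening described in the quoted message, as an added example that is not part of the original thread and not code from Firefox or IceCat: it clamps a clock to 20 microseconds and measures the smallest step a clock exposes, which is one way to check whether a build has the reduced resolution. The function names, the round-down behaviour and the fake clock are assumptions made for illustration.

```javascript
// Added example: constructed helpers, not code from Firefox or IceCat.
const RESOLUTION_MS = 0.02; // 20 microseconds, the figure quoted in the message

// Coarsen a millisecond timestamp by rounding down to a multiple of the
// resolution (assumed rounding mode; the thread does not show the patch).
function clampTimestamp(tMs, resolutionMs = RESOLUTION_MS) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Estimate the smallest step a clock exposes: poll until the reading
// changes, record the jump, repeat, and keep the minimum jump seen.
// maxPolls bounds the loop so a very coarse clock cannot hang the check.
function estimateResolution(nowFn, transitions = 20, maxPolls = 5e6) {
  let smallest = Infinity;
  let last = nowFn();
  for (let seen = 0, polls = 0; seen < transitions && polls < maxPolls; polls++) {
    const t = nowFn();
    if (t > last) {
      smallest = Math.min(smallest, t - last);
      last = t;
      seen++;
    }
  }
  return smallest;
}

// True when the clock never steps by less than the expected resolution.
// 1% slack absorbs floating-point error in the measured step.
function isCoarsened(nowFn, resolutionMs = RESOLUTION_MS) {
  return estimateResolution(nowFn) >= resolutionMs * 0.99;
}

// Constructed fine-grained clock: advances 1 microsecond per reading.
function makeFakeClock(stepMs = 0.001) {
  let n = 0;
  return () => (n++) * stepMs;
}

// The same constructed clock with the 20 microsecond clamp applied.
function makeClampedClock() {
  const raw = makeFakeClock();
  return () => clampTimestamp(raw());
}

console.log('fake fine clock step (ms):   ', estimateResolution(makeFakeClock()));
console.log('fake clamped clock step (ms):', estimateResolution(makeClampedClock()));
if (typeof performance !== 'undefined') {
  console.log('this runtime, coarsened?     ', isCoarsened(() => performance.now()));
}
```

Run in a browser console, the last line reports whether that browser's `performance.now()` steps by at least 20 microseconds.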

