===========================================================================
AUSCERT Security Bulletin

ASB-2018.0006
Mozilla Foundation Security Advisory 2018-01
5 January 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Mozilla Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Sunday, February 4 2018

OVERVIEW

Mozilla has released an update to Firefox to mitigate the Speculative
execution side-channel attack ("Spectre"). [1]

IMPACT

Mozilla has provided the following details regarding the vulnerability:

"Jann Horn of Google Project Zero Security reported that speculative
execution performed by modern CPUs could leak information through a timing
side-channel attack. Microsoft Vulnerability Research extended this attack
to browser JavaScript engines and demonstrated that code on a malicious web
page could read data from other web sites (violating the same-origin
policy) or private data from the browser itself.

Since this new class of attacks involves measuring precise time intervals,
as a partial, short-term, mitigation we are disabling or reducing the
precision of several time sources in Firefox. The precision of
performance.now() has been reduced from 5μs to 20μs, and the
SharedArrayBuffer feature has been disabled because it can be used to
construct a high-resolution timer.

SharedArrayBuffer is already disabled in Firefox 52 ESR." [1]

MITIGATION

Users are advised to upgrade to Firefox 57.0.4 to address this
vulnerability.

REFERENCES

[1] Mozilla Foundation Security Advisory 2018-01
    https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
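
One way to confirm from script that a browser shows the two mitigations quoted above from Mozilla (performance.now() coarsened to 20μs, SharedArrayBuffer not exposed). This is an added example, not part of the AusCERT bulletin or Mozilla's code; the function names and the constructed clock used for the offline run are assumptions.

```javascript
// Added example (not from the advisory). Thresholds come from the bulletin text:
// performance.now() coarsened to 20 µs, SharedArrayBuffer disabled.
const ADVISORY_MIN_STEP_US = 20;

// Smallest non-zero step between consecutive clock readings, in microseconds.
// `now` returns milliseconds, like performance.now(). Observed steps are whole
// multiples of the clock's granularity, so the minimum over many ticks is the
// best estimate; keep the loop tight so reads are faster than one tick.
function estimateResolutionUs(now, ticks = 200) {
  let min = Infinity;
  let prev = now();
  for (let seen = 0; seen < ticks; ) {
    const t = now();
    if (t > prev) {
      min = Math.min(min, t - prev);
      prev = t;
      seen++;
    }
  }
  return min * 1000;
}

// Report whether an environment shows both mitigations described in the bulletin.
// `scope` is the global object to inspect (window, self, globalThis).
function checkTimerMitigations(now, scope) {
  const resolutionUs = estimateResolutionUs(now);
  const sharedArrayBufferExposed = typeof scope.SharedArrayBuffer !== "undefined";
  // Small tolerance absorbs floating-point error in the subtraction.
  const coarseEnough = resolutionUs >= ADVISORY_MIN_STEP_US - 0.01;
  return { resolutionUs, sharedArrayBufferExposed,
           mitigated: coarseEnough && !sharedArrayBufferExposed };
}

// Constructed clock for offline use: advances 0.7 µs per read and reports the
// time rounded down to `quantumNs`, returning milliseconds.
function makeQuantizedClock(quantumNs, stepNs = 700) {
  let trueNs = 0;
  return () => {
    trueNs += stepNs;
    return (Math.floor(trueNs / quantumNs) * quantumNs) / 1e6;
  };
}

// In a browser console: checkTimerMitigations(() => performance.now(), window)
console.log(checkTimerMitigations(makeQuantizedClock(20000), {}));
```

A slow or interrupted sampling loop can only overestimate the step, so a result below 20μs is reliable while a result at or above it is worth repeating.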