ASB-2018.0006 - [Win][UNIX/Linux] Mozilla Firefox: Access privileged data - Remote with user interaction 2018-01-05



===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0006
               Mozilla Foundation Security Advisory 2018-01
                              5 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Access Privileged Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Sunday, February 4 2018

OVERVIEW

        Mozilla has released an update to Firefox to mitigate the speculative
        execution side-channel attack ("Spectre"). [1]


IMPACT

        Mozilla has provided the following details regarding the vulnerability:
        
        "Jann Horn of Google Project Zero Security reported that speculative 
        execution performed by modern CPUs could leak information through a 
        timing side-channel attack. Microsoft Vulnerability Research extended
        this attack to browser JavaScript engines and demonstrated that code
        on a malicious web page could read data from other web sites
        (violating the same-origin policy) or private data from the browser
        itself.
        
        Since this new class of attacks involves measuring precise time
        intervals, as a partial, short-term, mitigation we are disabling or
        reducing the precision of several time sources in Firefox. The
        precision of performance.now() has been reduced from 5μs to 20μs, and
        the SharedArrayBuffer feature has been disabled because it can be
        used to construct a high-resolution timer.
        
        SharedArrayBuffer is already disabled in Firefox 52 ESR." [1]

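As an added check that is not part of this bulletin or of Mozilla's advisory, the following JavaScript estimates the effective step size of performance.now() and tests whether SharedArrayBuffer is exposed, which together indicate whether the two mitigations quoted above are in effect in the engine running it. The 20 µs figure is the one quoted from the advisory; the function names and the small floating-point slack are my own assumptions.

```javascript
// Added example (not from the bulletin or Mozilla): estimate the effective
// step size of performance.now() and check whether SharedArrayBuffer is
// exposed, the two mitigations MFSA 2018-01 describes.
const perf = (typeof performance !== 'undefined')
  ? performance
  : require('perf_hooks').performance; // Node.js fallback outside a browser

// Smallest non-zero gap between successive readings, in microseconds.
// On a clamped clock every change is a whole step, so the minimum gap
// observed over many changes converges on the clamp value.
function measureTimerGranularityUs(changes = 500) {
  let minDelta = Infinity;
  let last = perf.now();
  for (let i = 0; i < changes; i++) {
    let now = perf.now();
    while (now === last) now = perf.now(); // spin until the clock moves
    minDelta = Math.min(minDelta, now - last);
    last = now;
  }
  return minDelta * 1000; // ms -> us
}

// Figure quoted from MFSA 2018-01: precision reduced to 20 us. The slack
// (assumed) absorbs floating-point error when subtracting millisecond values.
const CLAMP_US = 20;
const SLACK_US = 0.5;

function classify(granularityUs, sharedArrayBufferExposed) {
  const timerCoarsened = granularityUs >= CLAMP_US - SLACK_US;
  return {
    granularityUs,
    timerCoarsened,
    sharedArrayBufferExposed,
    // Both measures from the advisory must be in effect.
    mitigated: timerCoarsened && !sharedArrayBufferExposed,
  };
}

function checkSpectreMitigations() {
  return classify(measureTimerGranularityUs(),
                  typeof SharedArrayBuffer !== 'undefined');
}

// Usage in a page console or Node.js: console.log(checkSpectreMitigations());
```

Run in a browser's console, an unpatched Firefox reports a granularity near 5 µs with SharedArrayBuffer exposed; Node.js will also report "not mitigated", since it is not a browser and applies neither measure.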

MITIGATION

        Users are advised to upgrade to Firefox 57.0.4 to address this
        vulnerability.


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-01
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================