Mozilla Foundation reports:
Jann Horn of Google Project Zero
Security reported that speculative execution performed
by modern CPUs could leak information through a timing
side-channel attack. Microsoft Vulnerability Research
extended this attack to browser JavaScript engines and
demonstrated that code on a malicious web page could
read data from other web sites (violating the
same-origin policy) or private data from the browser
itself.
Since this new class of attacks involves measuring
precise time intervals, as a partial, short-term,
mitigation we are disabling or reducing the precision of
several time sources in Firefox. The precision of
performance.now() has been reduced from 5μs
to 20μs, and the SharedArrayBuffer feature
has been disabled because it can be used to construct a
high-resolution timer.
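An added example (not part of Mozilla's advisory or Firefox's code) that models the precision reduction described above: it floors a clock to a 5μs or 20μs grid and measures the granularity a script can observe from it. The function names, the simulated clock and the 7μs sample interval are assumptions made for illustration.

```javascript
// Added example: model of timer coarsening. All names are hypothetical.
// Clocks here return integer microseconds so the grid arithmetic is exact.

// Constructed test clock: advances stepUs on every read.
function simulatedClock(stepUs) {
  let t = 0;
  return () => (t += stepUs);
}

// Floor every reading to a multiple of grainUs (the precision reduction).
function coarsen(clockUs, grainUs) {
  return () => Math.floor(clockUs() / grainUs) * grainUs;
}

// Smallest nonzero step between consecutive readings: the granularity
// a script can observe from this clock.
function observedGrainUs(clockUs, samples = 10000) {
  let prev = clockUs();
  let min = Infinity;
  for (let i = 0; i < samples; i++) {
    const now = clockUs();
    if (now > prev) min = Math.min(min, now - prev);
    prev = now;
  }
  return min;
}

// Distinct durations reported for an event lasting trueUs, taken over
// every possible start offset within one grid cell.
function reportedDurations(grainUs, trueUs) {
  const q = (t) => Math.floor(t / grainUs) * grainUs;
  const seen = new Set();
  for (let start = 0; start < grainUs; start++) {
    seen.add(q(start + trueUs) - q(start));
  }
  return [...seen].sort((a, b) => a - b);
}

// Check the runtime's own clock (performance.now() is in milliseconds).
function runtimeGrainUs() {
  if (typeof performance === "undefined") return NaN;
  return observedGrainUs(() => performance.now() * 1000);
}

console.log("5us grid :", observedGrainUs(coarsen(simulatedClock(1), 5)), reportedDurations(5, 7));
console.log("20us grid:", observedGrainUs(coarsen(simulatedClock(1), 20)), reportedDurations(20, 7));
console.log("this runtime (us):", runtimeGrainUs());
```

Running `runtimeGrainUs()` in a browser console gives a quick check of how coarse that build's `performance.now()` actually is.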