"Meltdown"/"Spectre" and Pale Moon/Basilisk


Post by Moonchild » 2018-01-05, 09:39

After confirmation that the "Meltdown" and "Spectre" CPU vulnerabilities could be exploited via the web, we have immediately taken action to investigate impact on Pale Moon and Basilisk. The web-based exploits either need very accurate timing through performance timers or a way to construct their own very accurate timers using shared buffer memory between threads in JavaScript.

Pale Moon isn't vulnerable

Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.
Pale Moon also, by design, doesn't allow buffer memory to be shared between threads in JavaScript, so the "SharedArrayBuffer" attack is not possible.

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.

Basilisk has been updated

Basilisk has been updated with a release (2018.01.05) to mitigate these timing attacks.
It has been patched to make the performance timers sufficiently coarse to make them unusable for these kinds of attacks. This patch was already slated for Basilisk, but was now given high priority.
This update to Basilisk also disables shared memory in JavaScript to prevent the "SharedArrayBuffer" attack.

After updating Basilisk you should be fully protected from any potential exploits based on these CPU flaws. We'll continue to keep a close eye on developments in other browsers and update the developing platform as necessary.
Last edited by Moonchild on 2018-01-05, 11:47, edited 1 time in total.
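As an added example (not part of the original post, and not Pale Moon or Basilisk code), this JavaScript checks the two conditions the post describes as seen from a page: how small the timer's finest step is, and whether "SharedArrayBuffer" is exposed. The function names, the constructed test clock and the 1 ms threshold in the usage comment are assumptions.

```javascript
// Added example: names and thresholds here are illustrative assumptions.

// Smallest non-zero step seen between consecutive reads of a clock.
// Returns Infinity when the clock never advanced during the sampling loop,
// i.e. it is too coarse to resolve the loop at all.
function smallestTick(now, reads = 20000) {
  let min = Infinity;
  let prev = now();
  for (let i = 0; i < reads; i++) {
    const t = now();
    const step = t - prev;
    if (step > 0 && step < min) min = step;
    prev = t;
  }
  return min;
}

// Coarsening as a mitigation: round every reading down to a multiple of stepMs.
function coarsen(now, stepMs) {
  return () => Math.floor(now() / stepMs) * stepMs;
}

// Report both timing sources the post names, as seen from script in `scope`.
function auditTimingSurface(scope, now, minTickMs) {
  const tickMs = smallestTick(now);
  return {
    tickMs,
    timerCoarse: tickMs >= minTickMs,
    sharedMemoryExposed: typeof scope.SharedArrayBuffer === "function",
  };
}

// Constructed clock for offline runs: advances 0.005 ms (5 µs) per read.
function makeConstructedClock(stepMs = 0.005) {
  let t = 0;
  return () => (t += stepMs);
}

// In a browser console (1 ms is an assumed threshold, not a Pale Moon setting):
//   auditTimingSurface(globalThis, () => performance.now(), 1)
```

A result with `timerCoarse: true` and `sharedMemoryExposed: false` corresponds to the state the post describes for an updated browser.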