
"Meltdown"/"Spectre" and Pale Moon/Basilisk

Posted: 2018-01-05, 09:39
by Moonchild
After confirmation that the "Meltdown" and "Spectre" CPU vulnerabilities could be exploited via the web, we have immediately taken action to investigate the impact on Pale Moon and Basilisk. The web-based exploits either need very accurate timing through performance timers or a way to construct their own very accurate timers using shared buffer memory between threads in JavaScript.

Pale Moon isn't vulnerable

Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.
Pale Moon also, by design, doesn't allow buffer memory to be shared between threads in JavaScript, so the "SharedArrayBuffer" attack is not possible.

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.

Basilisk has been updated

Basilisk has been updated with a release (2018.01.05) to mitigate these timing attacks.
It has been patched to make the performance timers sufficiently coarse to make them unusable for these kinds of attacks. This patch was already slated for Basilisk, but was now given high priority.
This update to Basilisk also disables shared memory in JavaScript to prevent the "SharedArrayBuffer" attack.

After updating Basilisk you should be fully protected from any potential exploits based on these CPU flaws. We'll continue to keep a close eye on developments in other browsers and update the developing platform as necessary.
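
The two timing sources named in the post, a fine-grained performance timer and shared buffer memory between threads, can be checked from script. The following is an added example, not Pale Moon or Basilisk code; the function names, the 1 ms threshold and the fake clock are assumptions constructed for illustration.

```javascript
// Round a timestamp down to a multiple of `resolution` (timer coarsening).
function coarsen(t, resolution) {
  return Math.floor(t / resolution) * resolution;
}

// Smallest non-zero step between successive readings of `now`.
// Stops after `changes` observed ticks or `maxReads` reads.
function smallestTick(now, changes = 20, maxReads = 1e6) {
  let min = Infinity, last = now(), seen = 0;
  for (let i = 0; i < maxReads && seen < changes; i++) {
    const t = now();
    if (t !== last) {
      min = Math.min(min, t - last);
      last = t;
      seen++;
    }
  }
  return seen === 0 ? null : min;
}

// True when script can allocate memory shareable between threads.
function sharedMemoryExposed(scope) {
  return typeof scope.SharedArrayBuffer === "function";
}

// thresholdMs is an assumed policy value, not one stated in the post.
function auditTimingSurface(scope, thresholdMs) {
  const tick = smallestTick(() => scope.performance.now());
  return {
    smallestTickMs: tick,
    timerCoarse: tick === null || tick >= thresholdMs,
    sharedMemoryExposed: sharedMemoryExposed(scope),
  };
}

// Constructed scope: clock advances 5 us per read, clamped to resolutionUs.
function makeFakeScope(resolutionUs, withSharedMemory) {
  let rawUs = 0;
  const now = () => coarsen((rawUs += 5), resolutionUs) / 1000;
  const scope = { performance: { now } };
  if (withSharedMemory) scope.SharedArrayBuffer = function () {};
  return scope;
}

console.log("clamped to 1 ms:", auditTimingSurface(makeFakeScope(1000, false), 1));
console.log("unclamped:", auditTimingSurface(makeFakeScope(5, true), 1));
if (typeof performance !== "undefined") {
  console.log("this runtime:", auditTimingSurface(globalThis, 1));
}
```

Run in a browser console, the last line reports the effective timer step and whether SharedArrayBuffer is exposed in that build.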