"Meltdown"/"Spectre" and Pale Moon/Basilisk

Pale Moon releases and site news
User avatar
Pale Moon guru
Pale Moon guru
Posts: 21186
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

"Meltdown"/"Spectre" and Pale Moon/Basilisk

Postby Moonchild » Fri, 05 Jan 2018, 09:39

After confirmation that the "Meltdown" and "Spectre" CPU vulnerabilities could be exploited via the web, we have immediately taken action to investigate impact on Pale Moon and Basilisk. The web-based exploits either need very accurate timing through performance timers or a way to construct their own very accurate timers using shared buffer memory between threads in JavaScript.

Pale Moon isn't vulnerable

Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.
Pale Moon also, by design, doesn't allow buffer memory to be shared between threads in JavaScript, so the "SharedArrayBuffer" attack is not possible.

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.

Basilisk has been updated

Basilisk has been updated with a release (2018.01.05) to mitigate these timing attacks.
It has been patched to make the performance timers sufficiently coarse to make them unusable for these kinds of attacks. This patch was already slated for Basilisk, but was now given high priority.
This update to Basilisk also disables shared memory in JavaScript to prevent the "SharedArrayBuffer" attack.

After updating Basilisk you should be fully protected from any potential exploits based on these CPU flaws. We'll continue to keep a close eye on developments in other browsers and update the developing platform as-necessary.
Last edited by Moonchild on Fri, 05 Jan 2018, 11:47, edited 1 time in total.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"The wisest men follow their own direction." - Euripedes

Return to “Announcements”

Who is online

Users browsing this forum: No registered users and 30 guests