Mozilla Confirms: Intel CPU Vulnerability Could Be Used To Extract User Information

Intel CPU Vulnerability

Mozilla confirmed that the recent Meltdown and Specter vulnerabilities in the entire platform could be used to extract user login information. Although the probability of this happening is very small, it has proved that there is indeed such a potential safety hazard.

 

Mozilla via multiple JavaScript script file to confirm the feasibility of this attack, if the web creator for malicious purposes, can extract arbitrary visitors related information. However, the probability of this situation is extremely small, first and foremost software and firmware are not updated, and the hardware is produced over the past 20 years.

Luke Wagner, a software engineer at Mozilla, confirmed in a blog post:”Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins.”

Image: windowscentral

Today, Mozilla has been released Firefox v57.0.4 to fix Meltdown and Spectre vulnerabilities.

Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox.  This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with 57:

–  The resolution of performance.now() will be reduced to 20µs.
–  The SharedArrayBuffer feature is being disabled by default.

Reference: bleepingcomputer