![undo firefox update 2018 undo firefox update 2018](https://content.nexus.support.com/5b557b9559124044bb566bfc31a09c80/098c4830c2ad11e9bb72cdc9c0bbdb52.png)
In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. The SharedArrayBuffer feature is being disabled by default.įurthermore, other timing sources and time-fuzzing techniques are being worked on.(UPDATE: see the MDN documentation for performance.now for up-to-date precision information.) The resolution of performance.now() will be reduced to 20µs.Specifically, in all release channels, starting with 57: This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox.
#UNDO FIREFOX UPDATE 2018 FULL#
The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs.