Detections
Analytics

FreeBSD : mozilla -- Speculative execution side-channel attack (8429711b-76ca-474e-94a0-6b980f1e2d47)

high Nessus Plugin ID 105625

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Mozilla Foundation reports :

Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web page could read data from other websites (violating the same-origin policy) or private data from the browser itself.

Since this new class of attacks involves measuring precise time intervals, as a parti al, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5ms to 20ms, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.

Solution

Update the affected packages.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

http://www.nessus.org/u?cb97ca93

Plugin Details

Severity: High

ID: 105625

File Name: freebsd_pkg_8429711b76ca474e94a06b980f1e2d47.nasl

Version: 3.3

Type: local

Published: 1/8/2018

Updated: 11/21/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:firefox, p-cpe:/a:freebsd:freebsd:waterfox, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/5/2018

Vulnerability Publication Date: 1/4/2018