Join the Mozilla’s Test Days event from Dec 2–8 to test the new Firefox address bar on Firefox Beta 134 and get a chance to win Mozilla swag vouchers! 🎁

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Patch for Meltdown / Spectre Vulnerability Planned for Firefox ESR v52.5?

  • 10 replies
  • 10 have this problem
  • 30 views
  • Last reply by lmacri

more options

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5?

I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57".


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5? I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57". ------------ 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

All Replies (10)

more options

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.

more options

Chosen Solution

more options

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state:

"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018."


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

more options

If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.

more options

AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.

more options

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <here>) was not pushed out to FF ESR users at the same time.

The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution.


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

Modified by lmacri

more options

There was no 52.5.4 ESR update because it was not needed at the time.

more options

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

more options

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.

more options

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Hi userht:

The Mozilla Foundation Security Advisory 2018-01 now states that "the precision of performance.now() has been reduced from 5μs to 20μs" to mitigate the Spectre vulnerability in Firefox ESR v52.6.0 (released today, 23-Jan-2018). That security advisory also confirms that "SharedArrayBuffer is already disabled in Firefox 52 ESR ".


32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7