Spectre side-channel attack in Mozilla Firefox and Firefox ESR - #VU9870
Published: January 4, 2018 / Updated: January 4, 2018
Vulnerability identifier: #VU9870
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: N/A
CWE-ID: CWE-385
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Mozilla Firefox
Firefox ESR
Mozilla Firefox
Firefox ESR
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Intel processor microcode, which can lead to timing side-channel attack and data extraction from modern CPUs.
The vulnerability is dubbed "Spectre". The PoC-code was created in JavaScript, which demonstrated possibility of the attack.
The vulnerability exists due to an error in Intel processor microcode, which can lead to timing side-channel attack and data extraction from modern CPUs.
The vulnerability is dubbed "Spectre". The PoC-code was created in JavaScript, which demonstrated possibility of the attack.
Remediation
Update to version 57.0.4.