Cyber-security researchers recently discovered a series of security vulnerabilities involving ‘speculative execution’, which is an optimization technique for high-performance execution on modern logic chips that need to be more performance-orientated than the relatively simpler embedded microcontrollers.
The flaws can, in theory, allow any software or web-app to potentially view the layout or contents of protected kernel memory that has access to passwords, login credentials and other sensitive data.
Termed ‘Spectre’ and ‘Meltdown’, the exploits affect not just a whole bunch of the x86 CPUs from Intel (from as far back as 1995), but dozens of different chips from a number of vendors. While the latter affects some of ARM’s chips alongside those from Intel, the former is also said to affect chips from AMD and POWER (in addition to those from Intel and ARM), making them a clear and present danger to millions of computing devices worldwide.
While Microsoft, Apple and Google have all either already rolled out updates to fix the bug or are in the process of doing so in the near future, it’s definitely expected to slow down the affected systems significantly.
Software vendors are also scampering to roll out updates to their products in order to stop web-based execution vectors for the two vulnerabilities, with Mozilla being the latest one to announce a patch for the twin threat. The company has just rolled out the latest installment of Firefox (version 57.0.4) that disables the JavaScript features required for the Meltdown and Spectre timing attacks.
It is, however, believed to be an initial workaround with a more comprehensive fix expected to be rolled out in the near future. Mozilla had earlier officially confirmed that the bugs can be exploited via JavaScript files to extract personally-identifiable information from internet users.
You can download the desktop version of Mozilla Firefox 57.0.4 from the official source by clicking thru this link, while mobile users can go over to the Play Store to download the latest version of the app.