Bug 1265785 - (CVE-2015-7327) CVE-2015-7327 Mozilla: Information disclosure via the High Resolution Time API (MFSA 2015-114)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150922,repor...
Keywords: Reopened, Security
Depends On:
Blocks: 1261782
Reported: 2015-09-23 14:14 EDT by Prasad J Pandit
Modified: 2016-11-08 10:56 EST

Doc Type: Bug Fix
Last Closed: 2015-09-24 12:30:13 EDT
Description Prasad J Pandit 2015-09-23 14:14:38 EDT
Security researchers Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan,
Angelos D. Keromytis of Columbia University's Network Security Lab reported a
method of using the High Resolution Time API for side channel attacks. This
attack uses JavaScript loaded through a hostile web page to track access to
the last-level cache over a period of time as a user engages in other browser
activity. This attack takes advantage of the performance.now() API's use of
single nanosecond resolution for timing.

Security researcher Amit Klein independently reported use of the
performance.now() API on Windows systems to extract the Windows counter
frequency as an avenue for side channel attacks.

Both of these flaws allow for the disclosure of private information, user
fingerprinting, and data leakage. They have been addressed by reducing the
resolution of the performance.now() API to 5 microseconds to remove the
precision in resolution available to attackers.

The Windows counter frequency issue does not affect Linux or OS X systems.

External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-114/
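
Added example (not part of the bug report or of Firefox's code): a model of the mitigation described above, showing how rounding timestamps to 5 microseconds hides nanosecond-scale duration differences, plus a check for a clock's smallest observable step. Flooring as the rounding rule, the function names and all sample timestamps are assumptions constructed for illustration.

```javascript
// Added example: models timer coarsening using integer nanoseconds.
const RESOLUTION_NS = 5000; // 5 microseconds, the resolution named in the bug

// Round a timestamp down to a multiple of the resolution.
// Assumption: flooring; the bug does not say how Firefox rounds.
function clampNs(tNs, resolutionNs = RESOLUTION_NS) {
  return tNs - (tNs % resolutionNs);
}

// Duration a script would compute from two readings of the coarsened clock.
function observedDurationNs(startNs, endNs, resolutionNs = RESOLUTION_NS) {
  return clampNs(endNs, resolutionNs) - clampNs(startNs, resolutionNs);
}

// Smallest non-zero step across successive readings of a clock function.
// Useful as a check that a timer is no finer than the intended resolution.
function smallestStepNs(readClockNs, readings) {
  let prev = readClockNs();
  let smallest = Infinity;
  for (let i = 1; i < readings; i++) {
    const cur = readClockNs();
    if (cur !== prev) smallest = Math.min(smallest, cur - prev);
    prev = cur;
  }
  return smallest;
}

// Constructed sample timestamps (not measurements): 40 ns and 180 ns operations.
const CONSTRUCTED_SAMPLES = [
  { label: "fast", startNs: 1000100, endNs: 1000140 },
  { label: "slow", startNs: 1000100, endNs: 1000280 },
  { label: "slow, straddling a tick", startNs: 1004900, endNs: 1005080 },
];

function compare(samples) {
  return samples.map((s) => ({
    label: s.label,
    rawNs: s.endNs - s.startNs,
    clampedNs: observedDurationNs(s.startNs, s.endNs),
  }));
}

// Simulated clock advancing 37 ns per read (constructed), raw or coarsened.
function makeClock(coarsen) {
  let t = 0;
  return () => { t += 37; return coarsen ? clampNs(t) : t; };
}

console.table(compare(CONSTRUCTED_SAMPLES));
```

The third sample shows the residual signal: a duration that straddles a tick boundary reads as 5000 ns, so coarsening lowers precision rather than removing timing information entirely.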
Comment 1 Adam Mariš 2015-09-24 07:49:38 EDT
Closed by mistake, opening again.
Comment 2 Martin Prpič 2015-09-24 08:40:00 EDT
Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis of Columbia University's Network Security Lab, and Amit Klein as the original reporters.
Comment 3 Martin Prpič 2015-09-24 12:30:13 EDT
This issue was fixed in Firefox version 41.
