today we are updating the Stable channel with some important security fixes. We also repaired bugs in Windows installer.
In recent weeks a lot has been written about the security flaws in modern processors codenamed “Meltdown” and “Spectre”. Fully addressing these flaws is something that will take a long time, potentially requiring redesigned hardware, but as a browser vendor we have a duty to protect our users despite the circumstances so we are not waiting.
The information leak happens because certain machinecode takes different amounts of time to execute depending on the value of otherwise secret memory. That way you can deduce what the value of that secret memory is.
In today’s Opera 50 update we have a fix that blunts the main tool for the attack: The very high precision timer you get with performance.now().
After the change, performance.now() has a precision of 100μs and additionally it has received a small amount of randomness in it. That will make the attacks both much harder and less efficient.
It is likely that the timer change is enough to make attacks inefficient enough to not at all be practical but we are going to implement further mitigations in Opera 51.