

Windows 7: Mozilla hardening Firefox against Injection Attacks

4 Weeks Ago   #1
Brink


Quote:
A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions.

Removing Inline Scripts and adding Guards to prevent Inline Script Execution

Firefox not only renders web pages on the internet but also ships with a variety of built-in pages, commonly referred to as about: pages. Such about: pages provide an interface to reveal internal state of the browser. Most prominently, about:config, which exposes an API to inspect and update preferences and settings which allows Firefox users to tailor their Firefox instance to their specific needs.

Since such about: pages are also implemented using HTML and JavaScript they are subject to the same security model as regular web pages and therefore not immune against code injection attacks. More figuratively, if an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on the behalf of the user.

To better protect our users and to add an additional layer of security to Firefox, we rewrote all inline event handlers and moved all inline JavaScript code to packaged files for all 45 about: pages. This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks.

Removing eval()-like Functions and adding Runtime Assertions to prevent eval()

The JavaScript function eval(), along with the similar ‘new Function’ and ‘setTimeout()/setInterval()’, is a powerful yet dangerous tool. It parses and executes an arbitrary string in the same security context as itself. This execution scheme conveniently allows executing code generated at runtime or stored in non-script locations like the Document-Object Model (DOM). The downside however is that ‘eval()’ introduces significant attack surface for code injection and we discourage its use in favour of safer alternatives.

To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts.

Unexpectedly, in our effort to monitor and remove all eval()-like functions we also encountered calls to eval() outside of our codebase. For some background, a long time ago, Firefox supported a mechanism which allowed you to execute user-supplied JavaScript in the execution context of the browser. Back then this feature, now considered a security risk, allowed you to customize Firefox at start up time and was called userChrome.js. After that mechanism was removed, users found a way to accomplish the same thing through a few other unintended tricks. Unfortunately we have no control of what users put in these customization files, but our runtime checks confirmed that in a few rare cases it included eval. When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval().

Going forward, our introduced eval() assertions will continue to inform the Mozilla Security Team of yet unknown instances of eval() which we will closely audit and evaluate and restrict as we further harden the Firefox Security Landscape.

For the Mozilla Security Team,

Vinothkumar Nagasayanan, Jonas Allmann, Tom Ritter, and Christoph Kerschbaumer


Source: Hardening Firefox against Injection Attacks | Mozilla Security Blog
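
The policy quoted in the post, `default-src chrome:`, modelled as an added example that is not part of the original post and is not Mozilla's code: a simplified CSP check showing why inline script and eval()-like calls are refused while packaged chrome: scripts still load, plus a static audit for the inline markup that has to be moved into files first. The function names, the sample markup and the `chrome://example/` URL are assumptions constructed for illustration.

```javascript
// Simplified model: scheme sources plus the 'unsafe-inline' and 'unsafe-eval'
// keywords only (no nonces, hashes or host sources).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  // script-src falls back to default-src; null means scripts are unrestricted.
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

function evaluateCsp(policy, scriptUrl) {
  const src = scriptSources(policy);
  if (src === null) return { inline: true, evalLike: true, load: true };
  return {
    inline: src.includes("'unsafe-inline'"), // <script> bodies, onclick="..."
    evalLike: src.includes("'unsafe-eval'"), // eval(), new Function(), setTimeout("...")
    load: src.includes(new URL(scriptUrl).protocol), // scheme source, e.g. "chrome:"
  };
}

// Static audit: markup that must move into packaged files before such a
// policy can be applied without breaking the page.
function findInlineScript(html) {
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    if (tag.toLowerCase() === "script" && !/\bsrc\s*=/i.test(attrs)) {
      findings.push("inline <script> block");
    }
    for (const [, handler] of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push(`inline handler ${handler.toLowerCase()} on <${tag.toLowerCase()}>`);
    }
    if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      findings.push(`javascript: URL on <${tag.toLowerCase()}>`);
    }
  }
  return findings;
}

// Constructed sample markup, not taken from any Firefox about: page.
const SAMPLE_PAGE = `
<button id="reset" onclick="resetPrefs()">Reset</button>
<script>function resetPrefs() { /* ... */ }</script>
<script src="chrome://example/content/page.js"></script>`;

console.log(evaluateCsp("default-src chrome:", "chrome://example/content/page.js"));
console.log(findInlineScript(SAMPLE_PAGE));
```

The audit uses regular expressions over markup, so it is a triage aid for finding candidates to rewrite, not a substitute for the policy itself.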

