Mozilla Hardens Firefox Against Injection Attacks

Mozilla this week announced that it has reduced the attack surface for code injection in Firefox by removing potentially dangerous artifacts from the browser's own code, notably inline scripts and uses of eval()-like functions.

The first change affects the built-in about: pages that Firefox ships with, which provide an interface to the browser's internal state. The best known of them is about:config, which lets Firefox users customize the browser.

Because these about: pages are implemented in HTML and JavaScript, they are exposed to the same classes of vulnerability as ordinary web pages, and code injection is no exception.

The difference is in the consequences: if an attacker can inject code into an about: page, that code runs in the security context of the browser itself rather than that of a web page, and can perform arbitrary actions on the user's behalf.

Mozilla says it has now rewritten all inline event handlers and moved all inline JavaScript into packaged files for all 45 about: pages in Firefox.

Doing so made it possible to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ to these pages. Since the policy permits no inline script and allows script to load only from the chrome: protocol, JavaScript injected into a page is simply not executed.

“Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla content security tech lead Christoph Kerschbaumer explains. 
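To make the effect of the policy concrete, the following is an added example, not Mozilla's code, that models the part of the CSP decision that matters here: which directive governs scripts, how a scheme source such as chrome: is matched, and why inline script is refused unless 'unsafe-inline' is present. Nonces, hashes and 'strict-dynamic' are left out, and the page origin, policy strings and the chrome:// path are constructed for illustration.

```javascript
// Added example (not Mozilla's code): a stripped-down model of the CSP
// decision for scripts, used to show why "default-src chrome:" stops
// injected inline script on an about: page while packaged chrome: files
// still run. Nonces, hashes and 'strict-dynamic' are deliberately omitted.

// Parse "default-src chrome:; script-src 'self'" into
// Map { "default-src" => ["chrome:"], "script-src" => ["'self'"] }.
// As in the spec, a repeated directive name keeps only its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// "scheme://host[:port]" of a URL or host-source expression, lower-cased.
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^/?#]*)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Does one source expression permit a script fetched from scriptUrl?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  if (expr === '*') return true;
  if (expr === "'self'") return originOf(scriptUrl) === pageOrigin;
  // Scheme source such as "chrome:" or "https:" matches any URL of that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return scriptUrl.toLowerCase().startsWith(expr.toLowerCase());
  }
  // Host source such as "https://cdn.example": scheme and host must match exactly.
  return originOf(expr) !== null && originOf(expr) === originOf(scriptUrl);
}

// Decide whether a script executes under `policy`.
// `script` is { inline: true } for <script>...</script> text and inline
// handlers such as onclick="...", or { inline: false, url } for src= scripts.
// script-src governs scripts; when absent the check falls back to default-src;
// with neither present the page has no CSP and everything runs.
function scriptAllowed(policy, script, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? null;
  if (sources === null) return true;
  if (script.inline) return sources.includes("'unsafe-inline'");
  return sources.some((expr) => sourceMatches(expr, script.url, pageOrigin));
}

// Constructed cases mirroring the article. The page origin and chrome:// path are made up.
const PAGE = 'chrome://example';
const HARDENED = 'default-src chrome:';
const WEAKENED = "default-src chrome:; script-src chrome: 'unsafe-inline'";
const CASES = [
  // Before the rewrite: no CSP, so an injected <script> runs with the page's privileges.
  { label: 'no policy, injected inline script', policy: '', script: { inline: true }, expect: true },
  { label: 'hardened, injected inline script or onclick', policy: HARDENED, script: { inline: true }, expect: false },
  { label: 'hardened, packaged chrome: file', policy: HARDENED,
    script: { inline: false, url: 'chrome://example/content/page.js' }, expect: true },
  { label: 'hardened, remote script', policy: HARDENED,
    script: { inline: false, url: 'https://attacker.example/x.js' }, expect: false },
  // The weak setting: re-adding 'unsafe-inline' makes injection work again.
  { label: "unsafe-inline re-added, injected inline script", policy: WEAKENED, script: { inline: true }, expect: true },
];

function runCases() {
  return CASES.map((c) => ({
    label: c.label,
    allowed: scriptAllowed(c.policy, c.script, PAGE),
    expect: c.expect,
  }));
}

for (const r of runCases()) {
  console.log(`${r.allowed === r.expect ? 'ok  ' : 'FAIL'} ${r.label}: ${r.allowed ? 'executes' : 'blocked'}`);
}
```

The point the cases make is that the rewrite and the policy go together: only once no legitimate inline script remains can a policy without 'unsafe-inline' be applied, and once it is applied an injected inline script is indistinguishable from the ones that were removed and is blocked on the same grounds.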

The second change concerns the JavaScript function eval(), which parses an arbitrary string as code and executes it with the privileges of the code that called it. That makes it possible to run code generated at runtime, or stored somewhere other than a script file, but it also creates attack surface for code injection: any attacker-influenced text that reaches eval() becomes code.


“To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts,” Kerschbaumer notes. 
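The following added example, which is not Mozilla's code, shows the two halves of what the paragraphs above describe: first why eval() over attacker-influenced text is an injection primitive and what the rewrite to plain data access looks like, then a guard in the spirit of the assertions Kerschbaumer mentions, which makes any eval-like call inside a section marked as privileged fail loudly. The preference store, the payload and the helper names (readPrefWithEval, readPref, withEvalForbidden) are all constructed for illustration.

```javascript
// Added example (not Mozilla's code): why eval() over attacker-influenced
// text is an injection primitive, what the rewrite to plain data access
// looks like, and a guard in the spirit of the assertions described above
// that turns eval-like calls into hard failures inside a "privileged" section.
// The preference store, names and helpers below are all constructed.

// Constructed stand-in for browser-internal state.
const prefs = {
  'browser.startup.homepage': 'about:home',
  'dom.disable_open_during_load': true,
};

// Flag that only attacker-supplied code would set.
const sideEffects = { executed: false };

// BEFORE: runtime-generated code. `name` is spliced into source text, so a
// value like  x']; sideEffects.executed = true; prefs['y  is compiled and run
// in this function's scope, which is exactly the code-injection risk.
function readPrefWithEval(name) {
  return eval("prefs['" + name + "']");
}

// AFTER: the same lookup as data access; the string is only ever a key and
// no source text is compiled at runtime.
function readPref(name) {
  return Object.prototype.hasOwnProperty.call(prefs, name) ? prefs[name] : undefined;
}

// Feed an injection payload to a lookup function and report whether the
// attacker-controlled statement actually ran.
function injectionDemo(lookup) {
  sideEffects.executed = false;
  const payload = "x']; sideEffects.executed = true; prefs['y";
  lookup(payload);
  return sideEffects.executed;
}

// Guard: while fn runs, the eval-like entry points throw instead of
// compiling strings, so a stray eval() in "privileged" code fails the way
// an assertion would. Reassigning the global makes a later eval(...) an
// ordinary call to the stub rather than a direct eval. This is an
// illustration only: code holding a reference to the real Function, e.g. via
// (function () {}).constructor, could still bypass it, which is why Mozilla
// enforces this inside the engine rather than in script.
function withEvalForbidden(fn) {
  const saved = { eval: globalThis.eval, Function: globalThis.Function };
  const refuse = (what) => function () {
    throw new Error('eval-like call refused in privileged context: ' + what);
  };
  globalThis.eval = refuse('eval');
  globalThis.Function = refuse('Function');
  try {
    return fn();
  } finally {
    globalThis.eval = saved.eval;
    globalThis.Function = saved.Function;
  }
}

// Does the guard refuse fn?
function isRefused(fn) {
  try {
    withEvalForbidden(fn);
    return false;
  } catch (e) {
    return /refused in privileged context/.test(String(e));
  }
}

console.log('eval lookup runs injected statement:', injectionDemo(readPrefWithEval)); // true
console.log('data lookup runs injected statement:', injectionDemo(readPref));         // false
console.log('guard refuses eval-based lookup:',
  isRefused(() => readPrefWithEval('browser.startup.homepage')));                    // true
console.log('guard permits data lookup:',
  !isRefused(() => readPref('browser.startup.homepage')));                           // true
```

The guard is the development-time half of the story: it does not make eval() safe, it makes its presence in privileged code impossible to miss, which is what allows each remaining call site to be found and rewritten the way readPrefWithEval becomes readPref.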

While making these changes, Mozilla also discovered calls to eval() originating outside its own codebase, the result of an older mechanism that allowed users to execute their own JavaScript in the context of the browser.

That feature was meant for customizations applied at startup but is now considered a security risk, and the mechanism has been removed. Some users, however, have since turned to other tricks to achieve the same customizations, including the use of eval(). When Firefox detects such tricks it disables the blocking mechanism and allows eval() to be used, so that these customizations keep working.

The eval() assertions will continue to alert the Mozilla security team to previously unknown instances of eval(), which will be audited and, where appropriate, restricted as the Firefox security landscape is hardened further.

Related: DNS-over-HTTPS Coming to Firefox

Related: Firefox Update to Address Antivirus TLS Errors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
