Mozilla has removed what it calls ‘dangerous artifacts’ from its codebase in order to harden Firefox’s defences against code injection attacks.
When the Firefox browser is installed it also comes with a host of built-in pages that give users access to functions and information such as network details, downloads, plug-ins, memory and performance data.
These about: pages, 45 in all, are written in JavaScript and HTML and as such are susceptible to exploitation by attackers. Code injection attacks take advantage of the way HTML and JavaScript execute code and functions: the vulnerability allows an attacker to insert their own code in order to exploit the system.
In a security blog Mozilla expressed concern that “if an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on the behalf of the user.”
For all 45 about: pages Mozilla has rewritten all of the inline event handlers and moved all of the inline JavaScript code into packaged files.
Doing so means that JavaScript will only execute when it is loaded from a packaged source served via the chrome: protocol.
Having the possibility for this type of arbitrary code execution is a security risk. Removing the inline script from all of the about: pages reduces the attack surface exposed to threat actors and forces them to try to exploit the browser using more complicated methods.
Content security lead at Mozilla, Christoph Kerschbaumer, notes that removing the inline code “allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute.”
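As an added illustration (not Mozilla's code), the following JavaScript models the subset of CSP source matching that makes a policy such as 'default-src chrome:' effective: an inline handler is refused unless 'unsafe-inline' is listed, and an external script runs only if its scheme is listed. The script URLs and policies below are constructed; nonce and hash sources are not modelled.

```javascript
// Added example, not Firefox code: a minimal model of how a CSP decides
// whether script may run. Only default-src/script-src, scheme sources
// such as "chrome:", and the 'unsafe-inline' / 'none' keywords are handled.

function parseCsp(policy) {
  // "default-src chrome:; script-src chrome: 'unsafe-inline'" -> Map
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// script-src governs scripts; it falls back to default-src when absent.
// null means the policy places no restriction on scripts at all.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Would an inline <script> or an onclick="..." handler be allowed to run?
// This is the case the about: page rewrite removes the need for.
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.includes("'unsafe-inline'");
}

// Would a packaged script loaded from this URL be allowed to run?
function allowsScriptFrom(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const scheme = new URL(url).protocol; // e.g. "chrome:" or "https:"
  return sources.some((src) => {
    if (src === "*") return true;
    if (src.endsWith(":")) return src === scheme; // scheme-source match
    return false; // host sources are not modelled in this example
  });
}

// Constructed policies: the hardened one and a weak one that still allows inline code.
const HARDENED_POLICY = "default-src chrome:";
const WEAK_POLICY = "default-src chrome: 'unsafe-inline'";
```

Under HARDENED_POLICY an injected inline handler is refused while a script at a constructed chrome://example/content/page.js URL still loads, which is exactly the property the about: page rewrite relies on.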
Mozilla Security Removes eval() Functions
The Firefox security team appears to have taken a long look at how JavaScript code operates within the platform, as they have also decided to rewrite all uses of ‘eval()’-like functions in the parent process and in privileged contexts.
The JavaScript eval() function evaluates an entire string as code and executes it. The issue is that when it is called from a privileged context, the code it executes runs with that same high level of privilege.
In order to minimise the risk of attackers exploiting this function in the platform’s codebase, the Firefox security team has rewritten the security-relevant uses of ‘eval()’-like functions. They have also added ‘assertions’ that operate at runtime, check the calling script, and disallow the use of eval() functions.
In what they describe as ‘unexpected’, the security team discovered that their platform was receiving calls to eval() functions from outside of its codebase.
Highlighting their discovery, the team commented that a while ago: “Firefox supported a mechanism which allowed you to execute user-supplied JavaScript in the execution context of the browser. Back then this feature, now considered a security risk, allowed you to customize Firefox at start up time and was called userChrome.js.”
“After that mechanism was removed, users found a way to accomplish the same thing through a few other unintended tricks. Unfortunately we have no control of what users put in these customization files, but our runtime checks confirmed that in a few rare cases it included eval. When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval().”
The Mozilla security team says that it will continue to audit the platform moving forward in order to further harden Firefox’s overall security.