Firefox developers add more protection against code injection attacks

Mozilla developers have strengthened Firefox’s protection against code injection attacks by banning the use of inline scripts and eval() functions on browser service pages. The changes are meant to keep attackers from executing malicious commands, changing browser settings, or stealing important data.

Both options, which were removed by experts, allow executing code in the context of the application with its privilege level. According to Christoph Kerschbaumer, Mozilla’s technical security manager for content, the new measures are aimed at reducing the potential attack area: there will now be less opportunity for attackers to abuse browser capabilities.

“A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions,” writes Christoph Kerschbaumer.

Firefox has 45 built-in about: service pages, many of which provide access to important technical data. For example, about:config allows the user to change key browser settings, about:memory lets them monitor memory consumption, and about:networking displays information about the network.

All of these pages are written in HTML and JavaScript. Therefore, an attacker can try to inject their own code into them, which would then be executed with the same rights that Firefox itself runs with. Removing inline scripts and eval functions blocks this threat.

Now JavaScript code will be executed only if it has been loaded through the browser’s internal protocol. To achieve this, Mozilla developers rewrote all event handlers and moved the inline JavaScript into packaged files for all the service pages. In addition, the ability to call eval and similar functions in the context of any process running with system privileges was removed.
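An audit of the kind this clean-up implies, as an added example (not Mozilla's code): it scans a page's markup for inline scripts, inline event handlers and eval-like calls. The sample page, its `chrome://example/...` path and the function names `auditPage` and `countByKind` are constructed for illustration.

```javascript
// Added example, approximate by design: regexes stand in for a real HTML/JS parser.
// SAMPLE_PAGE is constructed for illustration; it is not a real Firefox about: page.
const SAMPLE_PAGE = `
<script src="chrome://example/content/page.js"></script>
<script>var prefs = loadPrefs();</script>
<body onload="init()">
  <button id="reset" onclick="resetAll()">Reset</button>
  <script type="application/json">{"note": "data block, never executed"}</script>
  <script>setTimeout("refresh()", 1000); eval(userInput);</script>
</body>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const JS_TYPE_RE = /^(?:(?:text|application)\/(?:java|ecma)script|module)$/i;
// Assumed reading of "eval()-like": eval, the Function constructor, string timers.
const EVAL_LIKE = [/\beval\s*\(/g, /\bnew\s+Function\s*\(/g, /\bset(?:Timeout|Interval)\s*\(\s*["']/g];

function auditPage(html) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const type = (/\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1] || 'text/javascript';
    if (!JS_TYPE_RE.test(type)) continue;            // data blocks are not executed
    const code = body.trim();
    if (!/\bsrc\s*=/i.test(attrs) && code) {
      findings.push({ kind: 'inline-script', detail: code.slice(0, 40) });
    }
    for (const re of EVAL_LIKE) {
      for (const m of code.matchAll(re)) findings.push({ kind: 'eval-like', detail: m[0] });
    }
  }
  // Inline event handlers (onclick=, onload=, ...) on the remaining markup.
  const markup = html.replace(SCRIPT_RE, '');
  for (const [tag] of markup.matchAll(/<[a-z][^>]*>/gi)) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: 'event-handler', detail: m[1].toLowerCase() });
    }
  }
  return findings;
}

function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

console.log(countByKind(auditPage(SAMPLE_PAGE)));
```

A page refactored the way the article describes, with every script loaded from a file and handlers attached from that file, produces no findings.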

Specialists have also provided some exceptions to the new rules.

“Some users use an external eval function call to customize Firefox when the browser starts. This replaces it with the userChrome.js component, which was blocked some time ago for security reasons. In this case, the new blocker will allow the execution of eval(),” explained Christoph Kerschbaumer.

The changes will not affect how Internet sites are displayed in Firefox. At the same time, developers intend to monitor how potentially dangerous functions are used in third-party extensions and plug-ins. If attackers find a new way to use these commands, the browser will send notifications to the Mozilla security team.

About the author

Valdis Kok

Security engineer, reverse engineering and memory forensics
