Mozilla developers have strengthened Firefox’s protection against code injection attacks by banning the use of inline scripts and eval() functions on browser service pages. Innovations will not allow attackers to execute a malicious command, change browser settings and steal important data.
Both options, which were removed by experts, allow executing code in the context of the application with its privilege level. According to Christoph Kerschbaumer, Mozilla’s technical security manager for content, the new measures are aimed at reducing the potential attack area – now there will be less opportunity for attackers to abuse browser capabilities.
“A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions”, — writes Christoph Kerschbaumer.
Firefox has 45 built-in about: service pages, many of which provide access to important technical data. For example, about: config allows the user to change key browser settings, about: memory, he can monitor memory consumption, about: networking displays information about the network.
Specialists have also provided some exceptions to the new rules.
“Some users use an external eval function call to customize Firefox when the browser starts. This replaces it with the userChrome.js component, which was blocked some time ago for security reasons. In this case, the new blocker will allow the execution of eval()”, – explained Christoph Kerschbaumer.
Changes will not affect the display of Internet sites in Firefox. At the same time, developers intend to monito, how potentially dangerous functions are used in third-party extensions and plug-ins. If attackers find a new way to use these commands, the browser will send notifications to the Mozilla security team.