Firefox developers create additional protection against code injection attacks

Protection of Firefox from code injection
Written by Valdis Koks

Mozilla developers have strengthened Firefox’s protection against code injection attacks by banning the use of inline scripts and eval() functions on browser service pages. Innovations will not allow attackers to execute a malicious command, change browser settings and steal important data.

Both options, which were removed by experts, allow executing code in the context of the application with its privilege level. According to Christoph Kerschbaumer, Mozilla’s technical security manager for content, the new measures are aimed at reducing the potential attack area – now there will be less opportunity for attackers to abuse browser capabilities.

Christoph Kerschbaumer

Christoph Kerschbaumer

“A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions”, — writes Christoph Kerschbaumer.

Firefox has 45 built-in about: service pages, many of which provide access to important technical data. For example, about: config allows the user to change key browser settings, about: memory, he can monitor memory consumption, about: networking displays information about the network.

All of these pages are written in HTML and JavaScript. Therefore, an attacker can try to inject their own code into them, which will then be executed with the same rights that Firefox works with. The exclusion of inline scripts and eval functions blocks such a threat.

Read also: Google has figured out how to force sites switch to HTTPS

Now all JavaScript code will be executed only if it has been downloaded through the browser’s internal protocol. To do this, Mozilla developers rewrote all event handlers and transferred the built-in JavaScript scripts to packed files for all the service pages. In addition, the ability to perform eval and similar functions in the context of any process running with system privileges was excluded.

Specialists have also provided some exceptions to the new rules.

“Some users use an external eval function call to customize Firefox when the browser starts. This replaces it with the userChrome.js component, which was blocked some time ago for security reasons. In this case, the new blocker will allow the execution of eval()”, – explained Christoph Kerschbaumer.

Changes will not affect the display of Internet sites in Firefox. At the same time, developers intend to monito, how potentially dangerous functions are used in third-party extensions and plug-ins. If attackers find a new way to use these commands, the browser will send notifications to the Mozilla security team.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics

Leave a Comment