Firefox 開発者は、コードインジェクション攻撃に対する追加の保護を作成します

Mozilla developers have strengthened Firefox’s protection against code injection attacks by banning the use of inline scripts and eval() functions on browser service pages. Innovations will not allow attackers to execute a malicious command, change browser settings and steal important data.

Both options, which were removed by experts, allow executing code in the context of the application with its privilege level. According to Christoph Kerschbaumer, Mozilla’s technical security manager for content, the new measures are aimed at reducing the potential attack areanow there will be less opportunity for attackers to abuse browser capabilities.

Christoph Kerschbaumer

Christoph Kerschbaumer

“A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions”, — 書きます Christoph Kerschbaumer.

Firefox has 45 built-in about: service pages, many of which provide access to important technical data. 例えば, だいたい: config allows the user to change key browser settings, だいたい: memory, he can monitor memory consumption, だいたい: networking displays information about the network.

All of these pages are written in HTML and JavaScript. したがって, an attacker can try to inject their own code into them, which will then be executed with the same rights that Firefox works with. The exclusion of inline scripts and eval functions blocks such a threat.

こちらもお読みください: Googleはサイトを強制的にHTTPSに切り替える方法を発見した

Now all JavaScript code will be executed only if it has been downloaded through the browser’s internal protocol. これをする, Mozilla developers rewrote all event handlers and transferred the built-in JavaScript scripts to packed files for all the service pages. 加えて, the ability to perform eval and similar functions in the context of any process running with system privileges was excluded.

Specialists have also provided some exceptions to the new rules.

“Some users use an external eval function call to customize Firefox when the browser starts. This replaces it with the userChrome.js component, which was blocked some time ago for security reasons. この場合, the new blocker will allow the execution of eval()」, – explained Christoph Kerschbaumer.

Changes will not affect the display of Internet sites in Firefox. 同時に, developers intend to monito, how potentially dangerous functions are used in third-party extensions and plug-ins. If attackers find a new way to use these commands, the browser will send notifications to the Mozilla security team.



セキュリティエンジニア, リバースエンジニアリングとメモリフォレンジック