Mozilla developers have strengthened Firefox’s protection against code injection attacks by banning the use of inline scripts and eval() functions on browser service pages. Innovations will not allow attackers to execute a malicious command, change browser settings and steal important data.
Both options, which were removed by experts, allow executing code in the context of the application with its privilege level. According to Christoph Kerschbaumer, Mozilla’s technical security manager for content, the new measures are aimed at reducing the potential attack area – now there will be less opportunity for attackers to abuse browser capabilities.
Christoph Kerschbaumer
“A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions”, — пише Christoph Kerschbaumer.
Firefox has 45 built-in about: service pages, many of which provide access to important technical data. For example, приблизно: config allows the user to change key browser settings, приблизно: memory, he can monitor memory consumption, приблизно: networking displays information about the network.
All of these pages are written in HTML and JavaScript. Therefore, an attacker can try to inject their own code into them, which will then be executed with the same rights that Firefox works with. The exclusion of inline scripts and eval functions blocks such a threat.
Читайте також: Google has figured out how to force sites switch to HTTPS
Now all JavaScript code will be executed only if it has been downloaded through the browser’s internal protocol. Зробити це, Mozilla developers rewrote all event handlers and transferred the built-in JavaScript scripts to packed files for all the service pages. В додаток, the ability to perform eval and similar functions in the context of any process running with system privileges was excluded.
Specialists have also provided some exceptions to the new rules.
“Some users use an external eval function call to customize Firefox when the browser starts. This replaces it with the userChrome.js component, which was blocked some time ago for security reasons. In this case, the new blocker will allow the execution of eval()», – explained Christoph Kerschbaumer.
Changes will not affect the display of Internet sites in Firefox. В той самий час, developers intend to monito, how potentially dangerous functions are used in third-party extensions and plug-ins. If attackers find a new way to use these commands, the browser will send notifications to the Mozilla security team.
Залишити коментар