Developers Reduce Firefox Code Injection Exposure

Firefox developer Mozilla said it has removed features from the browser that could have provided an opportunity for code injection attacks.

Developers removed inline scripts from the browser’s about: pages, which display the internal state of the browser, and removed the use of eval() and similar functions from the browser’s own privileged code, said content security lead Christoph Kerschbaumer.

The browser’s about: pages display information such as installed plug-ins or the state of various browser settings.

But the pages are written using HTML and JavaScript, and as such can be targeted by code injection attacks like any other web page.

Code injection

“If an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on behalf of the user,” Kerschbaumer said in a blog post.

To reduce this risk, the team rewrote all 45 about: pages and moved their inline JavaScript into packaged resources.

That allowed developers to apply a stricter Content Security Policy to the pages, one that disallows inline script and so prevents injected JavaScript from running.

Instead, script only runs when it is loaded from a packaged resource via the browser’s internal chrome: protocol, Kerschbaumer said.

“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” he wrote.
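As an added illustration of the mechanism described above (this is example code, not Firefox’s own, and the policy strings, page URL and script sources are constructed assumptions), the following minimal evaluator applies the script-loading part of a Content Security Policy to three scripts: a packaged chrome: resource, an injected inline script, and a remote script. A permissive policy that still carries 'unsafe-inline' lets the injected script run; the restrictive policy only admits the packaged resource.

```javascript
// Added example, not Mozilla code: a small evaluator for the script-loading
// part of a Content Security Policy. Only scheme sources ("chrome:"), full
// origins ("https://example.com"), "*", "'none'" and "'unsafe-inline'" are
// handled; that is enough to show why dropping inline script and serving
// only packaged chrome: resources blocks injected JavaScript.

// Parse "directive src src; directive src" into a Map: directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Decide whether a script may run under `policy`.
// `script` is { inline: true, code } or { inline: false, url }.
// script-src governs scripts; default-src is the fallback when it is absent.
function scriptAllowed(policy, script) {
  const directives = parseCsp(policy);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return true; // no applicable directive: scripts are unrestricted
  if (script.inline) {
    // Inline <script> bodies and event handlers only run with 'unsafe-inline'.
    return sources.includes("'unsafe-inline'");
  }
  const url = new URL(script.url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src.endsWith(":")) return url.protocol === src; // scheme source, e.g. "chrome:"
    return url.origin === new URL(src).origin;          // origin source
  });
}

// Constructed policies: a permissive one standing in for pages that still rely
// on inline script, and a restrictive one that only admits packaged resources.
const PERMISSIVE_POLICY = "default-src chrome: 'unsafe-inline'";
const RESTRICTIVE_POLICY = "default-src chrome:; object-src 'none'";

// Constructed scripts: a packaged resource (assumed URL), an injected inline
// script, and a script pulled from an attacker-controlled host.
const PACKAGED_SCRIPT = { inline: false, url: "chrome://browser/content/aboutPage.js" };
const INJECTED_SCRIPT = { inline: true, code: "exfiltrate(document.cookie)" };
const REMOTE_SCRIPT = { inline: false, url: "https://attacker.example/payload.js" };

function demo() {
  return {
    permissiveAllowsInjected: scriptAllowed(PERMISSIVE_POLICY, INJECTED_SCRIPT),   // true
    restrictiveAllowsInjected: scriptAllowed(RESTRICTIVE_POLICY, INJECTED_SCRIPT), // false
    restrictiveAllowsPackaged: scriptAllowed(RESTRICTIVE_POLICY, PACKAGED_SCRIPT), // true
    restrictiveAllowsRemote: scriptAllowed(RESTRICTIVE_POLICY, REMOTE_SCRIPT),     // false
  };
}

console.log(demo());
```

The point of the comparison is that the restrictive policy is only possible once no page depends on inline script; the rewrite of the about: pages into packaged resources is what makes 'unsafe-inline' unnecessary.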

‘Powerful but dangerous’

Developers have also restricted the use of JavaScript’s eval() function in the browser’s own privileged code, in order to decrease the risk from what Kerschbaumer called a “powerful but dangerous tool”.

eval() parses and executes an arbitrary string as code in the security context of the script that calls it, which introduces a significant attack surface for code injection, he said.

To reduce the risk, the team removed all uses of eval() and similar functions from system-privileged contexts and from the parent process in the Firefox codebase, and added assertions that disallow the use of eval()-like functions in system-privileged script contexts.

This was in part intended to discourage developers from using the function.

Kerschbaumer said Mozilla’s tests unexpectedly found that some users were making use of eval() and other features to customise the browser.

“When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval(),” he wrote.
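The following added example (not Mozilla’s code; the page functions, the guard and the ctx fields are assumptions made for illustration) shows the two halves of the eval() change described in this section: a privileged page that rebuilds an object from a stored string with eval() next to a hardened version using JSON.parse(), and a guard that rejects eval()-like calls in a system-privileged context unless user customisation has been detected and blocking disabled.

```javascript
// Added example, not Mozilla code. Illustrates (1) why eval() in a privileged
// page is an injection sink and how JSON.parse() removes it, and (2) a guard
// modelling the assertion against eval()-like functions in system-privileged
// contexts, with the opt-out for users who rely on eval()-based customisation.

// Before: a privileged page turns a stored preference string back into an
// object with eval(). Anything an attacker can get into `serialized` runs
// with the page's privileges.
function parseViewStateUnsafe(serialized) {
  return eval("(" + serialized + ")");
}

// After: JSON.parse() only ever yields data, never runs code, and a shape
// check rejects anything that is not the expected object.
function parseViewStateSafe(serialized) {
  let value;
  try {
    value = JSON.parse(serialized);
  } catch {
    return null; // malformed or non-JSON input is rejected, not executed
  }
  if (typeof value !== "object" || value === null || Array.isArray(value)) return null;
  if (!["name", "date", "size"].includes(value.sort)) return null;
  return { sort: value.sort };
}

// Constructed inputs: a benign preference and an injected payload that, when
// eval()ed, also evaluates an expression with a side effect (it sets a flag;
// real injected code would do whatever the page's privileges allow).
const BENIGN_STATE = '{"sort":"name"}';
const MALICIOUS_STATE = '{"sort":"name", "x": (globalThis.injectedCodeRan = true)}';

function demoEvalInjection() {
  globalThis.injectedCodeRan = false;
  const unsafe = parseViewStateUnsafe(MALICIOUS_STATE);
  const ranUnderEval = globalThis.injectedCodeRan === true;

  globalThis.injectedCodeRan = false;
  const safe = parseViewStateSafe(MALICIOUS_STATE); // null: not valid JSON
  const ranUnderJsonParse = globalThis.injectedCodeRan === true;

  return {
    unsafeSort: unsafe.sort,   // "name": the payload parsed, and its side effect ran
    ranUnderEval,              // true
    safe,                      // null
    ranUnderJsonParse,         // false
    benign: parseViewStateSafe(BENIGN_STATE), // { sort: "name" }
  };
}

// Guard modelling the assertion added to system-privileged script contexts:
// eval()-like calls are refused there, unless user customisation that depends
// on eval() has been detected, in which case blocking is switched off.
// `ctx` is a hypothetical description of the calling script's context.
function makePrivilegedEval(ctx) {
  return function guardedEval(code) {
    if (ctx.systemPrincipal && !ctx.userCustomizationEnabled) {
      throw new Error("eval() is not permitted in a system-privileged context");
    }
    return (0, eval)(code); // indirect eval: runs in the global scope
  };
}

function demoGuard() {
  const privileged = makePrivilegedEval({ systemPrincipal: true, userCustomizationEnabled: false });
  let blocked = false;
  try {
    privileged("1 + 1");
  } catch {
    blocked = true;
  }
  const optedIn = makePrivilegedEval({ systemPrincipal: true, userCustomizationEnabled: true });
  const content = makePrivilegedEval({ systemPrincipal: false, userCustomizationEnabled: false });
  return {
    blocked,                          // true: privileged context, no opt-out
    optedInResult: optedIn("1 + 1"),  // 2: user customisation disables blocking
    contentResult: content("2 * 3"),  // 6: ordinary content context is unaffected
  };
}

console.log(demoEvalInjection(), demoGuard());
```

JSON.parse() is the right replacement only when the string is meant to be data; code that used eval() to build behaviour needs restructuring instead, which is why the team rewrote call sites rather than swapping one call for another.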

Separately, Mozilla recently announced a feature called DNS-over-HTTPS (DoH), which is designed to bolster users’ privacy, but said it would not switch the feature on by default for users in the UK.

The UK government had raised concerns that DoH could make it more difficult for law enforcement authorities to track the web usage of suspects.

Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.
