Hardening Firefox to prevent Injection Attacks


Mozilla has recently made efforts to harden the Firefox browser against code injection attacks. It did so by removing “potentially dangerous artifacts” from the Firefox codebase, including inline scripts and eval()-like functions.

The inline scripts were removed to improve protection for Firefox’s ‘about’ protocol, more commonly known as about: pages. There are several of these about: pages, which permit users to do things like display networking information, see how the browser is configured, and view installed plug-ins.

Mozilla’s content security lead Christoph Kerschbaumer explains that they had some concerns that attackers could use code injection attacks to abuse the about:config page, which “exposes an API to inspect and update preferences and settings, which allows Firefox users to tailor their Firefox instance to their specific needs.”

These about: pages are written in HTML and JavaScript and therefore share the same security model as normal web pages, which are also vulnerable to code injection attacks. An attacker could inject code into that about: page and then change the browser’s configuration settings, for example.

The response to this security risk had two parts. First, Mozilla rewrote all inline event handlers and moved all inline JavaScript code to “packaged files” for all 45 of the about: pages. Second, Mozilla set a “strong” Content Security Policy to ensure that injected JavaScript code does not execute.

Now JavaScript code will only execute when loaded from a packaged resource using the internal chrome: protocol.

Not allowing any inline script in any of the about: pages limits the attack surface for arbitrary code execution and hence provides a strong first line of defense against code injection attacks.
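A minimal audit for the change described above, as an added JavaScript example that is not Mozilla's code: it flags inline event handlers, inline script blocks and script sources outside an assumed chrome: allow-list. The function names, the simplified regex-based tag matching and the two sample pages are assumptions made for illustration.

```javascript
// Added example; not Mozilla's code. Flags script that a CSP limited to
// packaged chrome: resources (no inline script) would refuse to run.
const ALLOWED_SCHEME = "chrome:"; // assumption taken from the article's wording

// Simplified tag/attribute matching, adequate for auditing trusted source files.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR_RE)) attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  return attrs;
}

function auditPage(html) {
  const findings = [];
  const lower = html.toLowerCase();
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    for (const name of attrs.keys()) { // onclick=, onload=, ... are inline event handlers
      if (/^on[a-z]+$/.test(name)) findings.push({ kind: "inline-handler", tag, detail: name });
    }
    if (tag !== "script") continue;
    const close = lower.indexOf("</script", TAG_RE.lastIndex);
    const end = close === -1 ? html.length : close;
    const body = html.slice(TAG_RE.lastIndex, end).trim();
    TAG_RE.lastIndex = end; // skip script text so "<" inside code is not read as a tag
    if (!attrs.has("src")) {
      if (body) findings.push({ kind: "inline-script", tag, detail: body.slice(0, 40) });
    } else if (!attrs.get("src").toLowerCase().startsWith(ALLOWED_SCHEME)) {
      findings.push({ kind: "disallowed-src", tag, detail: attrs.get("src") });
    }
  }
  return findings;
}

// Constructed samples: one page before and after moving script into a packaged file.
const BEFORE = `<body onload="init()">
<button id="apply" onclick="applyPref()">Apply</button>
<script>function init() { if (1 < 2) setup(); }</script>
<script src="https://example.invalid/helper.js"></script></body>`;
const AFTER = `<body><button id="apply">Apply</button>
<script src="chrome://example/content/page.js"></script></body>`;

console.log(auditPage(BEFORE).map((f) => `${f.kind}: <${f.tag}> ${f.detail}`), auditPage(AFTER).length);
```

A clean audit only shows the source no longer depends on inline script; the Content Security Policy is what stops injected script from executing at run time.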

Another effort was to address the eval() function in JavaScript, which Mozilla describes as a “dangerous function” that web developers are warned never to use. It executes the code it’s passed with the privileges of the caller.

When you run eval() with a string that could be affected by a malicious party, it may result in running malicious code on the user’s machine with the permissions of your webpage / extension. Also, third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.

This function is considered a “powerful yet dangerous tool” that introduces significant attack surface for code injection, and its use is always discouraged in favor of safer alternatives.

All uses of eval()-like functions in system-privileged contexts and in the parent process of the Firefox codebase have been rewritten.

The main aim of this measure is to reduce the attack surface in Firefox and further discourage the function’s use.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
