The “about” pages in Firefox allow users to view networking information, display browser configurations, and access installed plugins. Through research and observation, the team at Mozilla found that there is a chance that the “about config” page can be abused to launch code injection attacks. Mozilla developers fixed this vulnerability by rewriting the inline event handlers and inline JavaScript code for all 45 “about” pages and moving that code to packaged files. “This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla researchers stated. As an additional hardening step, the uses of eval()-like functions in system-privileged contexts and in the parent process within Firefox’s codebase were rewritten.
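The effect of the quoted policy can be checked with a small model of how CSP decides whether a script may run. This is an added example, not Mozilla's code or Firefox's CSP implementation; the function names and the sample URLs are assumptions, and only scheme-sources and 'unsafe-inline' are modelled.

```javascript
// Added example: a simplified model of CSP script checks, not Firefox's implementation.
// Only scheme-sources (e.g. chrome:) and 'unsafe-inline' are modelled; host sources,
// 'self' and * are out of scope and never match here.

// Parse a policy string into a map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src governs scripts; when it is absent, default-src is the fallback.
// Sources are lowercased for keyword and scheme comparison only.
function scriptSources(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src') || null;
  return sources && sources.map((s) => s.toLowerCase());
}

// Would an injected inline <script> or inline event handler run?
// The injected markup is assumed to carry no valid nonce or hash.
function injectedInlineRuns(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive, nothing is blocked
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // 'unsafe-inline' is ignored once a nonce or hash source is present.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Would a script loaded from this URL be allowed by a scheme-source?
function scriptUrlAllowed(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.includes(new URL(url).protocol); // protocol looks like "chrome:"
}

// Constructed inputs: the policy quoted above and placeholder URLs.
const POLICY = 'default-src chrome:';
console.log({
  inline: injectedInlineRuns(POLICY),
  packaged: scriptUrlAllowed(POLICY, 'chrome://example/content/page.js'),
  remote: scriptUrlAllowed(POLICY, 'https://cdn.example/lib.js'),
});
```

Under this model the policy permits only the packaged chrome: script, and adding 'unsafe-inline' to the same policy is what would let inline script run again.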
Analyst Notes
Email and web browsing continue to be the two most common vectors for malware to enter a computer and allow an attacker to have remote control. Attackers continuously research new methods to deliver malware through email and web browsers, while security researchers seek to find the same vulnerabilities and mitigate them through patches. It is important for network defenders to maintain an up-to-date inventory of software and hardware products on their networks, know which versions are in use, and apply security patches as soon as practical.