Frédéric Wang posted the following comment on bugzilla.mozilla.org about Tor Browser's disabling of MathML. I'm posting it here in case it's useful:
I'm curious to know what was the reasoning to put MathML in that category [Medium-Low] and whether the Mozilla MathML/Security teams should do something to provide more security guarantees on MathML to Tor people.
The "Medium-Low" level seems to only disable features related to executable code (JavaScript & Java) while MathML is essentially a complex rendering of text so it should be treated at the same level as layout, graphics & fonts (e.g. the latest public critical issue I'm aware of is https://www.mozilla.org/en-US/security/advisories/mfsa2014-59/, which is actually really from the "DirectWrite font handling").
The iSEC study does not even mention vulnerability of MathML while it says that "the SVG components have been the host of several exploitable bugs in the past several years" and recommends to "disable at the Low or Medium security level"... but your link says it is only disabled in High mode.
Also, the iSEC study says it relies on the exploit analysis, but a quick search on https://www.mozilla.org/en-US/security returns far fewer results (two) for MathML than for SVG. And actually a search for "graphite" also returns two crashes too: https://www.mozilla.org/en-US/security/advisories/mfsa2012-64/
Finally, the iSEC study seems to take into account the number of websites using a given feature, but MathML does not seem less popular than Graphite or SVG OpenType fonts.
Here's the original:
https://bugzilla.mozilla.org/show_bug.cgi?id=1173199#c12