[tbb-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 19 04:16:21 UTC 2017

#22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
     Reporter:  tom                       |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 Per #22966 it sounds like NoScript is not signed with a developer key (the
 'updateKey' feature described here: https://developer.mozilla.org/en-US
 /Add-ons/Install_Manifests#updateKey )

 updateKey allows the extension developer to require updates be signed with
 a key only they control. Without it, Mozilla can rewrite extensions and
 effectively get arbitrary code execution via an add-on.

 There's a few things at play here.

 1) We could disable add-on updating all together to mitigate this in 52.

 2) In 59, when the only 'full' add-ons are 'system' add-ons we'll need to
 figure this out ourselves anywhere. This will probably involve Tor signing
 Tor Launcher and TorButton with its own system add-on keys. Dev Tools is
 an open question.

 3) In 59, when Web Extensions are around this won't be as big of a
 concern. Mozilla can't get code execution but could neuter the effect of
 an add-on or turn it into spyware (assuming we keep extension updating in
 place). Whether web extensions will support an updateKey mechanism is an
 open question (they don't now, EFF wants it. Tor might wish to lend
 support to the argument. If Tor could get another partner repack to join
 in that would help even more I bet.)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list