[tor-bugs] #6152 [Firefox Patch Issues]: Remove Chrome JS direct vectors to arbitrary machine code

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jun 13 20:11:31 UTC 2012


#6152: Remove Chrome JS direct vectors to arbitrary machine code
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  enhancement           |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:                        |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
 We should consider patching Firefox to remove ways that extension-level JS
 can execute machine code.

 Right now, this includes jsctypes, any ways there might be to load a
 binary XPCOM component from a DLL at runtime (these may have been removed
 with Firefox 4+'s new-style component registration), and maybe the ability
 to launch apps from JS XPCOM.

 I contend this doesn't make much sense to do until we have functional
 sandboxes, though, because simply the ability to read and write arbitrary
 files can be used to bootstrap arbitrary code exec eventually.

 It will also break addons that try to use this functionality. Most
 notably, Moxie's Convergence relies on jsctypes.

 However, once sandboxes are deployed, removing these features will block
 the ability of UXSS exploits to directly attack certain system calls. This
 will raise the bar for sandbox breakout for these types of bugs.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6152>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
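The vectors the ticket lists (js-ctypes, runtime registration of binary XPCOM components, launching programs from XPCOM, and the file-write bootstrap path) can be checked for in an add-on's chrome-privileged JS before it is allowed into a hardened profile. The following static audit is an added example, not code from the ticket, from Tor Browser or from any add-on: the API names it looks for (ctypes.jsm, nsIProcess and its contract id, nsIComponentRegistrar, nsIFileOutputStream, OS.File.writeAtomic) are the real Firefox ones of that era, while the rule ids, regular expressions and sample extension sources are constructed for this example.

```javascript
'use strict';

// Added example, not code from the ticket or from Tor Browser: a small static
// audit that flags chrome-privileged extension JS reaching for the native-code
// vectors the ticket names. The API names are the real Firefox ones of that
// era; the rule ids, regexes and the sample sources below are constructed.

const RULES = [
  {
    id: 'jsctypes',
    vector: 'js-ctypes: direct FFI calls into native libraries',
    re: /ctypes\.jsm|\bctypes\.(open|declare)\s*\(/,
  },
  {
    id: 'binary-component',
    vector: 'registering a binary XPCOM component at runtime',
    re: /nsIComponentRegistrar|\.autoRegister\s*\(/,
  },
  {
    id: 'launch-process',
    vector: 'launching an external program via nsIProcess',
    re: /nsIProcess\b|@mozilla\.org\/process\/util;1/,
  },
  {
    id: 'file-write',
    vector: 'arbitrary file write (the bootstrap path the ticket notes)',
    re: /nsIFileOutputStream|FileUtils\.openSafeFileOutputStream|OS\.File\.writeAtomic/,
  },
];

// Scan one source file line by line; report every rule hit with its line number.
function auditSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({
          file: fileName,
          line: idx + 1,
          rule: rule.id,
          vector: rule.vector,
          text: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Scan a whole extension (map of file name -> source). Returns all findings
// plus the sorted set of rule ids hit, so a reviewer sees at a glance which
// native-code vectors the add-on would lose if the patch in the ticket landed.
function auditExtension(files) {
  const findings = [];
  for (const [name, src] of Object.entries(files)) {
    findings.push(...auditSource(name, src));
  }
  const vectors = [...new Set(findings.map((f) => f.rule))].sort();
  return { findings, vectors, needsNativeCode: vectors.length > 0 };
}

// Constructed sample extension sources (hypothetical; not from any real add-on).
const SAMPLE_EXTENSION = {
  'bootstrap.js': [
    'Components.utils.import("resource://gre/modules/ctypes.jsm");',
    'const lib = ctypes.open(nativeLibraryPath); // hypothetical path variable',
  ].join('\n'),
  'launcher.js': [
    'const proc = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);',
    'proc.init(exeFile);',
    'proc.run(false, args, args.length);',
  ].join('\n'),
  'prefs.js': [
    'const prefs = Services.prefs.getBranch("extensions.example.");',
    'prefs.setBoolPref("enabled", true);',
  ].join('\n'),
};

if (typeof module !== 'undefined' && require.main === module) {
  const report = auditExtension(SAMPLE_EXTENSION);
  for (const f of report.findings) {
    console.log(`${f.file}:${f.line} [${f.rule}] ${f.vector}\n    ${f.text}`);
  }
  console.log(report.needsNativeCode
    ? 'Add-on reaches native-code vectors'
    : 'No native-code vectors found');
}

if (typeof module !== 'undefined') {
  module.exports = { RULES, auditSource, auditExtension, SAMPLE_EXTENSION };
}
```

Run with `node audit.js` to print the findings for the constructed sample: the ctypes import and `ctypes.open` call in bootstrap.js and the nsIProcess instantiation in launcher.js are flagged, while prefs.js, which only touches preferences, is clean. A regex scan like this is a triage aid, not a sandbox: it catches the direct vectors the ticket proposes removing, but as the ticket itself notes, file read/write access alone remains a bootstrap path until a real process sandbox exists.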


More information about the tor-bugs mailing list