[tor-bugs] #10280 [Firefox Patch Issues]: Torbrowser shouldn't load flash into the process space by default

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 3 23:25:15 UTC 2013


#10280: Torbrowser shouldn't load flash into the process space by default
----------------------------------+---------------------
 Reporter:  mikeperry             |          Owner:
     Type:  enhancement           |         Status:  new
 Priority:  normal                |      Milestone:
Component:  Firefox Patch Issues  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
 Bobnomnom or some troll who is excellent at impersonating him seems to be
 clamoring for blocking all plugins from the Firefox address space,
 including flash.

 In https://gitweb.torproject.org/tor-browser.git/commitdiff/efbc82de0af0c6db05804777777b7177e593f73d, we block
 everything but flash from entering the address space because it *has* been
 shown that arbitrary non-malicious browser plugins *can* be invasive to
 privacy. Culprits include AV plugins that report your browsing history to
 the AV vendor for inspection, and bank authentication plugins that send
 additional identifiable info to sites under certain circumstances.

 Note that neither that patch nor the 'plugin.disable' pref is a
 comprehensive defense for keeping malicious code out of Firefox's address
 space. It really only helps if code is generally well-behaved, but has
 some functionality we simply don't want in the browser at all. In the case
 of AV plugins, they can seriously manipulate the process address space
 during initialization in a way that simply disabling them from the Firefox
 UI won't undo. Moreover, in some cases their hooks and binary patches are
 so custom-tailored to official Firefox binaries that they have caused
 crashes when loaded under TBB. As far as I know, this is not the case for
 flash, which follows the NPAPI interface and doesn't do any other binary
 patching or hooking.

 Truly malicious code has lots of ways to hoist itself into Firefox,
 including but not limited to: writing extensions, XPCOM components, or
 DLLs into the Firefox app or profile directories, injecting DLLs via
 CreateRemoteThread debugger attachment or the AppInit_DLLs registry key,
 modifying system DLLs, and watching for desktop keypress and drawing
 events.

 I don't understand what threat model bob is using to argue for the
 additional exclusion of flash. If flash *was* malicious and you had it
 installed on your system, it could do all of these things if you ever ran
 your normal Firefox browser and it got loaded there. It would then have no
 problems using your user privileges to write the malicious portions of
 itself into your TBB directory using the above or other vectors.

 Perhaps bob can explain the specific issue with flash in this ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10280>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
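As an added defender-side example (not from the ticket, Tor Browser, or Firefox), the following Python script baselines a bundle directory and reports files dropped into, replaced in, or removed from the app and profile trees, which is the planting vector the ticket describes for code that wants into Firefox's address space regardless of any plugin blocklist. The directory layout, file names, and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a planted component would typically use: native libraries,
# packaged extensions, XPCOM/JS components and chrome manifests.
CODE_SUFFIXES = {".dll", ".so", ".dylib", ".xpi", ".js", ".manifest"}

def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }

def audit(root, baseline):
    """Diff the current tree against a trusted baseline manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def loadable_code(paths):
    """Keep only paths the browser could load as code (the ones worth alerting on)."""
    return [p for p in paths if Path(p).suffix.lower() in CODE_SUFFIXES]

def demo():
    """Constructed scenario: baseline a fake bundle tree, then plant a DLL in the
    app directory and replace an extension in the profile, as the ticket describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ext = root / "Data" / "profile" / "extensions"
        ext.mkdir(parents=True)
        (root / "Browser").mkdir()
        (root / "Browser" / "firefox.exe").write_bytes(b"MZ fake browser binary")
        (root / "Data" / "profile" / "prefs.js").write_text('user_pref("plugin.disable", true);\n')
        (ext / "torbutton.xpi").write_bytes(b"PK fake extension")
        baseline = build_manifest(root)  # would be taken from a known-good install
        # Simulate the vectors named in the ticket.
        (root / "Browser" / "unexpected.dll").write_bytes(b"MZ dropped library")
        (ext / "torbutton.xpi").write_bytes(b"PK tampered extension")
        return audit(root, baseline)
```

In real use the baseline manifest is generated right after a verified install and stored outside the bundle directory, since anything with the user's privileges could otherwise rewrite it along with the files.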

