[tor-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
------------------------------------------+----------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Per #22966 it sounds like NoScript is not signed with a developer key (the 'updateKey' feature described here: https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey ). updateKey allows the extension developer to require updates be signed with a key only they control. Without it, Mozilla can rewrite extensions and effectively get arbitrary code execution via an add-on.
There are a few things at play here.
1) We could disable add-on updating altogether to mitigate this in 52.
2) In 59, when the only 'full' add-ons are 'system' add-ons we'll need to figure this out ourselves anywhere. This will probably involve Tor signing Tor Launcher and TorButton with its own system add-on keys. Dev Tools is an open question.
3) In 59, when Web Extensions are around this won't be as big of a concern. Mozilla can't get code execution but could neuter the effect of an add-on or turn it into spyware (assuming we keep extension updating in place). Whether web extensions will support an updateKey mechanism is an open question (they don't now, EFF wants it. Tor might wish to lend support to the argument. If Tor could get another partner repack to join in that would help even more I bet.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online