[tor-bugs] #6152 [Firefox Patch Issues]: Remove Chrome JS direct vectors to arbitrary machine code
----------------------------------+-----------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
We should consider patching Firefox to remove ways that extension-level JS
can execute machine code.
Right now, this includes jsctypes, any ways there might be to load a
binary XPCOM component from a DLL at runtime (these may have been removed
with Firefox 4+'s new-style component registration), and maybe the ability
to launch apps from JS XPCOM.
I contend this doesn't make much sense to do until we have functional
sandboxes, though, because simply the ability to read and write arbitrary
files can be used to bootstrap arbitrary code exec eventually.
It will also break addons that try to use this functionality. Most
notably, Moxie's Convergence relies on jsctypes.
However, once sandboxes are deployed, removing these features will block
the ability of UXSS exploits to directly attack certain system calls. This
will raise the bar for sandbox breakout for these types of bugs.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6152>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online