
Arbitrary code execution through unsanitized browser UI - weinzierl
https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/
======
orf
Well, here is the patch with a relevant test:
[https://reviewboard.mozilla.org/r/215474/diff/3#index_header](https://reviewboard.mozilla.org/r/215474/diff/3#index_header)

Seems to create an iFrame, set the source to
"chrome://global/content/win.xul", then create a div (with a NS) inside it
and set the content to:

    <a onclick="foo()" href="javascript:foo"><script>bar()<\/script>Meh.</a><a href="http://foo/"></a>

The expected result is that the div contents are:

    <a>Meh.</a><a href="http://foo/"></a>

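As an added illustration of what that test is checking (this is example code written for this thread, not the code from the linked patch and not the sanitizer Firefox itself uses): an allow-list HTML fragment sanitizer that turns the test's input into the expected output. Everything not explicitly allowed is dropped: unknown elements are unwrapped, `on*` handlers are removed because they are never on the attribute allow-list, `href` values are kept only when their scheme is http, https or mailto, and `<script>`-like elements disappear together with their bodies. The element and attribute allow-lists are assumptions; the `SAMPLE` string is the markup from the test.

```javascript
'use strict';

// Added example, not code from the linked patch or from Firefox: an
// allow-list sanitizer for HTML fragments that are about to be inserted into
// a privileged UI. Anything not explicitly allowed is dropped: unknown
// elements, inline event handlers, and URL attributes whose scheme is not
// http(s) or mailto. Script-like elements are removed together with their
// contents, not merely unwrapped. The allow-lists below are assumptions.

const ALLOWED_ELEMENTS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'span', 'div']);
const VOID_ELEMENTS = new Set(['br']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class']);
const URL_ATTRS = new Set(['href']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// The markup from the test orf links, used here as sample input.
const SAMPLE = '<a onclick="foo()" href="javascript:foo"><script>bar()</script>Meh.</a><a href="http://foo/"></a>';

// Decode numeric and the basic named entities, so an attacker cannot hide
// "javascript:" from the scheme check as "&#106;avascript:".
function decodeEntities(s) {
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => ({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" })[n]);
}

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// A URL is safe when it is relative (no scheme) or its scheme is allow-listed.
// Control characters and whitespace are stripped first because browsers skip
// them when parsing the scheme, so "java\tscript:" would otherwise get through.
function isSafeUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Keep only allow-listed attributes; event handlers (on*) are never in the list.
function sanitizeAttributes(attrText) {
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  let out = '';
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const raw = m[2] || m[3] || m[4] || '';
    if (!ALLOWED_ATTRS.has(name)) continue;                  // drops onclick="..."
    if (URL_ATTRS.has(name) && !isSafeUrl(raw)) continue;    // drops href="javascript:..."
    out += ` ${name}="${escapeAttr(decodeEntities(raw))}"`;
  }
  return out;
}

// Tokenize into tags, text and stray "<", and rebuild only what is allowed.
function sanitizeFragment(html) {
  const tokenRe = /<(\/?)([a-z][a-z0-9]*)([^>]*)>|([^<]+)|(<)/gi;
  const open = [];        // stack of emitted elements, to close them in order
  let skipUntil = null;   // name of a dropped element whose body we are discarding
  let out = '';
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [, slash, rawName, attrText, text, stray] = m;
    if (rawName === undefined) {
      if (skipUntil === null) out += escapeText(decodeEntities(text !== undefined ? text : stray));
      continue;
    }
    const name = rawName.toLowerCase();
    const closing = slash === '/';
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;   // end of the dropped body
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) skipUntil = name;                        // <script>...</script> vanishes whole
      continue;
    }
    if (!ALLOWED_ELEMENTS.has(name)) continue;               // unknown tag: unwrap, keep children
    if (closing) {
      if (open.length && open[open.length - 1] === name) {   // only close what we opened
        open.pop();
        out += `</${name}>`;
      }
      continue;
    }
    out += `<${name}${sanitizeAttributes(attrText)}>`;
    if (!VOID_ELEMENTS.has(name)) open.push(name);
  }
  while (open.length) out += `</${open.pop()}>`;             // close anything left open
  return out;
}

if (typeof module !== 'undefined' && module.exports) module.exports = { sanitizeFragment, isSafeUrl };
if (typeof module !== 'undefined' && require.main === module) {
  console.log(sanitizeFragment(SAMPLE)); // <a>Meh.</a><a href="http://foo/"></a>
}
```

The point to take from it is the shape, not the tokenizer: a sanitizer for privileged UI must be allow-list and drop-by-default, decode entities and strip control characters before checking a URL scheme, and remove script bodies rather than just their tags. The regex tokenizer here is only good enough for the demonstration (an attribute value containing `>` confuses it); a real implementation should parse with the platform's HTML parser and walk the resulting tree.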
~~~
gsnedders
Nah, that test relies on being run with chrome privileges. Firefox refuses to
even load such a page within an iframe ordinarily.

------
RcouF1uZ4gsC
With regards to severe vulnerabilities such as arbitrary code execution, does
anyone have an idea of the status of the major browsers (chrome, edge, safari,
firefox). What are the relative rankings of these in terms of security?

~~~
quotheth
There is no universal metric for security.

What I will say is that Edge and Firefox are doing an excellent job - I'm
really impressed. Chrome is still the safest browser today, in my opinion.

Site isolation, which was released recently, is a really great example of how
far ahead they are - site isolation is at least 3, maybe 4 years in the
making. That's serious work.

They have had an excellent bounty program. They have project 0 doing advanced
offensive research, much of which has been relevant to browsers.

They fuzz a ton and have managed to solicit others to do the same (not that
other browsers don't/ haven't).

Their sandbox is incredible and constantly evolving. They basically invented
seccomp v2 just to improve their sandboxing stature _on linux_. They
implemented 'forceaslr' before EMET was even a thing to help prevent info
leaks from third party libs.

Their new kernel32.dll unloading mitigation is awesome, and as far as I know
the first instance of such a thing.

I could really go on and on, I'm sure - they have taken incredible proactive
measures and they're just getting better at it.

We can see similar growth in Edge, which has had a sandbox for years. Firefox
has more recently gotten a sandbox and the move to rust is encouraging.

But... yeah, in my opinion, Chrome takes the cake.

~~~
pcwalton
Note that Site Isolation isn't on by default, and I still don't know what
they're going to do about sites that contain hundreds of cross-domain iframes.

~~~
quotheth
My point with site isolation was more their continued effort to push
interesting, compelling security improvements. Currently, from a corp
perspective, enabling site isolation for internal high security websites (SSO
pages etc) is possible with GPO and a big win imo.

Please don't take it the wrong way, I think Firefox is awesome too :)

------
MarkSweep
The bugzilla bug:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1432966](https://bugzilla.mozilla.org/show_bug.cgi?id=1432966)

It sounds like Firefox sometimes injects untrusted HTML into the browser
chrome.

------
matheist
How would an attacker have used this vulnerability? It seems to me that they'd
already have to be able to inject code into the chrome context, to be able to
point it towards content they control. Maybe I misunderstand how this works.

------
duozerk
This is the kind of advisory that comforts me in my choice to use ESR; browsers
are so critical security-wise that it just seems safer. Although if everyone
did that nobody would test new features I guess.

------
riccardoforina
It's funny though how a security related page is insecure because of a
misconfigured third party js.

[https://imgur.com/a/CBftH](https://imgur.com/a/CBftH)
[https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fadmin.br...](https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fadmin.brightcove.com%2Fjs%2FBrightcoveExperiences.js)

------
forgotmypw
Are any of these fixes being backported to 56.x? I am not ready to upgrade to
57+ yet.

~~~
orf
Immediately stop using 56, downgrade to the LTS or upgrade to 57. 56 is _not_
secure and there are a bunch of vulnerabilities in it.

Offtopic: I get the feeling a fair few HN readers don't keep their browsers up
to date for whatever reason. It's troubling, seeing as this is a very
technical and presumably security-conscious audience.

~~~
danjoc
>Immediately stop using 56, downgrade to the LTS or upgrade to 57

58 is the fixed version.

>I get the feeling a fair few HN readers don't keep their browsers up to date
for whatever reason.

That's because 57 was a complete dumpster fire. It broke all the add ons.
Little wonder people would not update. I was a happy FF user for years. My
solution was to dump FF and move on, but I know there are still a lot of
people clinging to 56/52 like debris from a shipwreck. Anyone who points this
out is granted invisibility powers on HN, so I can see how you would be
unaware of this.

~~~
blacksmith_tb
It broke add-ons that weren't being maintained, primarily. It's true that for
some users, this would be very unpleasant, but I have five extensions working
fine here in 59.0b5 (including important security/usability ones like uBlock
Origin and Stylus).

~~~
Khoth
That's not my experience. The addons I use that it broke were all being
maintained, but FF57 didn't provide any API to replace what they were using
before, so their authors reluctantly abandoned them or provided limited,
crippled versions that don't work properly.

------
eat_veggies
Does this affect the Tor browser's ancient version of Firefox?

~~~
jwilk
Tor Browser is based on Firefox 52 ESR. From the article:

 _This issue did not affect […] Firefox 52 ESR._

------
sounds
Mods, could we maybe point the URL to the Mozilla Security Advisory?

[https://www.mozilla.org/en-US/security/advisories/mfsa2018-0...](https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/)

This bug is fixed in Firefox 58.0.1.

~~~
sctb
Sure thing! We've updated the link from
[https://tools.cisco.com/security/center/viewAlert.x?alertId=...](https://tools.cisco.com/security/center/viewAlert.x?alertId=56610).

