Friday, February 22, 2008

Hooray! Firefox 3 fixes some JavaScript Malware

Today I decided to give the recently released Firefox 3 beta 3 a try because it looks like it has some slick new features. Also there seemed to be a rather large emphasis on security and many of us have been waiting patiently to see how and when Mozilla would address JavaScript malware. According to the release notes much of the newly added security features are directed towards Anti-Phishing, Anti-Malware, and more user friendly SSL. Noble pursuits that I’m sure add value, just not what I’m personally into.

I did notice Firefox added protection against cross-site JSON data leaks, which is the vulnerability my Ajax hacking technique used in GMail 2 years ago. So that’s really good. Next I tested my logged-in detection code and to my amazement it appears Mozilla added the same-origin policy to JavaScript console error messages. Where was this documented!? No matter because this is exactly what I was asking them to add last year. Woot!!! Check out the screenshot below. Thanks Mozilla and move over Stefan, perhaps I am influential after all! :)

The downside is that there’s many more forms of JavaScript malware yet to overcome. Attackers can still can still steal a users browser history (CSS hack), perform Intranet Hacking (port scanning, cross-site printing), and who knows about all DNS Rebinding attacks (I didn’t test). Still progress is thankfully being made. It would really have been nice to see integration of SafeHistory, NoScript, and maybe some semblance of Content-Restrictions. Though I have it on good authority that a project is in the works. We’ll hope for Firefox 4.


Anonymous said...

There is another small security improvement: the single quotation marks are now escaped in URLs in the same way it already happened for double quotation marks. This should stop quite a few XSS vectors.

And you can no longer set document.domain to a TLD like "com" or "" - quite a bunch of popular web sites were careless with document.domain and took a value for it from the URL.

Yousif Yalda said...

Wow, nice find. Firefox has changed in terms of it's superior "Security". Haha, I bet Ronald will get a kick out of this release! Nice post Jeremiah, but they have a long way to go until Firefox becomes more stable in relation to web security.

Jeremiah Grossman said...

@Wladimir, ahh nice. Those are worthwhile fixes. And here I thought they weren't paying any attention to this stuff. Kudos to them!

@Yousif, yep. I guess now many of th webapp hackers will have to step up their game. It'll be getting harder now that the problem is being noticed.

Anonymous said...

Another enhancement (it's in bugzilla, but not sure it's documented elsewhere) is FF3 now has document.domain restrictions on file:// URLs to prevent file:// from having access to entire system/shares (I think it limits effective document.domain to current directory).

This prevents the excessive file:// based trust that allowed Windows based file:// XSS hijacks to do full drive browsing, access other drives on system as well as SMB share invocation with UNC (file://///hostname/share, file://///ip.ip.ip.ip/share or admin shares).

I seem to recall they didn't do this with XSS hijack control in mind (ala my Sage + XSS-Proxy stuff), but it prevents that as well.


Jeremiah Grossman said...

@Anton Rager, thanks for the tip, I'll have to take a look into that. Didn't even notice if that type of protection was introduced. Sounds really good to me.

Anonymous said...

Phishing filter bypass trick also doesn't work in FF3:

Busted in FF3

Anonymous said...

Nice but we'll have to face what kind of new vulnerabilities will be introduced in FF 3.x. Battle never finishes.