Mozilla Cuts Down Risk of Code Injection Attacks for Firefox Users

• This hardening process involves removing potentially dangerous artifacts in the codebase.
• It includes rewriting the whole inline scripts and eval()-like functions.

Firefox-maker Mozilla has detailed a proven way to counter code injection attacks. This hardening process involves removing potentially dangerous artifacts in the codebase, including inline scripts and eval()-like functions.

What is the issue?

The removal of inline scripts enhances the security of Firefox’s ‘about’ protocol, more commonly known as ‘about:’ pages. There are several such ‘about:’ pages that allow users to do things like display networking information, see how the browser is configured and view installed plugins.

Mozilla had raised concern that attackers could abuse the ‘about: config’ page to launch code injection attacks.

“Such about: pages provide an interface to reveal internal state of the browser. Most prominently, about:config, which exposes an API to inspect and update preferences and settings which allows Firefox users to tailor their Firefox instance to their specific needs,” explained researchers in a blog post.

How is it tackled?

Mozilla noted that it rewrote all inline event handlers and moved all inline JavaScript code to packaged files for all of the 45 ‘about:’ pages in Firefox. This enabled to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’.

“This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” researchers added.

What other measures are taken?

Another hardening process was implemented by rewriting all use of 'eval()'-like functions from system privileged contexts and from the parent process in the Firefox codebase. However, Mozilla describes it as a ‘dangerous function’ and warns web developers never to use it.

"If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage/extension. More importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible," researchers noted.