Mozilla to Firefox users: Here's how we're protecting you from code injection attacks

Mozilla cleans up Firefox to cut risk of code injection attacks and deter use of a dangerous JavaScript function.
Written by Liam Tung, Contributing Writer

Firefox-maker Mozilla has detailed its recent efforts to harden the browser against code injection attacks. 

That hardening work has focused on removing "potentially dangerous artifacts" in the Firefox codebase, including inline scripts and eval()-like functions, according to Mozilla's content security lead Christoph Kerschbaumer. 

The removal of inline scripts is meant to improve protection for Firefox's 'about' protocol, more commonly known as about: pages.

SEE: 10 tips for new cybersecurity pros (free PDF)    

There are dozens of these about: pages, which allow users to do things like display networking information, see how the browser is configured, and view installed plug-ins. 

Mozilla had some concerns that attackers could use code injection attacks to abuse the about:config page, which "exposes an API to inspect and update preferences and settings, which allows Firefox users to tailor their Firefox instance to their specific needs", Kerschbaumer explains

These about: pages are written in HTML and JavaScript and therefore share the same security model as normal web pages, which are also vulnerable to code injection attacks. An attacker could inject code into that about: page and then change the browser's configuration settings, for example. 

The two-part response to this security risk was to rewrite all inline event handlers and move all inline JavaScript code to "packaged files" for all 45 of the about: pages. Second, Mozilla set a "strong" Content Security Policy to ensure that injected JavaScript code does not execute. 

Now JavaScript code will only execute when loaded from a packaged resource using the internal chrome: protocol. 

"Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks," notes Kerschbaumer. 

Another hardening effort addresses the eval() function in JavaScript, which Mozilla describes as a "dangerous function" and warns web developers never to use. 

"Eval() is a dangerous function, which executes the code it's passed with the privileges of the caller," Mozilla explains in developer support notes

"If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible."

SEE: Mozilla patches Firefox zero-day abused in the wild

Kerschbaumer describes the function as a "powerful yet dangerous tool" that introduces "significant attack surface for code injection, and we discourage its use in favor of safer alternatives".

"We rewrote all use of 'eval()'-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of 'eval()' and its relatives in system-privileged script contexts," he notes. 

The purpose of this measure is to reduce the attack surface in Firefox and further discourage the function's use. 

More on Mozilla and the Firefox browser

Editorial standards