Do/did these bugs apply to PM, and is XUL as bad as claimed?

General project discussion

Moderator: satrow

Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-01, 04:06

From this article -

There's more, but this is how it begins -
It was the year 1997, and people thought XML was a great idea. In fact, it was so much better than its warty and unparseable predecessor HTML. While XHTML was the clear winner and successor for great web applications, it was obvious that XML would make a great user interface markup language to create a powerful cross-platform toolkit dialect. This folly marks the hour of birth for XUL. XUL was created as the XML User Interface Language at Netscape (the company that created the origins of the Mozilla source code. Long story. The younger folks might want to read upon Wikipedia or watch the amazing Movie "Code Rush", which is available on archive.org). Jokingly, XUL was also a reference to the classic 1984 movie Ghostbusters, in which an evil deity called Zuul (with a Z) possesses innocent people.

Time went by and XUL did not take off as a widely-recognized standard for cross-platform user interfaces. Firefox has almost moved from XUL and re-implemented many parts in HTML. Aptly named after an evil spirit, we will see that XUL still haunts us today.
Goes on to discuss scripting/injection flaw and mention a couple of CVEs that he says were fixed in FF 56.

Is the 'XUL is dangerous, mixing XML and Javascript bad' vibe I get from this article justified?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-01, 04:16

Well what I am seeing here is that webextensions, webex static themes (perhaps personas), and devtools are perpetually half-baked pieces of shit that can't cope in privileged settings especially mixed with HTML which should have NO place in a chrome level xul document. This likely also includes half the in-content pages that USED to be pure XUL UIs. You do stupid shit and you get ridiculous issues.

Pale Moon 28 was never vulnerable because the fixes were applied before UXP was created.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-01, 04:27

The biggest problem with XUL I've seen so far in the context of making my own extension is how horribly half assed the documentation is. There is no structure to the MDN website, several APIs are missing examples or just have a 'TODO' in place.

Good documentation should have both a glossary - when you know you want to look up a specific API - and a 'how-to' - when you want to accomplish a task and need to know what APIs are involved. MDN is very fragmented in both cases.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-01, 04:43

The real thing you have to accept when doing things like a XUL application is be aware that at the end of the day and despite extra security principles and such that have been added over the years is that there are TWO main scopes.. Chrome privileges and Content privileges. This largely applies in practicality to the difference between what is in a browser element and what is in the UI. The more you blend and mix them the more care you must take. Mozilla is in a situation now where a lot of the basic barriers are broken down to a point where interaction between them just to make their new grand vision work is biting them in the ass. Even their multiprocess model IPC and sandbox can't make up for how they have busted them selves in a security context. All they can do is reduce the attack surface which means.. killing capabilities.

The real shame in this is if they still did stuff the old way.. It would be far more secure in that context. Copying Chrome's way of doing shit UI wise plus getting anything to do everything has actually compromised that.

Moonchild could explain it more percisely.. Granted I know some basics and of course common sense bullshit but I am not a security expert nor do I play one on television.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-01, 05:40

Like I said once earlier, this grand tradition of throwing everything out or shitting on your legacy goes back to Netscape. I look forward to PM becoming what they once were - i.e. the Phoenix era - strictly in terms of upsetting the status quo as Phoenix did with IE6.
Chrome is the new IE6 and Firefox its sidekick despite pretensions otherwise.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24824
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by Moonchild » 2019-10-01, 07:58

Following Chrome that doesn't care about UI scripting security because, get this, they aren't using the same technologies for their UI, is a dangerous path.
The problem with WEs is that they are designed to be content-only. In their design world, running "chrome scripts" doesn't exist, and there is therefore no attack surface. For Mozilla-based browsers, that isn't the case since the same technology to write web pages is used to build the UI, which is where the two scopes Tobin explained come from, each with their own security model. WEs therefore potentially expose chrome scripting because you're mixing scopes. Chrome doesn't have this problems because there is only one scope: untrusted content, where the UI is built with OS-native controls and not XUL.

This doesn't make XUL bad, no matter how some would like to spin it that way, but it makes the decision to make WEs a thing on it bad. There's a very good reason we closed the door on that security nightmare in UXP. Also, as a result of course, any sec bugs and CVEs related to it will be a big N/A.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

van p
Lunatic
Lunatic
Posts: 332
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by van p » 2019-10-02, 06:41

New Tobin Paradigm wrote:
2019-10-01, 04:43
I am not a security expert nor do I play one on television.
Really? I thought . . . that was you.
Windows 10 Pro x64 v1903 8GB i5-4570 | Pale Moon v28.7.2 x64

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-02, 07:03

Nah, I am inherently unsecure. My tasks involve getting people to things.. Security people's task is to keep people from things.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

van p
Lunatic
Lunatic
Posts: 332
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by van p » 2019-10-02, 08:23

New Tobin Paradigm wrote:
2019-10-02, 07:03
Nah, I am inherently unsecure. My tasks involve getting people to things.. Security people's task is to keep people from things.
That explains it.
Windows 10 Pro x64 v1903 8GB i5-4570 | Pale Moon v28.7.2 x64

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-02, 08:28

Moonchild wrote:
2019-10-01, 07:58
Following Chrome that doesn't care about UI scripting security because, get this, they aren't using the same technologies for their UI, is a dangerous path.
The problem with WEs is that they are designed to be content-only. In their design world, running "chrome scripts" doesn't exist, and there is therefore no attack surface.
Found this article about malicious web extensions affecting both Chrome and Firefox.
The only browser other than IE(for which last time was perhaps 2004) to set off my antivirus warning has been Chrome. And this when I kept it around only as a last resort if a site didn't work in PM or IE, and the only extension I had there was uBO - I got malicious javascript flagged in the cache directory.
I guess we are immune to this sort of thing on PM, or could something like this be done here too, using the older Jetpack/Bootstrap SDK?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-02, 08:38

Against malicious XUL extensions.. No we aren't immune from them. Application extensions extend the application and thus have all the same rights as the application. But it is your responsibility to ensure you only install and use extensions from developers you trust. As for those provided on the Add-ons Site, they are reviewed initially and then periodically checked. However, if someone abuses our service, actions will be swift and final. I can assure you of that. I have a Dalek Task Force always standing by.

NOW I know this is where the fuckwits who harp on the fake security of WebExtensions will come in.. The only response I have to them is "With great power comes great responsibility". Of course drive-by-downloads are basically impossible and attempts at doing something from a system level have provisions in place so that you are unlikely to ever encounter such a situation. However, if you do, you likely have a much bigger problem on your hands on a total system level than just what XUL extensions get side-loaded into the application by some means.

Be smart. Be mindful. Be careful. The best Anti-Virus/Anti-Malware is a functioning brain. When using one of our Applications remember the unspoken System Requirement: A working brain. If you can't be bothered to think and/or be responsible for your own choices.. By all means use a Chrome or Pseudo-Chrome browser, very few to no pesky choices to get in your way. ;)
Last edited by New Tobin Paradigm on 2019-10-02, 08:49, edited 1 time in total.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1136
Joined: 2015-09-30, 23:02
Location: Lincolnshire.UK.

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by Moonraker » 2019-10-02, 08:48

Indeed less could be better.Obviously pale moon extensions library is not as big as chrome but this is the problem,google has FAR too many extensions and there must be multiple examples of single extensions alone and this in itself is a security problem as google do not vet the extensions properly or if at all.Chrome is an awful browser and really firefox should be in it's position.

This is one of many reasons why i prefer using pale moon as my main browser as the extensions are "useful" and there does not need to be thousands of them.My second browser is seamonkey.
Xenial puppy linux 32-bit.
Tahrpup 6.0.5.32 bit.
Pale moon 28.7.2

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-02, 08:52

I would say out of the 19k in the Firefox back catalog.. Only 2000-3000 of them are useful to someone. A wild guess is about 500 of them are of absolute deal breaking importance to the Pale Moon userbase. Back before Tycho, I did 2 day capture of AUS.. Just the ids from the requests, nothing else was stored and that capture has long since been deleted. in 2016 Pale Moon users were only using a little 5k unique extensions by id globally.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-02, 09:00

As far as I can tell, there has never been any case of a malicious XUL extension pwning the system with the old Firefox either. Of course, back then they actually reviewed them before publishing instead of vice versa.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-02, 09:13

Off-topic:
Web Extensions are so secure, that security through complete obscurity is the new mantra :roll:
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24824
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by Moonchild » 2019-10-02, 09:15

moonbat wrote:
2019-10-02, 09:00
As far as I can tell, there has never been any case of a malicious XUL extension pwning the system with the old Firefox either. Of course, back then they actually reviewed them before publishing instead of vice versa.
You are very wrong. Systems got pwned because of malware extensions. But that's not something that was made big news for obvious reasons.
But, this is why the extension blocklist exists (any why disabling it is a very bad idea) so those extensions can be immediately disabled on all systems where they would pose a threat, regardless of how they are installed into the browser (whether through user mis-action or from a system level).
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-02, 09:28

Moonchild wrote:
2019-10-02, 09:15
You are very wrong. Systems got pwned because of malware extensions. But that's not something that was made big news for obvious reasons.
But, this is why the extension blocklist exists (any why disabling it is a very bad idea) so those extensions can be immediately disabled on all systems where they would pose a threat, regardless of how they are installed into the browser (whether through user mis-action or from a system level).
Was it anything as bad as the driveby downloads that IE6 was famous for? I was a hardcore FF user from 2003-11..don't recall anything during this time that affected Firefox like the ones that do now. Seems to me that dumbing down to cater to the lowest common denominator who will blindly click anything and introducing extension compatibility with Chrome has only benefited malware developers. The older crop of Firefox users using XUL extensions were perhaps a little smarter when it came to installing unknown stuff (and Mozilla had a better review process that wasn't automated like now).
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-02, 09:39

It was more about other applications and installers shoving shitty extensions into global directories in a way users couldn't remove or disable.

Drive-by-Downloads of extensions have, to my knowledge, never actually happened but there may be one case I don't know about.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

User avatar
moonbat
Astronaut
Astronaut
Posts: 728
Joined: 2015-12-09, 15:45
Location: Australia

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by moonbat » 2019-10-02, 09:46

I don't mean exactly the same as driveby downloads, but something alarming enough that it got press coverage on a comparable scale, courtesy an extension. Like recently there were several cases of malicious copycats of popular extensions (exactly the same problem in Android-land).

AFAIK there was nothing this bad before. All this fear mongering about XUL extensions being able to do things to your system seems exactly that. They talk as though the new permissions based system is a silver bullet when it clearly isn't.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 19.2 Xfce x64 on HP i5 laptop with 4 GB RAM, always latest versions of PM & Basilisk unless specified.

User avatar
New Tobin Paradigm
Off-Topic Sheriff
Off-Topic Sheriff
Posts: 6184
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: Do/did these bugs apply to PM, and is XUL as bad as claimed?

Unread post by New Tobin Paradigm » 2019-10-02, 12:03

If we hear about it they will be added to the blocklist.. IF they submit them to our Add-ons Site.. They will be EX-TER-MIN-ATED. You know.. The way Mozilla operated for 10 years before they couldn't be bothered.
Image
- Old and insecure for legitimate and reasonable purposes. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Post Reply