How serious are security alerts?

Post by person45 » 2020-01-12, 22:13

There was an exploit in the JIT compiler that was a "type confusion". Does this mean that an .exe file can pretend to be a jpg file? Will Pale Moon then open it?

Will Windows' User Account Control give me a prompt to block it?

Update: "when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion."

Apparently it doesn't mean file types but "objects" in code. Can a malicious person make Pale Moon automatically download and install a virus? What exactly is going on here?


Post by Moonchild » 2020-01-12, 23:02

What you quoted is the type of problem this actively exploited vulnerability used.
The "type confusion" is about what kind of data is stored in a specific block of memory. This can lead to problems, for example if something is written to that memory that isn't the wrong type and doesn't fit in the designated space for that type (a string of characters for example needs more space than a number).
Without going in too much technical detail, this kind of problem can lead to the program crashing in such a way that it could lead to the execution of code that a malicious person pushed to the browser via a web page; that code would be executed with the same rights as the browser program itself and could therefore lead to the downloading and installation of malware with the same rights as the browser's native program code.

In this case, to answer your question in the topic title, the alert was extremely serious because the vulnerability in question had "evidence of being actively exploited" meaning there were malicious persons out there that had taken this beyond a theoretical exploit and actually used it in practice in a malicious way. The same day this vulnerability became known to the browser vendors, the issue was already being used maliciously, hence the term "0-day".

It is therefore incredibly important that everyone updates their browsers immediately. This also goes out to everyone still hanging on to Firefox 52-ESR for legacy extension use: You are vulnerable if you continue using it! Mozilla will not provide a fix for this exploit in that ESR and I suggest in that case that you try Basilisk instead which would give you an almost exactly equal experience as Firefox 52-ESR, but with it building on a safe and patched platform.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

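The mix-up described in the post above, as an added C example (not part of the original thread and not Pale Moon or Firefox code): a constructed `Value` keeps either a number or a short string in the same bytes. The unchecked reader returns a bogus string length when handed a number, while the checked reader refuses it; all names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "engine value": one block of memory shared by two types. */
typedef enum { T_NUMBER, T_STRING } Tag;
typedef struct {
    Tag tag;
    union {
        double number;                                /* valid when T_NUMBER */
        struct { uint32_t len; char data[12]; } str;  /* valid when T_STRING */
    } u;
} Value;

Value make_number(double d) {
    Value v = { .tag = T_NUMBER, .u.number = d };
    return v;
}

Value make_string(const char *s) {
    Value v;
    size_t n = strlen(s);
    memset(&v, 0, sizeof v);
    if (n > sizeof v.u.str.data) n = sizeof v.u.str.data;  /* truncate to fit */
    v.tag = T_STRING;
    v.u.str.len = (uint32_t)n;
    memcpy(v.u.str.data, s, n);
    return v;
}

/* Confused: treats every Value as a string and never looks at the tag. For a
   number, "len" is simply four bytes of the double's bit pattern. */
uint32_t string_length_unchecked(const Value *v) { return v->u.str.len; }

/* Checked: rejects a non-string, and a length larger than the storage. */
int string_length_checked(const Value *v, uint32_t *out) {
    if (v->tag != T_STRING || v->u.str.len > sizeof v->u.str.data) return -1;
    *out = v->u.str.len;
    return 0;
}

int main(void) {
    uint64_t bits = 0x4141414141414141ULL;   /* constructed bit pattern */
    double d;
    uint32_t len = 0;
    memcpy(&d, &bits, sizeof d);
    Value n = make_number(d);
    printf("unchecked=0x%x checked=%d\n", string_length_unchecked(&n), string_length_checked(&n, &len));
    return 0;
}
```

Code that trusted the unchecked length would go on to read far more than the 12 bytes that back the string.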

Post by person45 » 2020-01-12, 23:40

Thanks for the info.

Would the malicious code be allowed through a firewall under the name "palemoon.exe"?

Or would the code be intercepted and considered to be a newly opened program?


Post by moonbat » 2020-01-12, 23:56

It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20 Xfce x64 on HP i5 laptop with 12 GB RAM, always latest versions of PM & Basilisk unless specified.


Post by Moonchild » 2020-01-13, 00:24

moonbat wrote (2020-01-12, 23:56):
> It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.

*sigh* This is not the kind of type confusion this particular exploit was about. Not "file type confusion" but "code object type confusion" in actual C++ code.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Post by person45 » 2020-01-13, 01:05

moonbat wrote (2020-01-12, 23:56):
> It has nothing to do with firewalls.

I was thinking that since the firewall rule allows specifically "palemoon.exe" access to the internet, would there be a way to add another rule to block the malicious code?

If it's all considered the same process under Windows Task Manager, then a basic firewall won't be able to stop the extra code, right?


Post by Moonchild » 2020-01-13, 01:09

A firewall won't help you for this kind of thing; the malicious code would be executed as part of Pale Moon's process.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Post by person45 » 2020-01-13, 09:08

Is it possible for some sort of hash check to ensure the integrity of the core engine?

I'm guessing this would slow down performance if Pale Moon has to guard itself when visiting every website.

I appreciate your fast responses. I'm sorry for the newbie questions taking up your time. I can imagine it's like an automotive engineer talking to a customer, when it should be the local mechanic who handles these things.


Post by Moonchild » 2020-01-13, 09:18

person45 wrote (2020-01-13, 09:08):
> Is it possible for some sort of hash check to ensure the integrity of the core engine?

Not possible. With this kind of vulnerability, all this happens in memory and the actual core engine isn't changed.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Post by person45 » 2020-01-13, 09:26

https://arstechnica.com/information-tec ... t=38507363
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."

Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?


Post by moonbat » 2020-01-13, 09:35

person45 wrote (2020-01-13, 09:26):
> https://arstechnica.com/information-tec ... t=38507363
> "Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."
>
> Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?

I saw that comment, he's confusing this problem with multiprocess browsing (i.e. spawning a separate process for every new tab that is opened) that Chrome introduced. Firefox has implemented the same, so he is incorrect in that statement.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20 Xfce x64 on HP i5 laptop with 12 GB RAM, always latest versions of PM & Basilisk unless specified.


Post by Moonchild » 2020-01-13, 09:58

What they refer to is multi-process browsing and process sandboxing, which Firefox also employs (Electrolysis), and it's clear that that did not stop this vulnerability! A similar issue in Blink would be just as critical.
It's nice to spin this into a PR push of course, but they should stop trying to kick the puppy.
On top, multi-process browsing itself exposes a much larger attack surface internally because all data has to be passed back and forth between processes through a messaging system (IPC). For the record, Mozilla has had to patch over 75 Electrolysis-specific security vulnerabilities (marked as such and only insofar as I have marked them when auditing sec bugs) since they introduced it, most of which were high or critical security rating... I'm gathering for Chrome it would be the same.

If you want to talk about type confusion issues, that risk is much greater when using IPC because the sending and receiving end are disconnected and what in a single process would be one variable of one type (and confusion therefore isn't possible since it's literally the same object) needs an exact match in the content and master process or you'd have the same issue (in the master process, meaning with elevated privilege).

I hope you can still follow all this :)
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

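An added example, not from the thread and not Mozilla's or Pale Moon's IPC code, of a receiving process that accepts a message only when its declared type and length match one shape it knows. The wire format, `decode_msg` and the message names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format: [type:1][len:2 little-endian][payload:len]. */
enum { MSG_NUMBER = 1, MSG_TEXT = 2 };
enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_BAD_TYPE = -2, DEC_BAD_LENGTH = -3 };

typedef struct {
    uint8_t type;
    double  number;      /* set for MSG_NUMBER */
    char    text[32];    /* set for MSG_TEXT, always NUL-terminated */
} Msg;

/* Receiving side: nothing in buf is trusted, including its own type and
   length fields. Each type has exactly one accepted payload shape. */
int decode_msg(const uint8_t *buf, size_t buflen, Msg *out) {
    if (buflen < 3) return DEC_TRUNCATED;
    size_t len = (size_t)buf[1] | ((size_t)buf[2] << 8);
    if (len != buflen - 3) return DEC_BAD_LENGTH;     /* declared vs. actual */
    const uint8_t *p = buf + 3;
    memset(out, 0, sizeof *out);
    switch (buf[0]) {
    case MSG_NUMBER:
        if (len != sizeof out->number) return DEC_BAD_LENGTH;
        memcpy(&out->number, p, sizeof out->number);
        break;
    case MSG_TEXT:
        if (len >= sizeof out->text) return DEC_BAD_LENGTH;  /* room for NUL */
        memcpy(out->text, p, len);
        break;
    default:
        return DEC_BAD_TYPE;                          /* unknown tag: refuse */
    }
    out->type = buf[0];
    return DEC_OK;
}

/* Constructed messages: valid text; a 2-byte payload tagged as a number. */
static const uint8_t good_text[]  = { MSG_TEXT, 2, 0, 'h', 'i' };
static const uint8_t bad_number[] = { MSG_NUMBER, 2, 0, 'h', 'i' };

int main(void) {
    Msg m;
    int a = decode_msg(good_text, sizeof good_text, &m);
    int b = decode_msg(bad_number, sizeof bad_number, &m);
    printf("text: %d, mismatched number: %d\n", a, b);
    return 0;
}
```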

Post by moonbat » 2020-01-13, 10:17

I saw the rest of that thread - all claiming that moving their code from C++ to Rust will fix all these problems :roll:

If it ain't broke..
Off-topic:
Meanwhile, I've been going through XUL/XPCOM documentation or what's left of it - and it is a disgrace that in more than a decade they couldn't hire anyone competent to complete the damn thing, let alone structure it properly while tilting at windmills with dozens of now defunct projects in addition to this whole Rust and e10s.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20 Xfce x64 on HP i5 laptop with 12 GB RAM, always latest versions of PM & Basilisk unless specified.


Post by Moonchild » 2020-01-13, 10:32

moonbat wrote (2020-01-13, 10:17):
> moving their code from C++ to Rust will fix all these problems

It won't. Rust is not a magic wand to fix bad coding or mistakes. In fact, Rust isn't strongly-typed and the moment you have inferred types, this very same problem can occur.
Also, I don't think Rust is at all suitable to implement any sort of fast paths that require the low-level gritty but raw power of C++ and assembler. A JavaScript interpreter/compiler written in Rust? A laughable idea, I think.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Post by Moonraker » 2020-01-13, 10:51

Would it be safe to assume that this is more of a threat to Windows users rather than Linux, or does it not matter?
Apparently Mozilla are attempting to copy the sandboxing model of Chromium, but this is dependent on the operating system used, and I was under the impression that Firefox had already attained this, or I am possibly wrong.
Xenial puppy linux 32-bit.

Pale moon 28.9.3


Post by moonbat » 2020-01-13, 12:12

Moonraker wrote (2020-01-13, 10:51):
> Apparently Mozilla are attempting to copy the sandboxing model of Chromium, but this is dependent on the operating system used, and I was under the impression that Firefox had already attained this, or I am possibly wrong.

They have, that was what they called 'Electrolysis' or e10s, and the reason given for dropping XUL. Firefox has been multi-process like Chrome for a while, but I guess their codebase must be a mess now from the drastic changes, to say nothing of this move to Rust.

Moonchild wrote (2020-01-13, 10:32):
> A JavaScript interpreter/compiler written in Rust? A laughable idea, I think.

Doing everything with JavaScript is the new fashion these days - combined with using the browser for everything, which seems to be why they're throwing everything and the kitchen sink into the HTML standard from Dolby sound to gamepad support to VR.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20 Xfce x64 on HP i5 laptop with 12 GB RAM, always latest versions of PM & Basilisk unless specified.


Post by Isengrim » 2020-01-13, 12:58

Moonraker wrote (2020-01-13, 10:51):
> Would it be safe to assume that this is more of a threat to Windows users rather than Linux, or does it not matter?

I am a Linux user and I would not take that chance.
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story


Post by Moonchild » 2020-01-13, 13:13

Moonraker wrote (2020-01-13, 10:51):
> Would it be safe to assume that this is more of a threat to Windows users rather than Linux, or does it not matter?

Definitely not safe to assume that. In fact, by far the biggest volume of crashes has been on mobile (Fennec on Android) according to the bug stats, so what is safe to assume is that this was actively exploited on all platforms with heavy bias towards *nix-like.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Post by moonbat » 2020-01-13, 13:16

Moonchild wrote (2020-01-13, 13:13):
> Definitely not safe to assume that. In fact, by far the biggest volume of crashes has been on mobile (Fennec on Android) according to the bug stats, so what is safe to assume is that this was actively exploited on all platforms with heavy bias towards *nix-like.

Oh crap. I just switched to Fennec on my phone a few days ago. They'll take their own time to patch it, looks like. Current version says 68, but I don't know if it's in sync with desktop Firefox.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20 Xfce x64 on HP i5 laptop with 12 GB RAM, always latest versions of PM & Basilisk unless specified.


Post by Moonchild » 2020-01-13, 14:22

moonbat wrote (2020-01-13, 13:16):
> Current version says 68, but I don't know if it's in sync with desktop Firefox.

It's fixed in 68.4.1
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose