How serious are security alerts?

[person45]

There was an exploit in the JIT compiler that was a "type confusion". Does this mean that an .exe file can pretend to be a jpg file? Will Pale Moon then open it?

Will Windows' User Account Control give me a prompt to block it?

Update: "when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion."

Apparently it doesn't mean file types but "objects" in code. Can a malicious person make Pale Moon automatically download and install a virus? What exactly is going on here?

[Moonchild]

What you quoted is the type of problem this actively exploited vulnerability used.
The 'type confusion" is about what kind of data is stored in a specific block of memory. This can lead to problems, for example if something is written to that memory that isn't the wrong type and doesn't fit in the designated space for that type (a string of characters for example needs more space than a number).
Without going in too much technical detail, this kind of problem can lead to the program crashing in such a way that it could lead to the execution of code that a malicious person pushed to the browser via a web page; that code would be executed with the same rights as the browser program itself and could therefore lead to the downloading and installation of malware with the same rights as the browser's native program code.

In this case, to answer your question in the topic title, the alert was extremely serious because the vulnerability in question had "evidence of being actively exploited" meaning there were malicious persons out there that had taken this beyond a theoretical exploit and actually used it in practice in a malicious way. The same day this vulnerability became known to the browser vendors, the issue was already being used maliciously, hence the term "0-day".

It is therefore incredibly important that everyone updates their browsers immediately. This also goes out to everyone still hanging on to Firefox 52-ESR for legacy extension use: You are vulnerable if you continue using it! Mozilla will not provide a fix for this exploit in that ESR and I suggest in that case that you try Basilisk instead which would give you an almost exactly equal experience as Firefox 52-ESR, but with it building on a safe and patched platform.

[person45]

Thanks for the info.

Would the malicious code be allowed through a firewall under the name "palemoon.exe"?

Or would the code be intercepted and considered to be a newly opened program?

[moonbat]

It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.

[Moonchild]

It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.

*sigh* This is not the kind of type confusion this particular exploit was about. Not "file type confusion" but "code object type confusion" in actual C++ code.

[person45]

It has nothing to do with firewalls.

I was thinking that since the firewall rule allows specifically "palemoon.exe" access to the internet, would there be a way to add another rule to block the malicious code?

If it's all considered the same process under windows task manager, then a basic firewall won't be able to stop the extra code, right?

[Moonchild]

A firewall won't help you for this kind of thing; the malicious code would be executed as part of Pale Moon's process.

[person45]

Is it possible for some sort of hash check to ensure the integrity of the core engine?

I'm guessing this would slow down performance if Pale Moon has to guard itself when visiting every website.

I appreciate your fast responses. I'm sorry for the newbie questions taking up your time. I can imagine it's like an automotive engineer talking to a customer, when it should be the local mechanic who handles these things.

[Moonchild]

Is it possible for some sort of hash check to ensure the integrity of the core engine?

Not possible. With this kind of vulnerability, all this happens in memory and the actual core engine isn't changed.

[person45]

https://arstechnica.com/information-tec ... t=38507363
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."

Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?

[moonbat]

https://arstechnica.com/information-tec ... t=38507363
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."

Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?

I saw that comment, he's confusing this problem with multiprocess browsing (i.e. spawning a separate process for every new tab that is opened) that Chrome introduced. Firefox has implemented the same, so he is incorrect in that statement.

[Moonchild]

What they refer to is multi-process browsing and process sandboxing, which Firefox also employs (Electrolysis), and it's clear that that did not stop this vulnerability! A similar issue in Blink would be just as critical.
It's nice to spin this into a PR push of course, but they should stop trying to kick the puppy.
On top, multi-process browsing itself exposes a much larger attack surface internally because all data has to be passed back and forth between processes through a messaging system (IPC). For the record, Mozilla has had to patch over 75 electrolysis-specific security vulnerabilities (marked as such and only insofar I have marked them when auditing sec bugs) since they introduced it, most of which were high or critical security rating... I'm gathering for Chrome it would be the same.

If you want to talk about type confusion issues, that risk is much greater when using IPC because the sending and receiving end are disconnected and what in a single process would be one variable of one type (and confusion therefore isn't possible since it's literally the same object) needs an exact match in the content and master process or you'd have the same issue (in the master process, meaning with elevated privilege).

I hope you can still follow all this

[moonbat]

I saw the rest of that thread - all claiming that moving their code from C++ to Rust will fix all these problems

If it ain't broke..

Off-topic:
Meanwhile, I've been going through XUL/XPCOM documentation or what's left of it - and it is a disgrace that in more than a decade they couldn't hire anyone competent to complete the damn thing, let alone structure it properly while tilting at windmills with dozens of now defunct projects in addition to this whole Rust and e10s.

[Moonchild]

moving their code from C++ to Rust will fix all these problems

It won't. Rust is not a magic wand to fix bad coding or mistakes. In fact, Rust isn't strongly-typed and the moment you have inferred types, this very same problem can occur.
Also, I don't think Rust is at all suitable to implement any sort of fast paths that require the low-level gritty but raw power of C++ and assembler. A JavaScript interpreter/compiler written in Rust? A laughable idea, I think.

[Moonraker]

Would it be safe to assume that this is more of a threat to windows users rather than linux or does it not matter.?.
Apparently mozilla are attempting to copy the sandboxing model of chromium but this dependent on operating system used and i was under the impression that firefox had already attained this or i am possibly wrong.

[moonbat]

Apparently mozilla are attempting to copy the sandboxing model of chromium but this dependent on operating system used and i was under the impression that firefox had already attained this or i am possibly wrong.

They have, that was what they called 'Electrolysis' or e10s, and the reason given for dropping XUL. Firefox has been multi-process like Chrome for a while, but I guess their codebase must be a mess now from the drastic changes, to say nothing of this move to Rust.

A JavaScript interpreter/compiler written in Rust? A laughable idea, I think.

Doing everything with Javascript is the new fashion these days - combined with using the browser for everything, which seems to be why they're throwing everything and the kitchen sink into the HTML standard from Dolby sound to gamepad support to VR.

[Isengrim]

Would it be safe to assume that this is more of a threat to windows users rather than linux or does it not matter.?.

I am a Linux user and I would not take that chance.

[Moonchild]

Would it be safe to assume that this is more of a threat to windows users rather than linux or does it not matter.?.

Definitely not safe to assume that. In fact, by far the biggest volume of crashes has been on mobile (Fennec on Android) according to the bug stats, so what is safe to assume is that this was actively exploited on all platforms with heavy bias towards *nix-like.

[moonbat]

Definitely not safe to assume that. In fact, by far the biggest volume of crashes has been on mobile (Fennec on Android) according to the bug stats, so what is safe to assume is that this was actively exploited on all platforms with heavy bias towards *nix-like.

Oh crap. I just switched to Fennec on my phone a few days ago. They'll take their own time to patch it, looks like. Current version says 68, but I don't know if it's in sync with desktop Firefox.

[Moonchild]

Current version says 68, but I don't know if it's in sync with desktop Firefox.

It's fixed in 68.4.1