Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)
Credit to Author: Paul Ducklin| Date: Wed, 29 Jun 2022 16:11:55 +0000
This month’s scheduled Firefox release is out, with the new 102.0 version patching 19 CVE-numbered bugs.
Despite the large number of CVEs, the patches don’t include any bugs already being exploited in the wild (known in the jargon as zero-days), and don’t include any bugs labelled Critical.
Perhaps the most significant patch is the one for CVE-2022-34479, entitled: A popup window could be resized in a way to overlay the address bar with web content.
This bug allows a malicious website to create a popup window and then resize it to overwrite the browser’s own address bar.
Fortunately, this address bar spoofing bug only applies to Firefox on Linux; on other operating systems, the bug apparently can’t be triggered.
As you know, the browser’s own visual components, including the menu bar, search bar, address bar, security alerts, HTTPS padlock icon and more, are supposed to be shielded from manipulation by untrusted web pages rendered by the browser.
These sacrosanct user interface components are known in the jargon as chrome (from which Google’s browser gets its name, in case you were wondering).
Browser chrome is off-limits to web pages for obvious reasons – to prevent bogus websites from misrepresenting themselves as trustworthy.
This means that even though phishing sites often reproduce the look-and-feel of a legitimate website with uncanny precision, they aren’t supposed to be able to trick your browser into presenting them as if they were downloaded from a genuine URL.
Image-based RCEs
Intriguingly, this month’s fixes includes two CVES that have the same bug title, and that permit the same security misbehaviour, even though they’re otherwise unrelated and were found by different bug-hunters.
CVE-2022-34482 and CVE-2022-34482 are both headlined: Drag and drop of malicious image could have led to malicious executable and potential code execution.
As the bug name suggests, these flaws mean that an image file that you save to your desktop by dragging-and dropping it from Firefox could end up saved to disk with an extension such as .EXE
instead of with the more innocent extension you were expecting, such as .PNG
or .JPG
.
Given that Windows annoyingly (and wrongly, in our opinion), doesn’t show you file extensions by default, these Firefox bugs could lead to you to trust the file you just dropped onto your desktop, and therefore to open it without ever being aware of its true filename.
(If you save the file by more traditional means such as Right click > Save Image As…, the full filename, complete with extension, is revealed.)
These bugs aren’t true remote code execution (RCE) vulnerabilities, given that an attacker needs to persuade you to save content from a web page onto your computer and then to open it up from there, but they do make it much more likely that you would launch a malicious file by mistake.
As an aside, we strongly recommend that you tell Windows to show all file extensions, instead of secretly suppressing them, by changing the File name extensions option in File Explorer.
Fixes for Follina!
Last month’s Big Bad Windows Bug was Follina, properly known as CVE-2022-30190.
Follina was a nasty code execution exploit whereby an attacker could send you a booby-trapped Microsoft Office document that linked to a URL starting with the characters ms-msdt:
.
That document would then automatically run PowerShell code of the attacker’s choice, even if all you did was browse to the file in Explorer with the preview pane turned on.
Firefox has weighed in with additional mitigations of its own by essentially “disowning” Microsoft’s proprietary URL schemes starting with ms-msdt:
and other potentially risky names, so they no longer even ask you if you want to process the URL:
The
ms-msdt
,search
, andsearch-ms
protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.
What to do?
Just visit Help > About Firefox to check what version you’re on – you’re looking for 102.0.
If you’re up-to-date then a popup will tell you so; if not, the popup will offer to start the update for you.
If you or your company has stuck to the Firefox Extended Support Release (ESR), which includes feature updates only every few months but delivers security updates whenever needed, you’re looking for ESR 91.11.
Remember that ESR 91.11 denotes Firefox 91 with 11 updates’ worth of security fixes, and because 91+11 = 102, you can easily tell that you’re level with the latest mainstream version as far as security patches are concerned.
Linux and BSD users who have installed Firefox via their distro will need to check with their distro for the needed update.