1. -3

  2. 7

    Turn off JS then? Isn’t this what a modern browser is by definition? A tool that executes arbitrary code from URLs I throw at it?

    1. 6

      I am one of those developers who surfs the web with “javascript.options.wasm = false” and NoScript to block just about 99% of all websites from running any JavaScript on my home machine unless I explicitly turn it on. I’ve also worked on various networks where JavaScript is just plain turned off and can’t be turned on by regular users. I’ve heard some, sadly confidential, war stories that have led to these policies. They are similar in nature to what the author states in his Medium post.

      If you want to run something, run it on your servers and get off my laptop, phone, TV or even production machines. Those are mine, and if your website can’t handle it, then your website is simply terrible from a user experience viewpoint, dreadfully inefficient and doomed to come back hunting you when you are already in a bind because of an entirely different customer or issue. As a consequence of this way of thinking, a few web-driven systems I wrote more than a decade ago are still live and going strong without a single security incident and without any performance issues, while at the same time reaping the benefits of the better hardware they’ve been migrated to over the years.

      Therefore it is still my firm belief that a browser is primarily a tool to display content from random URLs I throw at it and not an application platform which executes code from the URLs thrown at it.

      1. ~

        That’s a fine and valid viewpoint to have, and you are more than welcome to disable JS. But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself? I don’t really understand what your complaint is.

        1. ~

          But as a person who wants to use the web as an application platform, are you suggesting that browsers should neglect people like myself?

          I don’t think so. But using Web Applications should be opt-in, not opt-out.

        2. ~

          By the same stretch of logic you could claim any limited subset of functionality is the only thing computers should do in the name of varying forms of “security.”

          Perhaps something like: “The computer is a tool for doing computation, not displaying things to me and potentially warping my view of reality with incorrect information or emotionally inflammatory speech. This is why I have removed any form of internet connectivity.”

        3. 7

          This is not a bug and it’s not RCE. JavaScript and headers are red herrings here. If you request some URL from a server, you’re going to receive what that server chooses to send you, with or without a browser. There’s a risk in that to be sure, but it’s true by design.

          1. ~

            Turn off your network and you should eliminate the threat. Turn your computer off completely for a safer mitigation.

          2. 7

            Welcome to browsers. This is literally a core function of how browsers work these days and is completely intended. I’m as much of a security and anti-js advocate as anyone, but this entire post brings down the quality of discussion massively. This is not a “Undetectable Remote Arbitrary Code Execution” by any stretch of the term, you would deservedly get laughed out of the room by every security professional if you said that. Nothing about this is arbitrary code execution, please show me where you run a system command (and please reach out to me with all V8 exploits, I need a new one for research).

            1. ~

              Oh, this is a bit rich: closed by Frederik Braun with a link to this discussion.

                1. 7

                  Okay, I’ll bite.

                  it was suggested by a Mozilla developer to file a bug here: https://wandering.shop/@callahad/100621620793416331/embed

                  I agree with what @callahad@wandering.shop says right away: If you browse to a website. It gives you JavaScript. The browser executes it. That’s by design! Nowadays, the web is specified by W3C and WHATWG as an application platform. You have to accept that the web is not about hypertext anymore.

                  This is not a bug in Firefox. Are you saying that these attacks are not possible?

                  I am saying that this is not specific to Firefox, but inherent to the browser as a concept.

                  Bugzilla is not a discussion forum. Indeed this is a bug report.

                  Ah, here’s where we disagree. I understand that a bug is an ambiguous concept. This is why we have our Bugzilla etiquette, which also contains a link to Mozilla’s bug writing guidelines.

                  Furthermore, what you seek to discuss is not specific to Mozilla or Firefox. True. Several other browsers are affected too, but:

                  1. This doesn’t mean that it’s not a bug in Firefox
                  2. As a browser “built for people, not for profit” I think you are more interested in the topic.

                  Please elaborate, I am not sure what you mean to imply.

                  1. ~

                    Okay, I’ll bite.

                    +1! I’m Italian! I’m very tasty! ;-)

                    Bugzilla is not a discussion forum. Indeed this is a bug report.

                    Ah, here’s where we disagree. I understand that a bug is an ambiguous concept. This is why we have our Bugzilla etiquette, which also contains a link to Mozilla’s bug writing guidelines.

                    I’m pretty serious with netiquette, and I checked them before writing the report.
                    I’m very sorry if I violated one of your etiquette rules, but honestly I cannot see which one.

                    Even about bug writing I tried my best; what exactly did I get wrong?

                    Note that this is not a single RCE, but a whole category of them.
                    And the problem is not just the JavaScript attacks themselves, but the fact that they can remove all evidence.

                    Furthermore, what you seek to discuss is not specific to Mozilla or Firefox.

                    True. Several other browsers are affected too, but:

                    • This doesn’t mean that it’s not a bug in Firefox
                    • As a browser “built for people, not for profit” I think you are more interested in the topic.

                    Please elaborate, I am not sure what you mean to imply.

                    As a Firefox user (and “evangelist”) from version 0.8 I know Mozilla as a brand that cares about people.

                    Even the word you used, “people” instead of “users”, has always been inspirational to me.

                    Now, the issue here is specifically dangerous because not all people live under the same law.
                    Thus I think (and hope) that Mozilla is more interested in the safety of such people than other browser vendors that are led by profit.

                    I agree with what @callahad@wandering.shop says right away: If you browse to a website. It gives you JavaScript. The browser executes it. That’s by design! Nowadays, the web is specified by W3C and WHATWG as an application platform. You have to accept that the web is not about hypertext anymore.

                    I worked (and still work) on such an application platform for 20 years; I think I have understood that pretty well.

                    The point is whether such an application platform is broken at the design level or not.

                    This is not a bug in Firefox. Are you saying that these attacks are not possible?

                    I am saying that this is not specific to Firefox, but inherent to the browser as a concept.

                    Sorry if I ask it again, but I’m pretty dumb.

                    Are the attacks described in the bug report possible in Firefox, or not?

                    1. ~

                      Here’s the key, I think. Firefox’s implementation of the relevant standards is, as far as we know, correct. The standards themselves are buggy, and should be reported to the relevant standards bodies, not to Mozilla’s bugzilla.

                      1. ~

                        As far as I know, this is not how WHATWG’s Living Standards work.

                        Also Mozilla is part of the standard body we are talking about.

                  2. 9

                    This is just trolling, and I’ll assume you know it. What are you trying to achieve?

                    Can we expect reports against the Linux kernel and bash because they facilitate inserting a USB stick given by some other party and running a shell script that’s free to read files in your home directory? Against Debian/apt for executing install scripts obtained from user specified package repositories?

                2. ~

                  NOTE: every browser executing JavaScript and honouring HTTP cache-control headers is equally vulnerable.

                  1. ~

                    this isn’t a vulnerability

                    1. ~

                      Are the attacks described in the bug report possible, or not?

                      1. ~

                        this bug report is just an attempt to get more readers for your medium article

                        1. ~

                          I’m seriously concerned by this attitude among IT people.
                          My question is simple and has a boolean answer.

                          Are the attacks described in the bug report possible, or not?

                          1. ~

                            It’s true that if you access a website without using Tor and without JavaScript disabled you can be fingerprinted and served targeted content, and your browser may execute the JavaScript. It is incorrect to report this as a bug in Firefox because this is intended behavior. “Remote Arbitrary Code Execution” has a specific definition which this doesn’t fall under. The problem you identified is real but the way you are raising the topic is counterproductive. Also, if you randomly make words bold it makes the tone of your post somewhat unhinged.

                            1. ~

                              Can you share with me the exact definition of “Remote Arbitrary Code Execution”?

                              The problem you identified is real but the way you are raising the topic is counterproductive.

                              I’m sorry about that.
                              I talked about it with a Mozilla developer who told me to file a bug report at bugzilla.mozilla.org.
                              An Italian lawyer specialized in IT suggested doing the same.

                              I spent two hours writing the report in the most clear and polite way (after searching for existing reports and reading the guidelines).

                              After 30 minutes it was closed as “RESOLVED INVALID” by @freddyb without saying whether Firefox’s users can be targets of these attacks.

                              As of now, this thread has been flagged as spam 3 times and as off-topic 6 times.
                              I’ve been called a troll once and given ironic suggestions to disable JavaScript as if I was concerned about my own security.

                              Also, when asked how I would fix the issue I provided plenty of suggestions.

                              And yet, nobody answered this simple question: are the attacks described there possible?
                              Are Firefox users around the world vulnerable to them?

                              But yes, I’m sorry for the tone…

                                .-'---`-.
                              ,'          `.
                              |             \
                              |              \
                              \           _  \
                              ,\  _    ,'-,/-)\
                              ( * \ \,' ,' ,'-)
                               `._,)     -',-')
                                 \/         ''/
                                  )        / /
                                 /       ,'-'
                              
                              
                  2. ~

                    Undetectable…? You don’t have an automated packet intercept system running on your LAN, replete with fast query UIs for anomaly detection, historical payload inspection, graphical diffs, & checksums? /s

                    I just don’t see this as a bug. I mean, is that roughly what you think Firefox needs to be providing? Or stop-the-web until everything is secure? I just can’t agree.

                    If you pull up somebody’s URL [0], you trust to run their code. If they use a CDN, they are trusting the CDN. Transitive trust. That’s how it works. If there are specific CDNs you distrust, specifically block them by domain.

                    [0] with prior authorization, of course (who doesn’t?!)

                    1. ~

                      Ah, I think I understand what the problem is now. Is it the word Arbitrary? When security people say “arbitrary code execution” they refer to code of the attacker’s liking. And in this case, it is far from true! For example, browsers do not allow web applications to remove local files or read your browser history.

                      The features we expose to JavaScript undergo a lot of scrutiny. The right term, to describe the web APIs exposed by browsers would be “Turing complete”. That means you can compute any possible mathematical algorithm that can also be described by a Turing machine.

                      1. ~

                        Ah, I think I understand what the problem is now. Is it the word Arbitrary?

                        Maybe.

                        I’m not a native English speaker and I do not have a CS degree, so I only borrow from my experience and self-taught knowledge.

                        According to Wikipedia

                        In computer security, “arbitrary code execution” is used to describe an attacker’s ability to execute any command of the attacker’s choice on a target machine or in a target process.

                        Let’s imagine I’m an attacker: I want to put illegal contents in the browser cache and then post them on a public forum online through the victim’s browser. Or I want to verify open ports on his computer or LAN (this also requires control of a DNS). Or I want to use the computers of some Chinese people to mine Bitcoin to earn something while putting them in trouble.

                        I could go on for a while…

                        As I wrote in the bug report, an attacker can easily get control of several victim’s resources like

                        • their IP
                        • their bandwidth
                        • their computing power
                        • their RAM
                        • their disk (through browser cache)

                        Now, I’m not a security expert, but to my untrained eye these seem enough resources to carry out a wide range of attacks.
                        That should satisfy the “any” in the definition above well enough to make the “arbitrary” qualification appropriate.

                        For example, browsers do not allow web applications to […] read your browser history.

                        Mmm, let me try, just for fun.

                        Suppose that I know you (as explained in the bug report, a precondition of the attacks is being able to identify the targets).

                        I want to know if you visited certain pages.

                        Can I construct a timing attack against your cache to discover if specific contents are there?

                        That means you can compute any possible mathematical algorithm that can also be described by a Turing machine.

                        I think I know what a Turing machine is, but thanks for the recap! ;-)

                        The problem is that, if the attacker can control a Turing-complete interpreter on the victim machine (with access to resources like the ones listed above), she is able to construct several attacks that might hurt the victim or a third party. Leaving NO evidence.

                        In a way, this is a UI issue: mainstream browsers do not make the risks evident and explicit to people.
                        And the fact that SRI is not yet mandatory for web pages running JavaScript is a bad sign of their own understanding of the matter.

                        So, as dumb as I am, I have to ask you again to answer this simple question:

                        Are the attacks described in the bug report possible in Firefox, or not?

                        Are Firefox’s users worldwide vulnerable to them?

                        If not, please explain how Firefox prevents them.
                        In the bug report, because this thread, despite being referenced in a security issue of a major browser, has been downvoted so much (-7 off-topic, -3 spam) that most interested developers will never see it.

                        Otherwise, reopen the bug report and give it a proper priority, thinking about the severity of the threat for your users worldwide.

                        1. ~

                          Lobsters is not an appropriate place to troll Firefox security. Stop.

                          @freddyb I’m sorry about this bizarre thread.