Tighter security coming in Firefox 4 – (Including silent updates?)

A new JavaScript engine, HTML5, tabs on top, and a new add-on framework are not the only improvements that users can expect in Firefox 4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.

One of the biggest fixes that’s been implemented in the Firefox 4 beta (Windows | Mac | Linux) repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS sniffing history attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevent all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox’s director of development, Jonathan Nightingale. Changing an already-visited link’s colors is one the most-used features of the Web, and it would be catastrophic to prevent that.

Mozilla’s David Baron figured out how to solve the problem with a three-pronged approach that focuses on the user instead of the Web site. His solution limits what aspect of links can be tweaked to color, then "lies" through JavaScript so that although the page queries the link and reports back what it would look like if it was unvisited, the one that Mozilla’s engine draws is the correct one, whether it’s been visited or not. This solution also limits the amount of computation that the rendering engine needs to do, said Nightingale, which allows the focus to remain on the content and reduces the overall "heavy lifting" required to render it properly. "By limiting the link, there’s fewer options for [link exploits that look like] dancing bananas."

Nightingale added that Wednesday’s release of Safari 5.0.1 has incorporated the fix.

Another type of bug addressed in the Firefox 4 beta is an XSS primary scripting exploit.  […]

Other changes in Firefox 4 promise to be less technical. Firefox’s approach to browser updates is changing, and sounds like in some cases it will more closely resemble Google Chrome’s automatic updates. "There are updates that we want you to know about, and that you’ll have a choice to install or not, but there’s also updates that we just want to get our security patches out," said Nightingale. Those silent updates will be rolled out first to Windows users because Windows experience the most security risks, he said, but Mac and Linux users will eventually see them, too.

CNET Download Blog

Leave a Reply