[tor-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 19 04:16:21 UTC 2017
#22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
------------------------------------------+----------------------
Reporter: tom | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Per #22966 it sounds like NoScript is not signed with a developer key (the
'updateKey' feature described here: https://developer.mozilla.org/en-US
/Add-ons/Install_Manifests#updateKey )
updateKey allows the extension developer to require updates be signed with
a key only they control. Without it, Mozilla can rewrite extensions and
effectively get arbitrary code execution via an add-on.
There's a few things at play here.
1) We could disable add-on updating all together to mitigate this in 52.
2) In 59, when the only 'full' add-ons are 'system' add-ons we'll need to
figure this out ourselves anywhere. This will probably involve Tor signing
Tor Launcher and TorButton with its own system add-on keys. Dev Tools is
an open question.
3) In 59, when Web Extensions are around this won't be as big of a
concern. Mozilla can't get code execution but could neuter the effect of
an add-on or turn it into spyware (assuming we keep extension updating in
place). Whether web extensions will support an updateKey mechanism is an
open question (they don't now, EFF wants it. Tor might wish to lend
support to the argument. If Tor could get another partner repack to join
in that would help even more I bet.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list