[tor-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 19 09:07:07 UTC 2017
#22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
--------------------------------------+--------------------------
Reporter:  tom                        | Owner:         tbb-team
Type:      defect                     | Status:        new
Priority:  Medium                     | Milestone:
Component: Applications/Tor Browser   | Version:
Severity:  Normal                     | Resolution:
Keywords:                             | Actual Points:
Parent ID:                            | Points:
Reviewer:                             | Sponsor:
--------------------------------------+--------------------------
Comment (by gk):
Replying to [ticket:22974 tom]:
> Per #22966 it sounds like NoScript is not signed with a developer key
> (the 'updateKey' feature described here:
> https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey )
>
> updateKey allows the extension developer to require updates be signed
> with a key only they control. Without it, Mozilla can rewrite extensions
> and effectively get arbitrary code execution via an add-on.
>
> There's a few things at play here.
>
> 1) We could disable add-on updating altogether to mitigate this in 52.
That's the plan. We'll start with HTTPS-Everywhere (hopefully soon, #10394
is the ticket for that) and do the same with NoScript afterwards.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
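
Added example, not part of the ticket or of Tor Browser's code: a small audit that reads a legacy add-on `install.rdf` and reports whether it declares the `updateKey` discussed above. The function names, add-on IDs and key value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
MANIFEST = "urn:mozilla:install-manifest"

def _prop(desc, name):
    """Read an em: property written as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and (child.text or "").strip():
        return child.text.strip()
    value = desc.get(f"{{{EM}}}{name}")
    return value.strip() if value and value.strip() else None

def audit_manifest(xml_text):
    """Return id, updateURL and whether an updateKey is declared."""
    # Stdlib parser is fine for manifests already installed locally;
    # use a hardened parser (e.g. defusedxml) for files from untrusted sources.
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about") or desc.get("about")
        if about == MANIFEST:
            return {
                "id": _prop(desc, "id"),
                "updateURL": _prop(desc, "updateURL"),
                "has_update_key": _prop(desc, "updateKey") is not None,
            }
    raise ValueError("no install-manifest Description found")

# Constructed sample manifests (placeholder IDs and key, not real add-ons).
HEAD = f'<RDF xmlns="{RDF}" xmlns:em="{EM}">'
WITH_KEY = (HEAD + '<Description about="urn:mozilla:install-manifest" '
            'em:id="pinned@example.invalid" '
            'em:updateKey="CONSTRUCTED-PLACEHOLDER-KEY"/></RDF>')
WITHOUT_KEY = (HEAD + '<Description about="urn:mozilla:install-manifest">'
               '<em:id>unpinned@example.invalid</em:id>'
               '</Description></RDF>')

if __name__ == "__main__":
    for sample in (WITH_KEY, WITHOUT_KEY):
        r = audit_manifest(sample)
        state = "developer key pinned" if r["has_update_key"] else "no updateKey"
        print(f'{r["id"]}: {state}')
```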