Firefox i Tor browser dotknięte krytyczną luką - ocena 9.8/10 (film, 5m)

Last week, we talked about a major exploit discovered in the Chromium-based ARC browser, and all the smart people in the comments were like, Thank God I use Firefox. Unfortunately, the turns have tabled, and now another 9.8 critical vulnerability has crashed into a second browser, this time Firefox. And this time, it's been actively exploited in the wild. Now, before you go in the comments and say, Thank God I use Tor, it even affects everybody out there doing totally not illegal stuff on the Tor browser, which itself is Firefox-based. This time though, it wasn't a silly mistake involving a misconfigured Firebase security rule, but rather a use-after-free flaw on their implementation of the CSS animation timeline property. They left a pointer dangling, which is far more difficult to detect and audit, and in this case, could be used by bad guys to take full control of your browser, with remote code execution. If you're running one of these Firefox versions, you're probably already dead, but if not, you'll want to update immediately. In today's video, you'll learn all about the interesting and terrifying world of use-after-free exploits. It is October 15th, 2024, and you're watching The Code Report. Before we get started though, I have some other bad news for internet browser users, specifically those on Chrome using uBlock Origin, or any other ad blocker for that matter. We all knew this day was coming, but shots were fired yesterday when this ominous message appeared on the plugin's install page, warning users that uBlock's execution date is drawing near. Now, this is all part of a grand conspiracy to get you to watch ads and be happy, and Google is achieving that by updating the manifest for plugins from version 2 to version 3, which eliminates the web request API, where plugins can see all the incoming network requests, so they can block all the garbage from known ad servers. I made a video on this a while ago if you want all the details, but now let's get back to Firefox. Slovakian company ESET has been credited with discovering and reporting the vulnerability, where an attacker is able to achieve code execution by exploiting a use-after-free flaw in the CSS animation timeline. I use the animation timeline all the time to create scroll animations on websites that nobody asked for, and never would have expected it to be an attack vector, but to understand why this is so bad, we need to understand what use-after-free actually means. Exploits like this have affected all the other browsers, including Chrome and Safari, and use-after-free was even responsible for the iOS jailbreak of 2019. The Firefox browser is free and open source, but you won't find it on GitHub. Its code is actually self-hosted and uses Mercurial for version control. It's primarily written in C++, although more and more of its code is now being written in Rust, a language that was created by a software engineer at Mozilla. Firefox itself contains over 30 million lines of code, because building a browser is extremely complex. At a high level, here's how a use-after-free flaw could be introduced. In the C code, let's imagine we need to allocate some memory for a value. To achieve that, we create a pointer, and then use malloc to allocate memory for it. From there, we can assign a value to it, and use it in our program to do something useful, like in the case of Firefox, render an animation. At some later point, when we no longer need that memory, we'll want to deallocate it with free. But now we have a problem called a dangling pointer. The memory is free, but the pointer itself still exists, and is now being used in our code with undefined behavior. If an attacker can figure out how to get some malicious code into that memory, it can cause the program to crash, or even worse, remote code execution. Now, this could be easily fixed by setting the pointer to null or a different object, but in the case of Firefox, the issue is likely a lot more complex and above my paygrade. It's still being analyzed, so there's not a ton of detail, but Mozilla stated that they have had reports of the vulnerability being exploited in the wild. The good news, though, is that it's completely fixed, and it doesn't appear anything catastrophic has happened. In addition, if you're using the anonymous Tor browser, an attacker could take control of your browser, but probably not totally de-anonymize you, assuming you're on Tails OS, which recently merged with the Tor browser as one project. Now, another browser that was affected by all this is Zen, which is an awesome open-source project based on Firefox. They quickly updated to the fixed version, but it just goes to show how one little flaw can affect a lot of downstream projects. But if your goal is to write robust, bulletproof code, you'll need to start with computer science fundamentals, and you can start doing that today for free thanks to this video's sponsor, Brilliant. Their quick, rewarding interactive lessons will help you build a foundation for problem-solving that every software engineer needs to have. Brilliant is where you learn by doing, with thousands of interactive lessons in math, data analysis, programming, and AI. When you make their Python course a habit with just a few minutes of effort each day, you'll quickly develop the skills needed to build world-changing software, and you can do it anywhere, even from your phone. To try everything Brilliant has to offer for free for 30 days, visit brilliant.org slash fireship, or scan this QR code for 20% off their premium annual subscription. This has been the Code Report. Thanks for watching, and I will see you in the next one.

Menu

Firefox i Tor browser dotknięte krytyczną luką - ocena 9.8/10 (film, 5m)

Toggle timeline summary

Transcription