Mozilla Protects Firefox Users from Code Injection
Mozilla has released a patch that blocks code injection attacks in the Firefox browser. According to Mozilla’s security team, “An effective way to combat code injection attacks is to reduce the attack surface by removing potentially dangerous elements from the codebase and strengthening code at various levels. To make Firefox resistant to code injection attacks, we have removed inline scripts and functions like eval().”
How Mozilla Improved Firefox Security
Mozilla rewrote the built-in event handler and moved inline JavaScript code into archived files for all about:pages in the browser. There are 45 such about:pages. These pages were previously vulnerable to code injection attacks through inline scripts.
The about:pages provide users with a simple interface to check information related to Firefox’s internal operations. For example, the about:config page offers an API for viewing and updating settings and parameters. Since about:pages use HTML and JavaScript like any other browser page, attackers could potentially inject malicious scripts into the browser’s security context and perform arbitrary actions on behalf of Firefox users.
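The audit below is an added example, not Mozilla's code: it flags the inline patterns this hardening removes (inline `<script>` bodies, `on*` handler attributes and `eval()`), and goes slightly further by also flagging `javascript:` URLs and `new Function()`. The two sample pages and the names `auditMarkup`, `BEFORE`, `AFTER` and `prefs.js` are constructed for illustration and are not Firefox markup.

```javascript
// Regex-based sketch for review or CI use; a production audit would use a real HTML parser.
const CHECKS = [
  // <script> element with no src attribute and a non-empty body
  { kind: "inline-script", re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^\s<][\s\S]*?<\/script>/gi },
  // on* event handler attribute such as onclick="..." (one finding per tag)
  { kind: "inline-handler", re: /<[a-z][^>]*\s(on[a-z]+)\s*=\s*["'][^"']*["']/gi },
  // javascript: URL in href/src/action
  { kind: "javascript-url", re: /\b(?:href|src|action)\s*=\s*["']\s*javascript:/gi },
  // string-to-code sinks
  { kind: "eval-call", re: /\beval\s*\(|\bnew\s+Function\s*\(/g },
];

// Returns one finding per match, with a 1-based line number, ordered by line.
function auditMarkup(source) {
  const findings = [];
  for (const { kind, re } of CHECKS) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ kind, line, snippet: m[0].slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: a settings-style page written with inline script (before).
const BEFORE = [
  "<html><body>",
  '<button onclick="resetPrefs()">Reset</button>',
  '<a href="javascript:showAll()">Show all</a>',
  "<script>function resetPrefs() { eval(pendingAction); }</script>",
  "</body></html>",
].join("\n");

// Constructed sample: the same page with all script moved to a separate file (after).
const AFTER = [
  "<html><body>",
  '<button id="reset">Reset</button>',
  '<a id="show-all" href="#">Show all</a>',
  '<script src="prefs.js"></script>',
  "</body></html>",
].join("\n");

for (const f of auditMarkup(BEFORE)) console.log(`line ${f.line}: ${f.kind}: ${f.snippet}`);
console.log(`findings after externalizing script: ${auditMarkup(AFTER).length}`);
```

Once a page passes a check like this, any inline script that later appears in it was not put there by its authors, which is what allows the browser to refuse inline script on that page outright.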
Results of the Update
By making it impossible to inject inline scripts on about:pages in Firefox, Mozilla has created a barrier against code injection attacks that could lead to arbitrary code execution.