silversurfer

It's 2020, and numerous browsers still allow drive-by downloads from what are meant to be secure contexts, such as sandboxed iframes.

For those unfamiliar with the term, a drive-by download is when a user visits a site and a file download is initiated without the user's interaction.

This technique can be used to distribute unwanted software and malicious programs in the hopes that users will accidentally or mistakenly execute the downloads and get infected.

New research from ad security firm Confiant shows that secure contexts such as sandboxed iframes can be abused to allow drive-by downloads when visiting a website.

As most advertisements are displayed on a web page via iframes, malicious advertisers can use them to deliver unwanted applications that infect your computer.
 

Gandalf_The_Grey

What's next?
As you can see, allowing scripts to initiate downloads in what is expected to be a secure context is problematic, as it could enable the distribution of malware through malicious advertisements.

While Chrome 83 and Microsoft Edge 83 both block downloads in sandboxed iframes, Brave and Firefox still allow it.

In a Mozilla Firefox bug post, the Firefox developers have already completed the code to block downloads in sandboxed iframes and will add it to the browser soon.

It is not known if Brave, Safari, and affected mobile browsers will resolve it in the future.
 

Nagisa

Excuse my ignorance, but I doubt Firefox is less secure just because its sandbox is not as good as Chromium's. Firstly, if those two browsers need to be exploited differently (because they have different sandbox mechanisms), Firefox should be less risky as it has much less market share than Chrome.

I wonder if having a better sandbox definitely makes Chrome more secure. Pale Moon doesn't have any sandbox at all, but still it's no less secure.
 

oldschool

Brave dropped the ball on this one. Chromium 83 released two weeks ago and Brave's still sat on 81. Have to wonder if development is being held up by the pandemic or some other factor.
Brave release schedule delayed due to COVID-19, as per Chromium:

Expected v. 1.10.x (Chromium 83) release date June 9, 2020

Expected v. 1.11.x (Chromium 84) release date July 7, 2020 to keep in sync with Chromium

Expected v. 1.12.x (Chromium 84) release date August 4, 2020 to keep in sync with Chromium


Brave release schedule
 

Andy Ful

Excuse my ignorance, but I doubt Firefox is less secure just because its sandbox is not as good as Chromium's. Firstly, if those two browsers need to be exploited differently (because they have different sandbox mechanisms), Firefox should be less risky as it has much less market share than Chrome.
When you are browsing, it is an easy task to get information about the browser. The malicious website can choose the right exploit. Firefox is popular enough for it.

Pale Moon doesn't have any sandbox at all, but still it's no less secure.
Why do you think so? Did anyone make any statistics on Pale Moon security? It is a fork of Firefox and it is known to sacrifice security for compatibility with older systems and usability. Yes, you can use Pale Moon for years and not be infected. You can also drive without a seat-belt for years, but it does not mean that it is a secure way of driving.
If having a strong sandbox is not important, then why do all top web browsers (including Firefox) have sandboxes and work to make them stronger? Are they stupid? :unsure:
 

Nagisa

When you are browsing, it is an easy task to get information about the browser. The malicious website can choose the right exploit. Firefox is popular enough for it.
Isn't it hard enough to exploit one browser? How come a zero-day is able to exploit two completely different browsers?

Why do you think so? Did anyone make any statistics on Pale Moon security? It is a fork of Firefox and it is known to sacrifice security for compatibility with older systems and usability.
It's not a 'fork of' Firefox, nor did the developer sacrifice security for compatibility. Being compatible with older systems is not the purpose of that browser; in fact, it doesn't even support XP anymore. You have to download the fork Newmoon or Serpent for that. I think you're misinformed about this browser.

If having a strong sandbox is not important, then why do all top web browsers (including Firefox) have sandboxes and work to make them stronger? Are they stupid? :unsure:
I'm taking this link here. I suggest reading the whole page.


About the sandbox:

Pale Moon doesn't have a multi-process sandbox container because Pale Moon (and Basilisk) are not using a multi-process setup. Instead, our "sandboxing" is internal, strictly separating the context in which untrusted content is loaded and scripts executed. In fact, using IPC and e10s has given rise to a hell of a lot more security vulnerability by explicitly relying on a fragile inter-process messaging system and relying on a separate process not being able to escape the context (and the sandboxing container has shown time and again to be insufficient at containing untrusted code/scripting). There's a big fallacy in e10s "security" concepts: a separate process may, in itself, be running at a lower integrity level in the operating system, but if you entwine its functioning with a generally administrator-elevated process, then that link becomes the channel through which exploits get system-level access. Complaining about security because we have removed the e10s-specific sandbox container because we're not using e10s (dead code cleanup) is terribly uninformed of a statement.
Also a quote from reddit:

Keep in mind that the recent zero-day exploit which hit Firefox and was in the wild didn't impact PM. That exploit specifically targeted e10. That's the only real data point we have to work with.
I also remember that PM was not affected by meltdown/spectre.


After confirmation that the "Meltdown" and "Spectre" CPU vulnerabilities could be exploited via the web, we have immediately taken action to investigate impact on Pale Moon and Basilisk. The web-based exploits either need very accurate timing through performance timers or a way to construct their own very accurate timers using shared buffer memory between threads in JavaScript.

Pale Moon isn't vulnerable

Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.
Pale Moon also, by design, doesn't allow buffer memory to be shared between threads in JavaScript, so the "SharedArrayBuffer" attack is not possible.

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.
 
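The Pale Moon statement quoted in the post above rests on one idea: if the timers a script can read are coarse enough, hardware-timing attacks such as the web-based Spectre variants lose their signal. The following added example (not from the Pale Moon page and not the poster's code) shows what clamping `performance.now()` buys and what it does not. It runs on a simulated clock, so every number is constructed rather than measured from a real browser or CPU; the granularity of 100 microseconds, the 37-microsecond operation and the deterministic jitter function are all assumptions chosen for the illustration.

```javascript
// Added example (not from Pale Moon or the thread). Simulated clock only.

// Simulated monotonic clock in microseconds. Work "spends" time on it.
class SimClock {
  constructor(start = 1000) { this.t = start; }
  spend(us) { this.t += us; }
  now() { return this.t; }
}

// What a browser exposes when it clamps its timer to `granularity`.
function coarsen(t, granularity) {
  return Math.floor(t / granularity) * granularity;
}

// Clamping plus jitter: each tick edge k is delayed by a pseudo-random offset in
// [0, granularity/2). The offset is derived from the tick index so the example
// is reproducible; a real implementation would use a secret per-context seed.
function jitterOffset(tick, granularity) {
  return (Math.imul(tick + 1, 0x9E3779B1) >>> 0) % Math.floor(granularity / 2);
}
function coarsenWithJitter(t, granularity) {
  const k = Math.floor(t / granularity);
  const pastEdge = t - k * granularity >= jitterOffset(k, granularity);
  return (pastEdge ? k : k - 1) * granularity;
}

// Naive attacker: subtract two coarse readings around the operation. Anything
// shorter than the granularity reads as 0 unless a tick edge happens to fall
// inside the window, in which case it reads as a whole tick.
function naiveMeasure(clock, granularity, costUs, read = coarsen) {
  const start = read(clock.now(), granularity);
  clock.spend(costUs);
  return read(clock.now(), granularity) - start;
}

// Edge thresholding, the standard way around a merely coarsened clock: align to
// a tick edge, run the operation, then count fixed-cost padding iterations until
// the next edge. Fewer iterations means a longer operation, so the
// sub-granularity cost is recovered from the padding count.
function edgeMeasure(clock, granularity, costUs, read = coarsen, paddingUs = 1) {
  const last = read(clock.now(), granularity);
  while (read(clock.now(), granularity) === last) clock.spend(paddingUs);
  const edge = read(clock.now(), granularity);   // just past an edge now
  clock.spend(costUs);                            // the operation under test
  const after = read(clock.now(), granularity);
  let pads = 0;
  while (read(clock.now(), granularity) === after) { clock.spend(paddingUs); pads++; }
  // whole ticks crossed during the operation + the remainder of the last tick
  return (after - edge) + (granularity - pads * paddingUs);
}

// Repeat a measurement on a continuing clock; returns the attacker's estimates.
function runTrials(read, costUs, n, granularity = 100) {
  const clock = new SimClock();
  const estimates = [];
  for (let i = 0; i < n; i++) estimates.push(edgeMeasure(clock, granularity, costUs, read));
  return estimates;
}

// With plain coarsening the true cost (37 us) comes back exactly every time;
// with jitter the padding count no longer maps to the cost.
console.log('naive, 100us clamp, 37us op :', naiveMeasure(new SimClock(), 100, 37));
console.log('edge,  100us clamp          :', runTrials(coarsen, 37, 5));
console.log('edge,  clamp + jitter       :', runTrials(coarsenWithJitter, 37, 5));
```

The lesson for the Pale Moon argument is that coarse timers alone remove the easy measurement but not the careful one: edge thresholding recovers the 37-microsecond cost exactly against a 100-microsecond clamp, and it is jitter on the tick edges (or removing the attacker's way of building a second clock, which is what dropping SharedArrayBuffer does) that breaks the reconstruction.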

SeriousHoax

This shows again why Chromium-based (main) browsers like Edge & Chrome are much safer than others.

I can recommend reading this: Firefox and Chromium Security | Madaidan's Insecurities
Firefox's sandbox is definitely weaker compared to Chromium's, but that doesn't mean it's far more vulnerable and getting exploited in the wild regularly or something. Besides, all the articles mentioned in that link are 4-5 years old. Firefox has upgraded a lot related to security and the sandbox, and they are continuously doing so. silversurfer shared an article a few days ago that Firefox recently upgraded their sandbox to security.sandbox.content.level => 6
You can read more here:
Security/Sandbox - MozillaWiki
Recent articles like this are on moz hacks also:
Also what geminis3 shared above about the upcoming Project fission.
Usability and stability are important too, along with security. Firefox runs far better on my system, so that's an important reason as well for me to keep using it.
 

security123

Excuse my ignorance, but I doubt Firefox is less secure just because its sandbox is not as good as Chromium's.
Firefox is less secure than Chromium code. Read my link + GrapheneOS usage documentation.

I wonder if having a better sandbox definitely makes Chrome more secure.
Yes. Chrome and Edge already have the sandbox feature.
See my two links.

Pale Moon doesn't have any sandbox at all, but still it's no less secure.
Pale Moon is a joke for security. You shouldn't use it if you take security seriously.
Also, it's worse in privacy.
 

geminis3

@security123, to exploit an Android device through FF Fenix, an attacker needs to bypass the basic Android sandbox in order to get full remote access.
 

Andy Ful

@Nagisa,
I am not sure if you understand the information contained in the links you posted here.
The author of the posts (Moonchild) says:

"Goanna indeed forked off from Gecko as a web rendering and layout component. But once again, forked != used verbatim. We did take security fixes (either ported or rewritten) from upstream for Goanna, because why invent the wheel twice? But aside from that we have our own development and Goanna is most certainly not behaving the same way as Gecko due to our own development on it."
So it is a fork, for sure. Furthermore, it continues add-on support for XUL, XPCOM, and NPAPI plugins, all of which are no longer supported in Firefox (also for security reasons).

"Pale Moon doesn't have a multi-process sandbox container because Pale Moon (and Basilisk) are not using a multi-process setup. Instead, our "sandboxing" is internal, strictly separating the context in which untrusted content is loaded and scripts executed.
...
Complaining about security because we have removed the e10s-specific sandbox container because we're not using e10s (dead code cleanup) is terribly uninformed of a statement.
"
So, the author only says that Pale Moon "sandboxing" is not weaker than that used in older versions of Firefox, because generally Firefox sandboxing in older versions was weak.


Microsoft and Google know that their products can be exploited and use the Bug Bounty program to find the vulnerabilities before they are exploited in the wild. Pale Moon has no chance to compete with them. Of course, the great sandbox cannot solve all security problems, due to the impact on performance.
It is true that most Pale Moon vulnerabilities can be unknown, because no one bothers to find them.
But are you sure that Pale Moon is not vulnerable (as Firefox is) to malicious advertisements that use iframes?
 