Firefox Patch Hikes Security

Tuesday, February 28, 2012 @ 02:02 PM gHale

A patch introduced to the Firefox repository should make the browser more secure by forcing certain binary extensions to use ASLR (Address Space Layout Randomization) under Windows.

The Mozilla developers said the change, which will prevent XPCOM (Cross Platform Component Object Model) component DLLs without ASLR from loading, should be in Firefox 13 “if no unexpected problems arise.”

This could, for example, affect products from anti-virus firms Symantec and McAfee. As recently as last year, these products were observed installing DLLs (Dynamic Link Libraries) compiled without ASLR in the browser, enabling malware to predict with relative ease the memory addresses used for heap and stack areas by the DLLs. ASLR randomizes all memory addresses, so the program components in question will be in different locations each time they start.

Kyle Huey, the author of the patch, said that because ASLR is the default in modern versions of Visual Studio, the patch has no drawbacks for binary extension developers, and they will only need to ensure they haven’t turned it off.

Implementing the patch for all shared DLLs proved too difficult, Huey said. Only libraries that use Mozilla’s XPCOM framework will feel the effect of the change.
