Firefox gets another major security upgrade

News
By published

Latest update helps protect against code injection attacks

Firefox
(Image credit: Shutterstock)

In a recent blog post on the Mozilla Security Blog, the Firefox-maker revealed the steps it has taken to protect users from code injection attacks by making its browser more secure.

The company has hardened its browser by removing “potentially dangerous artifiacts” from the Firefox codebase, including inline scripts and eval()-like functions, according to the firm's platform security and privacy engineer Christoph Kerschbaumer.

Inline scripts were removed in an effort to improve the protection of Firefox's 'about' protocol which is often referred to as about: pages. These about: pages allow users to do things such as display network information, view how their browser is configured and see which plug-ins they've installed.

However, since these about: pages are written in HTML and JavaScript, they employ the same security used by web pages, which are also vulnerable to code injection attacks. For instance, an attacker could inject code into an about:page and use it to change configuration settings in Firefox.

Code injection attacks

To help protect Firefox users against code injection attacks, Mozilla decided to rewrite all of its inline event handlers and to move all inline JavaScript code for all 45 of its about: pages  to “packaged files”. The company also set a strong Content Security Policy to make sure that any injected JavaScript code is unable to execute.

Kerschbaumer explained how this new measure can help protect against code injection attacks, saying:

“Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks.”

Additionally, Mozilla has warned developers against using the eval() function which it described as a “dangerous function, which executes the code it's passed with the privileges of the caller”. By rewriting all eval()-like functions, the company has reduced the attack surface in Firefox further.

Viz ZDNet

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
An image of the Nintendo Switch 2
Nintendo Switch 2 likely to have AI upscaling similar to PS5 Pro’s PSSR according to patent, and it could be a gamechanger for graphics on the upcoming console
PowerColor Red Devil AMD RX 9070 XT graphics card shown side-on
Your next GPU could be from AMD, not Nvidia, if Team Red’s success with PC gamers continues
Quordle on a smartphone held in a hand
Quordle hints and answers for Tuesday, March 18 (game #1149)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 18 (game #380)
More about security
person at a computer

Infamous ransomware hackers reveal new tool to brute-force VPNs
ransomware avast

One of the most powerful ransomware hacks around has been cracked using some serious GPU power
A graphic showing someone on a tablet working through a supply chain.

Security issue in open source software leaves businesses concerned for systems
See more latest
Most Popular
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Apple Watch Ultra 2 settings
I've been using an Apple Watch for 10 years – here are three common mistakes even I've made
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
An image of the Nintendo Switch 2
Nintendo Switch 2 likely to have AI upscaling similar to PS5 Pro’s PSSR according to patent, and it could be a gamechanger for graphics on the upcoming console
Samsung Galaxy S24 hands on handheld back straight white
The Samsung Galaxy S24 is getting one of the S25’s biggest video upgrades with One UI 7 – here’s why Log Video matters
PowerColor Red Devil AMD RX 9070 XT graphics card shown side-on
Your next GPU could be from AMD, not Nvidia, if Team Red’s success with PC gamers continues
AI fashion
I asked ChatGPT 4o, Gemini Live, and Siri what to wear, and only one could really help me look my best
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Tuesday, March 18 (game #646)