Bug 1314801: Enable PROCESS_MITIGATION_IMAGE_LOAD_POLICY
Status: RESOLVED FIXED (Closed; opened 8 years ago, closed 7 years ago)
Categories: Core :: Widget: Win32, defect, P3
Tracking: mozilla57
Reporter: tjr
Assigned: bobowen
References: Blocks 2 open bugs
Whiteboard: [sb+][tpi:+]
Attachments (2 files):
- patch, 1.93 KB, jimm: review+
- patch, 2.32 KB, jimm: review+
NoRemoteImages is a setting that will prevent LoadLibrary from being called with a library on a UNC share. It's a common exploitation technique to do this with an internet-facing UNC share to achieve code execution.

https://msdn.microsoft.com/en-us/library/windows/desktop/mt706245(v=vs.85).aspx

While this setting is often used in the context of a sandbox, I can't think of a reason not to enable it on Firefox itself and gain some security before the sandbox comes into play. I believe this would break if Firefox is run from a UNC share, but it should be simple to detect if that is the case, and then simply not enable it in that case.
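The check proposed in the description, as an added C example that is not part of the bug report or of Mozilla's patches: it classifies the executable path and leaves NoRemoteImages off when the process was started from a UNC share. The function names, flag bit values and sample path are assumptions of this example, and the Windows calls are compiled only under `_WIN32`.

```c
#include <ctype.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Bit values local to this example, not the sandbox's own constants. */
#define IMAGE_LOAD_NO_REMOTE    0x1u
#define IMAGE_LOAD_NO_LOW_LABEL 0x2u

/* Case-insensitive prefix match that stops at the end of s. */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix)) return 0;
    return 1;
}

/* 1 for \\server\share\... and \\?\UNC\server\..., 0 for C:\ and \\?\C:\ paths.
 * A mapped network drive (Z:\) looks local here; GetDriveType() would catch it. */
int is_unc_path(const char *path) {
    if (path == NULL) return 0;
    if (starts_with_ci(path, "\\\\?\\") || starts_with_ci(path, "\\\\.\\"))
        return starts_with_ci(path + 4, "UNC\\");
    return path[0] == '\\' && path[1] == '\\' && path[2] != '\0' && path[2] != '\\';
}

/* Skip NoRemoteImages when the executable itself lives on a share, since its own
 * DLLs would then fail to load. Keeping the low-label flag is this example's choice. */
unsigned image_load_flags_for(const char *exe_path) {
    unsigned flags = IMAGE_LOAD_NO_LOW_LABEL;
    if (!is_unc_path(exe_path)) flags |= IMAGE_LOAD_NO_REMOTE;
    return flags;
}

int main(void) {
    char exe[260] = "C:\\constructed\\app.exe"; /* constructed path, used off Windows */
#ifdef _WIN32
    DWORD n = GetModuleFileNameA(NULL, exe, sizeof(exe));
    if (n == 0 || n == sizeof(exe)) return 1;   /* failed or truncated */
#endif
    unsigned flags = image_load_flags_for(exe);
#ifdef _WIN32
    PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {0};
    policy.NoRemoteImages = (flags & IMAGE_LOAD_NO_REMOTE) != 0;
    policy.NoLowMandatoryLabelImages = (flags & IMAGE_LOAD_NO_LOW_LABEL) != 0;
    if (!SetProcessMitigationPolicy(ProcessImageLoadPolicy, &policy, sizeof(policy))) return 1;
#endif
    printf("image load flags: 0x%x\n", flags);
    return 0;
}
```

Building the Windows branch needs an SDK that declares `PROCESS_MITIGATION_IMAGE_LOAD_POLICY`, which is the SDK dependency discussed in the comments below.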
Updated•8 years ago
Priority: -- → P3
Whiteboard: [sb?][tpi:+]
Updated•8 years ago
Blocks: injecteject
Whiteboard: [sb?][tpi:+] → [sb+][tpi:+]
Comment 1•7 years ago
Mass wontfix for bugs affecting firefox 52.
Updated•7 years ago (Assignee)
Flags: needinfo?(bobowencode)
Updated•7 years ago (Assignee)
Comment 2•7 years ago (Assignee)
Ah now I remember that I had to #if out this support in the chromium sandbox, because of issues we had with relying on the Win10 SDK that is needed to support this (see bug 1337331 comment 24 and onwards). I'm hoping that things have improved there, because I think something similar was blocking us from building with MSVS2017.
Comment 3•7 years ago (Assignee)
It looks like we now do pick up the Win10 SDK correctly, so hopefully we can move to requiring at least v10.0.10586.0, which is when these new bits were added. I'll file a separate bug for that to block this one.
Comment 4•7 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=c758d82fa76fd1f5ec21daee4b48d8b2f824989e
Comment 5•7 years ago (Assignee)
Attachment #8906565 - Flags: review?(jmathies)
Comment 6•7 years ago (Assignee)
Attachment #8906566 - Flags: review?(jmathies)
Comment 7•7 years ago
(In reply to Bob Owen (:bobowen) from comment #6)
> Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and
> MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox

Doesn't it prevent Firefox from launching from a network share?
Comment 8•7 years ago (Assignee)
(In reply to Masatoshi Kimura [:emk] from comment #7)
> (In reply to Bob Owen (:bobowen) from comment #6)
> > Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and
> > MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox
>
> Doesn't it prevent Firefox from launching from a network share?

It doesn't enable it in that case.
Updated•7 years ago
Attachment #8906565 - Flags: review?(jmathies) → review+
Updated•7 years ago
Attachment #8906566 - Flags: review?(jmathies) → review+
Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aaf411b9d99f
Part 1: Compile chromium sandbox features that require at least UCRT SDK version 10.0.10586.0. r=jimm
https://hg.mozilla.org/integration/mozilla-inbound/rev/ac48944bf3c6
Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox. r=jimm
Comment 10•7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/aaf411b9d99f
https://hg.mozilla.org/mozilla-central/rev/ac48944bf3c6
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 11•7 years ago
With Windows SDK 10.0.14393.33 which according to https://en.wikipedia.org/wiki/Microsoft_Windows_SDK is more recent than 10.0.10586.0 I'm getting:

c:/mozilla-source/comm-central/mozilla/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc(157): error C2065: 'PROCESS_MITIGATION_FONT_DISABLE_POLICY': undeclared identifier

I grepped for PROCESS_MITIGATION_FONT_DISABLE_POLICY in C:\Program Files (x86)\Windows Kits\10 in *.h files and it's not there.

In C:\Program Files (x86)\Windows Kits\10\Include I only see 10.0.10150.0 and 10.0.10240.0.

Any hints would be welcome.
Flags: needinfo?(bobowencode)
Comment 12•7 years ago (Assignee)
(In reply to Jorg K (GMT+2) from comment #11)
> With Windows SDK 10.0.14393.33 which according to
> https://en.wikipedia.org/wiki/Microsoft_Windows_SDK is more recent than
> 10.0.10586.0 I'm getting:
>
> c:/mozilla-source/comm-central/mozilla/security/sandbox/chromium/sandbox/win/
> src/process_mitigations.cc(157): error C2065:
> 'PROCESS_MITIGATION_FONT_DISABLE_POLICY': undeclared identifier
>
> I grepped for PROCESS_MITIGATION_FONT_DISABLE_POLICY in C:\Program Files
> (x86)\Windows Kits\10 in *.h files and it's not there.
>
> In C:\Program Files (x86)\Windows Kits\10\Include I only see 10.0.10150.0
> and 10.0.10240.0.
>
> Any hints would be welcome.

It would seem that it hasn't installed properly then, you should have a 10.0.14393.0 dir there I believe.
Flags: needinfo?(bobowencode)
Comment 13•7 years ago
Yes, I reinstalled the Windows SDK 10.0.14393.795 and got that directory now. Thank you.
Updated•6 years ago