Closed Bug 1737751 (CVE-2021-43546) Opened 3 years ago Closed 3 years ago

users with zoomed cursors vulnerable to spoofed cursors leaking into the addressbar

Categories

(Core :: Layout, defect)

Unspecified
macOS
defect

Tracking


VERIFIED FIXED
95 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 95+ verified
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 + verified

People

(Reporter: dveditz, Assigned: jfkthame)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [adv-main95+][adv-ESR91.4.0+])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #1670316 +++

The defense against large spoofed cursors leaking into the browser chrome does not take into account that users may have increased the size of their OS cursor for accessibility reasons. See bug 1670316 comment 30 and following.

On Mac you can do this by searching for "cursor size" in system preferences and making the cursor larger than normal. You may need to restart Firefox to see the spoof. Then try any of the testcases previously used for this issue. If we can detect that the OS is scaling the cursor larger, we should adjust the point at which we kill a custom cursor accordingly.

POCs:

I'm lowering the security severity of this since it won't apply by default for most users.

Blocks: 1670316
No longer blocks: eviltraps
No longer depends on: 1670316
Assignee: nobody → emilio
Flags: needinfo?(emilio)

So I looked a bit through the Apple docs and I don't see any obvious way to query the OS cursor magnification factor... Stephen, do you know if I might have overlooked it?

Without it we can't really make a lot of progress on this bug I think.

Assignee: emilio → nobody
Flags: needinfo?(emilio) → needinfo?(spohl.mozilla.bugs)

I think you want to look at the preference value mouseDriverCursorSize from the domain com.apple.universalaccess, which is a floating-point value giving the magnification factor in use.

So we should be able to use something like CFPreferencesCopyAppValue or NSUserDefaults APIs to read it and apply the appropriate scaling.

Flags: needinfo?(spohl.mozilla.bugs)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
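The two preceding comments describe the approach: read the accessibility magnification factor from com.apple.universalaccess and multiply the custom cursor's dimensions by it before deciding whether the rendered cursor would extend out of the content area. The following is an added model of that check, written for this page; it is not Firefox's code or the attached patch. It reads the preference with the `defaults` command-line tool rather than CFPreferences (an assumption about how to get at the same key from a script), falls back to an unscaled factor of 1.0 where the key or the tool is absent, and applies the check only to cursors whose rendered size exceeds 32 px, a threshold that is a modelling assumption and not something the thread states.

```python
"""Model of the "custom cursor leaks into chrome" check, accounting for the
macOS accessibility cursor scale. Added example; not Firefox's implementation."""
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional


def read_macos_cursor_scale(run: Optional[Callable[[], str]] = None) -> float:
    """Return the macOS cursor magnification factor, or 1.0 if unavailable.

    The key and domain (mouseDriverCursorSize in com.apple.universalaccess)
    are the ones named in the thread. Reading via `defaults read` is this
    example's assumption; the patch itself uses a CFPreferences/NSUserDefaults
    API. `run` is injectable so the parsing can be exercised off-macOS.
    """
    if run is None:
        def run() -> str:
            out = subprocess.run(
                ["defaults", "read", "com.apple.universalaccess",
                 "mouseDriverCursorSize"],
                capture_output=True, text=True, check=True)
            return out.stdout
    try:
        scale = float(run().strip())
    except (OSError, subprocess.CalledProcessError, ValueError):
        return 1.0  # no key set, not macOS, or garbage: treat as unscaled
    # A zero/negative factor is meaningless; never scale *down* on bad input.
    return scale if scale >= 1.0 else 1.0


@dataclass(frozen=True)
class CustomCursor:
    width: int      # cursor image size in CSS px, before OS scaling
    height: int
    hotspot_x: int  # image pixel that sits under the real pointer position
    hotspot_y: int


def cursor_leaks_out_of_content(cursor: CustomCursor, pointer_x: float,
                                pointer_y: float, content_w: float,
                                content_h: float, os_scale: float) -> bool:
    """True if the rendered cursor image extends past the content area.

    Coordinates are relative to the content area's top-left corner, so a
    negative top edge means the image reaches up into the browser chrome
    (toolbar/address bar). The fix in this bug amounts to applying os_scale
    here instead of using the raw image dimensions.
    """
    left = pointer_x - cursor.hotspot_x * os_scale
    top = pointer_y - cursor.hotspot_y * os_scale
    right = left + cursor.width * os_scale
    bottom = top + cursor.height * os_scale
    return left < 0 or top < 0 or right > content_w or bottom > content_h


def allow_custom_cursor(cursor: CustomCursor, pointer_x: float,
                        pointer_y: float, content_w: float, content_h: float,
                        os_scale: float, max_unchecked_px: int = 32) -> bool:
    """Decide whether to keep the page's cursor or fall back to the default.

    Small cursors are always allowed (max_unchecked_px is an assumption of
    this model); large ones are dropped whenever they would leak out of the
    content area. Passing os_scale=1.0 on a machine that actually scales
    reproduces the pre-fix behaviour described in comment 0.
    """
    rendered_w = cursor.width * os_scale
    rendered_h = cursor.height * os_scale
    if max(rendered_w, rendered_h) <= max_unchecked_px:
        return True
    return not cursor_leaks_out_of_content(
        cursor, pointer_x, pointer_y, content_w, content_h, os_scale)


if __name__ == "__main__":
    # Constructed scenario: a 48x48 cursor whose hotspot is at its bottom
    # edge, pointer 60 px below the top of the content area.
    spoof = CustomCursor(48, 48, 24, 47)
    actual_scale = 2.0
    print("unscaled check allows:",
          allow_custom_cursor(spoof, 300, 60, 1200, 800, 1.0))
    print("scaled check allows:",
          allow_custom_cursor(spoof, 300, 60, 1200, 800, actual_scale))
    print("this host's factor:", read_macos_cursor_scale())
```

With the hotspot at the bottom of the image, the unscaled arithmetic sees the top edge at 60 - 47 = 13 px and allows the cursor, while the same image drawn at 2x reaches 60 - 94 = -34 px, i.e. 34 px into the chrome. That gap is exactly what a page could exploit on a machine with an enlarged OS cursor, and why the reporter asks for the kill point to move with the scale factor. As the later comment notes, reading the factor once at startup means a change in System Preferences is only picked up after a relaunch.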

Something like this seems to basically work, with the caveat that it doesn't seem to account for on-the-fly changes to cursor scaling; if I change the scale in System Preferences, I have to relaunch the browser to properly see the effect. But I don't suppose that matters very much.

Apparently it's not just OS scaling, and not just macOS. See bug 1737722

See Also: → CVE-2022-36319
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+

Comment on attachment 9247781 [details]
Bug 1737751 - Account for macOS cursor scaling. r?emilio

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Possible to mislead the user by spoofing visible cursor position, including appearing to be in browser chrome but in fact clicking within page content.
  • User impact if declined: Mac users with scaled cursor size could be subject to spoofing.
  • Fix Landed on Version: 95
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Localized patch with simple correction to coordinate arithmetic; no-op except for Mac users with cursor scaling enabled.
  • String or UUID changes made by this patch:
Attachment #9247781 - Flags: approval-mozilla-esr91?

Reproduced the issue with Firefox 95.0a1 (2021-10-26) on macOS 10.15 using the attached testcases from comment 0 and the STR. The custom cursor is exiting the Firefox window if the cursor size is changed from macOS preferences.
The issue is fixed with Firefox 95.0b5 (20211109194756) on macOS 10.15. After changing the cursor size and restarting Firefox, the custom cursor is no longer exiting the Firefox window. Per comment 4 the need to restart Firefox for this fix to work is a known issue.

Comment on attachment 9247781 [details]
Bug 1737751 - Account for macOS cursor scaling. r?emilio

Approved for 91.4esr.

Attachment #9247781 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage] [qa-triaged]

Verified fixed with Firefox 91.4.0esr (20211111045525) on macOS 10.15. The cursor is no longer exiting the Firefox window if the cursor size is increased and the browser is restarted.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [adv-main95+][adv-ESR91.4.0+]
Attached file advisory.txt
Alias: CVE-2021-43546
Group: core-security-release
