Bug 503451 (CVE-2009-3987)
GeckoActiveXObject exception messages can be used to enumerate installed COM objects
Status: RESOLVED FIXED (Opened 16 years ago, Closed 15 years ago)
Categories: (Core :: XPConnect, defect)
| Tracking | Status |
---|---|---|
status1.9.2 | --- | beta3-fixed |
status1.9.1 | --- | .6-fixed |
People: (Reporter: gfleischer+bugzilla, Assigned: benjamin)
Details: (Keywords: verified1.9.0.16, Whiteboard: [sg:low])
Attachments (2 files)
- 2.36 KB, text/html
- 11.66 KB, patch (mrbkap: review+, jst: superreview+, jst: approval1.9.2+, dveditz: approval1.9.1.6+, dveditz: approval1.9.0.16+)
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre
The exception messages from GeckoActiveXObject differ based on whether the requested COM object ProgID is present in the Windows registry.
Exception messages:
- COM object not installed: COM Error Result = 800401f3
- COM object installed: COM Error Result = 80004005
By creating an extensive list of ProgIDs it would be possible to profile a user. Some software installs different ProgIDs based on version, so specific version detection is also possible.
This behavior may lead to a loss of user privacy or allow for targeted exploitation.
Reproducible: Always
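The difference in exception messages described in this report, modelled as an added example (not code from the bug report or from Gecko), together with a regression check that fails whenever content can tell registry states apart. The registry contents, ProgIDs and function names are constructed; the uniform message is one general mitigation and is an assumption here, whereas the patch attached to this bug removed the globals instead.

```javascript
// Constructed model, not Gecko code: a host-object constructor that refuses
// every request from content but reports why it refused.
const REGISTRY = new Set(["Example.Installed.1", "Example.Viewer.2"]); // constructed ProgIDs

// Leaky form: the HRESULT in the message depends on registry state
// (the two values quoted in the report).
function leakyCreate(progId) {
  const hr = REGISTRY.has(progId) ? "80004005" : "800401f3";
  throw new Error("COM Error Result = " + hr);
}

// Hardened form (assumed mitigation): one fixed message for every refusal;
// the detailed HRESULT goes only to a log that content cannot read.
const privilegedLog = [];
function uniformCreate(progId) {
  const hr = REGISTRY.has(progId) ? "80004005" : "800401f3";
  privilegedLog.push({ progId, hr });
  throw new Error("Object creation is not permitted");
}

// Everything content can observe from one call: exception type and message.
function observe(create, progId) {
  try {
    create(progId);
    return "created";
  } catch (e) {
    return e.name + ":" + e.message;
  }
}

// Regression check: partition probe ProgIDs by what content observes.
// More than one class means the error path is an oracle for registry state.
function observableClasses(create, probes) {
  const classes = new Map();
  for (const id of probes) {
    const seen = observe(create, id);
    if (!classes.has(seen)) classes.set(seen, []);
    classes.get(seen).push(id);
  }
  return classes;
}

const PROBES = ["Example.Installed.1", "Example.Missing.1", "Example.Viewer.2"];
console.log("leaky classes:", observableClasses(leakyCreate, PROBES).size);
console.log("uniform classes:", observableClasses(uniformCreate, PROBES).size);
```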
Comment 1 • 16 years ago (Reporter)
Brief example demonstrating how COM objects can be enumerated based on exception message differences.
Component: General → XPConnect
Product: Firefox → Core
QA Contact: general → xpconnect
Comment 2 • 16 years ago
Fun.
bsmedberg, do you know this code, or know who does? I can't even find the code.
Group: core-security
Whiteboard: [sg:low]
Comment 3 • 16 years ago (Assignee)
http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/XPCIDispatchExtension.cpp#223
I think those bits can be safely completely removed.
Comment 4 • 16 years ago (Assignee)
Assignee: nobody → benjamin
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #397109 - Flags: superreview?(jst)
Attachment #397109 - Flags: review?(mrbkap)
Comment 5 • 16 years ago
Comment on attachment 397109
Remove GeckoActiveXObject and similar unnecessary globals, rev. 1
Can I give more than 1 r+?
Attachment #397109 - Flags: review?(mrbkap) → review+
so um. before we go off removing stuff which was added by AOL, we could talk to the people who remember it.
bsmedberg: you claim it isn't usable by content at all. Suppose content has universalxpconnect, is it still unusable?
I'm not actively defending the feature (I remember it, and I think I understand its goals).
Comment 7 • 15 years ago (Assignee)
I do not think it is necessary to walk into the mists of time in order to remove features that are clearly not an important part of the web platform nor of our extension platform. We will be removing idispatch scripting altogether as soon as WinMo doesn't depend on it for the activex bridge.
Comment 8 • 15 years ago
The only issue that I know of around this outside of the obvious direct use is for browser sniffing. Supposedly some sites were using the presence to determine the browser. Obviously not the proper way to do it, but there were sites doing it. Hopefully they're gone now :-)
Updated • 15 years ago
Attachment #397109 - Flags: superreview?(jst) → superreview+
Comment 9 • 15 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 15 years ago (Assignee)
Attachment #397109 - Flags: approval1.9.2?
Attachment #397109 - Flags: approval1.9.1.4?
Attachment #397109 - Flags: approval1.9.0.15?
Updated • 15 years ago
Attachment #397109 - Flags: approval1.9.1.5?
Attachment #397109 - Flags: approval1.9.1.4?
Attachment #397109 - Flags: approval1.9.0.16?
Attachment #397109 - Flags: approval1.9.0.15?
Comment 10 • 15 years ago
Comment on attachment 397109
Remove GeckoActiveXObject and similar unnecessary globals, rev. 1
Approved for 1.9.1.5 and 1.9.0.16, a=dveditz for release-drivers
Attachment #397109 - Flags: approval1.9.1.5?
Attachment #397109 - Flags: approval1.9.1.5+
Attachment #397109 - Flags: approval1.9.0.16?
Attachment #397109 - Flags: approval1.9.0.16+
Comment 11 • 15 years ago
jst: this needs a 1.9.2 branch approval
Updated • 15 years ago
Attachment #397109 - Flags: approval1.9.2? → approval1.9.2+
Comment 12 • 15 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e2c8fee94aff
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b8ae3dc97cea
status1.9.1: --- → .6-fixed
status1.9.2: --- → final-fixed
Comment 13 • 15 years ago
Checking in src/XPCDispPrivate.h;
/cvsroot/mozilla/js/src/xpconnect/src/XPCDispPrivate.h,v <-- XPCDispPrivate.h
new revision: 1.25; previous revision: 1.24
done
Checking in src/XPCIDispatchExtension.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp,v <-- XPCIDispatchExtension.cpp
new revision: 1.24; previous revision: 1.23
done
Checking in src/nsXPConnect.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/nsXPConnect.cpp,v <-- nsXPConnect.cpp
new revision: 1.175; previous revision: 1.174
done
Checking in src/xpcjsruntime.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp,v <-- xpcjsruntime.cpp
new revision: 1.75; previous revision: 1.74
done
Checking in src/xpcprivate.h;
/cvsroot/mozilla/js/src/xpconnect/src/xpcprivate.h,v <-- xpcprivate.h
new revision: 1.287; previous revision: 1.286
done
Keywords: fixed1.9.0.16
Comment 14 • 15 years ago
Verified for 1.9.0.16 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.16 → verified1.9.0.16
Updated • 15 years ago
Alias: CVE-2009-3987