Bug 503451 - (CVE-2009-3987) GeckoActiveXObject exception messages can be used to enumerate installed COM objects
status1.9.0.16: verified
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Benjamin Smedberg [:bsmedberg]
QA Contact: Andrew Overholt [:overholt]
Reported: 2009-07-09 18:57 PDT by Gregory Fleischer
Modified: 2016-03-10 08:05 PST
CC: 15 users

Attachments:
 - example of COM object enumeration (2.36 KB, text/html), 2009-07-09 18:59 PDT, Gregory Fleischer, no flags
 - Remove GeckoActiveXObject and similar unnecessary globals, rev. 1 (11.66 KB, patch), 2009-08-27 14:09 PDT, Benjamin Smedberg [:bsmedberg]; flags: mrbkap: review+, jst: superreview+, jst: approval1.9.2+, dveditz: approval1.9.1.6+, dveditz: approval1.9.0.16+

Description Gregory Fleischer 2009-07-09 18:57:39 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090708 Shiretoko/3.5.1pre

The exception messages from GeckoActiveXObject differ based on whether the requested COM object ProgID is present in the Windows registry.

Exception messages:
 - COM object not installed: COM Error Result = 800401f3
 - COM object installed: COM Error Result = 80004005

By creating an extensive list of ProgIDs it would be possible to profile a user. Some software installs different ProgIDs based on version, so specific version detection is also possible.

This behavior may lead to a loss of user privacy or allow for targeted exploitation.

Reproducible: Always
Comment 1 Gregory Fleischer 2009-07-09 18:59:19 PDT
Created attachment 387800 [details]
example of COM object enumeration

Brief example demonstrating how COM objects can be enumerated based on exception message differences.
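The oracle described in the report, as an added illustration that is not the reporter's attachment or Mozilla's patch: a simulated `GeckoActiveXObject` that throws the two HRESULTs quoted above depending on a constructed stand-in for the registry, beside a wrapper that collapses both failures into one message so the exception text no longer depends on what is installed. The actual fix in this bug removed the global entirely; the wrapper only shows the uniform-error principle, and the ProgIDs are made up for the demo.

```javascript
// Constructed stand-in for the set of ProgIDs registered in the Windows
// registry on this machine (hypothetical names, not real software).
const INSTALLED_PROGIDS = new Set(["Demo.Installed.1"]);

// Models the pre-fix behaviour quoted in the report: CO_E_CLASSSTRING
// (0x800401f3) when the ProgID is unknown, E_FAIL (0x80004005) when it
// resolves but construction still fails. The HRESULT names are standard
// COM constants, not something the report states.
function leakyActiveXObject(progId) {
  const hr = INSTALLED_PROGIDS.has(progId) ? "80004005" : "800401f3";
  throw new Error("COM Error Result = " + hr);
}

// Hardened form: every failure is reported with one constant message, so a
// page observing the exception learns nothing about registry state.
function uniformActiveXObject(progId) {
  try {
    return leakyActiveXObject(progId);
  } catch (e) {
    throw new Error("ActiveX objects are not available to web content");
  }
}

// Returns the exception message a page would see when it tries to construct
// `progId` through `ctor`; that message is the observable the report is about.
function observe(ctor, progId) {
  try {
    ctor(progId);
    return "no exception";
  } catch (e) {
    return e.message;
  }
}

// True when an installed and a missing ProgID yield different messages,
// i.e. when `ctor` works as an enumeration oracle.
function distinguishes(ctor) {
  return observe(ctor, "Demo.Installed.1") !== observe(ctor, "Demo.Missing.1");
}
```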
Comment 2 Jesse Ruderman 2009-08-19 17:05:27 PDT

bsmedberg, do you know this code, or know who does?  I can't even find the code.
Comment 3 Benjamin Smedberg [:bsmedberg] 2009-08-20 12:49:32 PDT

I think those bits can be safely completely removed.
Comment 4 Benjamin Smedberg [:bsmedberg] 2009-08-27 14:09:58 PDT
Created attachment 397109 [details] [diff] [review]
Remove GeckoActiveXObject and similar unnecessary globals, rev. 1
Comment 5 Blake Kaplan (:mrbkap) 2009-08-27 14:16:16 PDT
Comment on attachment 397109 [details] [diff] [review]
Remove GeckoActiveXObject and similar unnecessary globals, rev. 1

Can I give more than 1 r+?
Comment 6 timeless 2009-09-01 03:16:10 PDT
so um. before we go off removing stuff which was added by AOL, we could talk to the people who remember it.

bsmedberg: you claim it isn't usable by content at all. Suppose content has universalxpconnect, is it still unusable?

I'm not actively defending the feature (I remember it, and I think I understand its goals).
Comment 7 Benjamin Smedberg [:bsmedberg] 2009-09-01 06:12:34 PDT
I do not think it is necessary to walk into the mists of time in order to remove features that are clearly not an important part of the web platform nor of our extension platform. We will be removing idispatch scripting altogether as soon as WinMo doesn't depend on it for the activex bridge.
Comment 8 David Bradley 2009-09-01 06:26:52 PDT
The only issue that I know of around this outside of the obvious direct use is for browser sniffing. Supposedly some sites were using the presence to determine the browser. Obviously not the proper way to do it, but there were sites doing it. Hopefully they're gone now :-)
Comment 9 Benjamin Smedberg [:bsmedberg] 2009-09-17 10:58:03 PDT
Comment 10 Daniel Veditz [:dveditz] 2009-10-16 10:29:37 PDT
Comment on attachment 397109 [details] [diff] [review]
Remove GeckoActiveXObject and similar unnecessary globals, rev. 1

Approved for and, a=dveditz for release-drivers
Comment 11 Daniel Veditz [:dveditz] 2009-10-16 10:30:46 PDT
jst: this needs a 1.9.2 branch approval
Comment 13 Daniel Veditz [:dveditz] 2009-11-11 00:16:03 PST
Checking in src/XPCDispPrivate.h;
/cvsroot/mozilla/js/src/xpconnect/src/XPCDispPrivate.h,v  <--  XPCDispPrivate.h
new revision: 1.25; previous revision: 1.24
Checking in src/XPCIDispatchExtension.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp,v  <--  XPCIDispatchExtension.cpp
new revision: 1.24; previous revision: 1.23
Checking in src/nsXPConnect.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/nsXPConnect.cpp,v  <--  nsXPConnect.cpp
new revision: 1.175; previous revision: 1.174
Checking in src/xpcjsruntime.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp,v  <--  xpcjsruntime.cpp
new revision: 1.75; previous revision: 1.74
Checking in src/xpcprivate.h;
/cvsroot/mozilla/js/src/xpconnect/src/xpcprivate.h,v  <--  xpcprivate.h
new revision: 1.287; previous revision: 1.286
Comment 14 Al Billings [:abillings] 2009-11-23 15:43:34 PST
Verified for with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729).