Firefox Plugs Holes In Their Sandbox

On Tuesday of this week, Mozilla released a patch for Firefox that removed a pair of use-after-free bugs from the browser. These zero-day bugs allowed attackers to abuse thread shutdowns and text reflows to escape from the security sandbox and possibly launch RCE attacks on victims. A third bug, also patched, had allowed an escape from the security sandbox using an iframe. Once out, code that had previously been trapped in the sandbox was free to launch an attack and wreak havoc.

What is Use-After-Free?

So what exactly is a use-after-free bug? Well, a UAF occurs when a register within the heap memory of a program is emptied, but not set to null. When this happens, it allows a knowledgeable user to access that register and insert their own data into it. An attacker can then use this vulnerability to insert malicious code into an instance of the heap, allowing them to release said malicious code from the confines of the security sandbox. This would allow an attacker to launch Remote Code Execution attacks, or RCEs for short, on victims’ computers if they access the “empty” register during their browsing.
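The scenario the post describes, a freed piece of heap memory that a lingering reference can still reach after it has been handed to something else, is easiest to see in a small model. The following is an added example written for this post; it is not Firefox code, not Mozilla’s fix, and not taken from any of the linked articles. It models a tiny slot allocator whose handles carry a generation number (an illustrative mitigation, assumed here for the demonstration): freeing a slot bumps its generation and poisons its bytes, so a stale handle is rejected instead of silently reading or writing the new occupant’s data.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the post or Mozilla): a tiny slot allocator
 * whose handles carry a generation number. A stale handle, the UAF
 * pattern the post describes, is rejected instead of reaching memory
 * that has since been handed to a new object. */

#define POOL_SLOTS 4
#define SLOT_BYTES 32

typedef struct {
    int alive;               /* 1 while allocated */
    unsigned gen;            /* bumped on every free */
    char data[SLOT_BYTES];
} Slot;

typedef struct {
    int idx;                 /* slot index, -1 = invalid */
    unsigned gen;            /* generation the handle was issued under */
} Handle;

static Slot pool[POOL_SLOTS];   /* constructed in-memory "heap" */

/* Hand out the first free slot, tagged with its current generation. */
Handle pool_alloc(void) {
    Handle h = { -1, 0 };
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].alive) {
            pool[i].alive = 1;
            memset(pool[i].data, 0, SLOT_BYTES);
            h.idx = i;
            h.gen = pool[i].gen;
            return h;
        }
    }
    return h;  /* pool exhausted */
}

/* Resolve a handle; returns NULL for a freed or reused slot (stale handle). */
char *pool_get(Handle h) {
    if (h.idx < 0 || h.idx >= POOL_SLOTS) return NULL;
    Slot *s = &pool[h.idx];
    if (!s->alive || s->gen != h.gen) return NULL;   /* use-after-free caught */
    return s->data;
}

/* Free a slot: bump the generation so every outstanding handle goes stale,
 * and poison the bytes so leftover data cannot be silently reused. */
int pool_free(Handle h) {
    if (pool_get(h) == NULL) return 0;   /* double free or stale handle */
    Slot *s = &pool[h.idx];
    s->alive = 0;
    s->gen++;
    memset(s->data, 0xAA, SLOT_BYTES);
    return 1;
}

/* Scenario from the post: object A is freed, its slot is reassigned to
 * object B, and a lingering reference to A is used. Returns 1 if the
 * stale reference was rejected and B's data left untouched, 0 otherwise. */
int demo_stale_reference_rejected(void) {
    memset(pool, 0, sizeof pool);
    Handle a = pool_alloc();
    strcpy(pool_get(a), "object A");
    pool_free(a);

    Handle b = pool_alloc();             /* same slot index, new generation */
    strcpy(pool_get(b), "object B");

    char *via_stale = pool_get(a);       /* dangling reference */
    int same_slot = (a.idx == b.idx);
    int b_intact = strcmp(pool_get(b), "object B") == 0;
    return via_stale == NULL && same_slot && b_intact;
}

/* A double free is rejected for the same reason. */
int demo_double_free_rejected(void) {
    memset(pool, 0, sizeof pool);
    Handle a = pool_alloc();
    int first = pool_free(a);
    int second = pool_free(a);
    return first == 1 && second == 0;
}

int main(void) {
    printf("stale reference rejected: %d\n", demo_stale_reference_rejected());
    printf("double free rejected: %d\n", demo_double_free_rejected());
    return 0;
}
```

With a plain `malloc`/`free`, the stale pointer in `demo_stale_reference_rejected` would resolve to the same bytes now belonging to object B, which is the condition an attacker needs; the generation check turns that into a clean failure. Sanitizers and hardened allocators apply the same idea (quarantine, poisoning, tagging) to real heaps, which is why building and fuzzing with them catches this bug class before release.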

What is the security sandbox and why does it matter?

At this point, I have also made several references to the security sandbox, so what is that? The security sandbox works similarly to a virtual machine, in that it emulates the environment of a host device while keeping all programs executed within the sandbox from escaping onto the user’s primary system. With this in mind, we can illustrate the threat that escaping the sandbox poses with an example. Imagine, for the sake of argument, that you filled a physical sandbox with bleach. That bleach can only attack whatever you put in the sandbox, but can’t burn any of the grass lying just beyond the border. However, if you were to poke a hole in the side of the sandbox, all that bleach would flow out and ruin your garden.

Now, let’s take our example and apply it to a computer, but instead of bleach, we have a malicious virus ready to eat away at our private data. The same problem occurs when a hole emerges, whether through one of the UAFs or through the iframe bug. Now, instead of a garden being turned into no-man’s-land by bleach, your computer has been infected with a virus. This is the risk that these bugs, which have thankfully been fixed, posed.

So What Now?

The three bugs mentioned above aren’t the only sandbox-breaking holes that Firefox has sealed up in recent history. Only this past Saturday, Firefox released another patch that fixed a different pair of UAFs that were even more dangerous than the two mentioned above. If it weren’t for the bounty hunters who found these bugs, or who are credited with bringing them to Mozilla’s attention, these bugs could have caused a lot of serious issues for the general public. How swiftly Mozilla worked to patch these bugs once they were brought to their attention just goes to show that cyber security is highly prioritised. Their team is working hard to bring its users a safe environment for scrolling about the near-infinite realm known as the internet.

Resources:

https://www.firewalls.com/blog/security-terms/use-free-uaf/#:~:text=Use%20After%20Free%20(UAF)%20refers,been%20assigned%20to%20another%20application.

https://encyclopedia.kaspersky.com/glossary/use-after-free/

https://threatpost.com/firefox-zero-day-bugs-rce-sandbox-escape/178779/

https://www.forcepoint.com/cyber-edu/sandbox-security

https://www.mozilla.org/en-US/security/advisories/mfsa2022-10/

Published by Michael Kacmar

2 Truths 1 Lie: I once closed my head in a car door, I broke a bone because of a discontinued pair of shoes, I once accidentally strangled my brother with a swing.


23 Comments

  1. Very interesting post to read! I had heard of “use-after-free” bugs before, but I did not know that they occurred when emptied registers are not set to null. While somewhat unnerving, I think the concept of being able to attack victims’ computers from within the confines of a virtual machine (or something similar, like the security sandbox you mentioned) is very fascinating. Also, I think that you did a great job at explaining this concept with your “bleach” example; it certainly helped me visualize what these malicious viruses are doing in these types of cyberattacks!

  2. Interesting post here. Being able to attack another’s computer with the security sandbox is quite interesting. It seems the problem was evolving for a little bit as Firefox has even been recently releasing newer patches to fix these issues. It is good to hear that the team is working to bring more security for internet scrolling.

  3. It seems like the majority of people getting infected through these bugs, like the use-after-free bugs, are computer security professionals, as they may use the sandbox to test some malware. I wonder if these bugs were purposely targeting these people and how effective it actually was. Also, I thought the security sandbox was like a virtual machine, but I didn’t know that it could have bugs that could lead to malicious attacks. It seems like if these bugs were not patched, it could give a user a false sense of security, as people use things like VMs and sandboxes to protect themselves. I like how you included an analogy with the bleach and how you explained that the use-after-free bug happens when heap memory is emptied and not set to null, and where a malicious adversary could insert malicious code onto that heap.

  4. Nice work here. Bugs often seem small but have large impacts on a lot of software, which is why it is advised that code and programs be checked and updated as often as possible. They act as weak points which hackers can use to gain illegal information and thus pose a huge threat to the modern world of today; we should be careful to avoid any mistakes in the programs we create.

  5. Nice post! UAF bugs heighten vulnerability and if such vulnerabilities are exploited, the result can be data corruption, program crashes, and arbitrary code execution, none of which are desirable. I did some additional reading, and was surprised to find out that UAF bugs are fairly persistent in the world of browser exploitation, despite measures to mitigate their risks, which is especially considering as such bugs can be exploited to introduce malicious code.

  6. I use Firefox for basically all of my internet browsing, so hearing that their software has potential RCE vulnerabilities is very concerning. It’s good that bug bounty hunters (or whoever found these bugs) reported them to have them fixed, but it raises the question of how long these vulnerabilities had existed, whether people had been exploiting them before, and how many still exist that have yet to be patched.

  7. Very interesting post, this is a very scary vulnerability. Being able to utilize a sandbox to attack is scary as that’s the exact opposite of what sand-boxing is designed to handle. Vulnerabilities like these are truly terrifying especially when they’re “Zero Day” and thus a fix hasn’t been implemented if the developer even knows how they would implement it without further study. What worries me even more is that we rely on ethical individuals to report these vulnerabilities and we pay them much less than they’d fetch for the same information on the black market. Will be interesting to see how they proceed further in regards to potentially testing more extensively for vulnerabilities.

  8. Thanks for sharing such an interesting post! It’s very concerning that there could be so many vulnerabilities in our daily internet browsing software. Vulnerabilities like these can truly be dangerous and it’s really good that whoever located the bug reported it back to them so that it could be resolved. This raises the question how safe are we when we browse the internet? Are there more bugs out there that people have been exploiting?

  9. This is a good post. This post explains that the security sandbox can simulate the environment of the host equipment and prevent the programs executed in the sandbox from escaping to the user’s main system. This leads people to mistakenly believe that the safety of the safety sandbox is absolute. However, when UAF happens, the attacker will release malicious code from the security sandbox to remotely attack the computer. The vulnerabilities here are terrible and will bring viruses to the computer. The metaphor of bleach is vivid and can better help us understand the principle of safe sandbox. Therefore, timely detection and repair of these security vulnerabilities can improve the security performance of the security sandbox. At the same time, it can better improve the security of the network and avoid the infringement of users’ computers by viruses.

  10. I’ve seen a few blog posts where companies either decreased their bug bounty reward or eliminated it completely and it’s nice to see a rather large company take advantage of the third party individuals and are rewarding them properly. I did not know what the security sandbox was before reading your post and it did a really great job at explaining it. Personally, I do not use firefox consistently but have been thinking about switching my main browser and more open to switching to firefox. The company seems to be taking the bug reports seriously and hopefully that bug bounty system that they have in place will continue to result in decreased vulnerabilities in the browser.

  11. It’s something like this that makes me confident in my switch from Chrome to Firefox. It’s always good to see that a company actually cares about its security more than its public relations. Hopefully, this discovery will lead to further investigations into other possible vulnerabilities that could exist. I don’t think it’s practical or at all realistic to expect that software as large as Firefox is bug-free. There are just too many moving parts. What matters to me though is that they care about removing as many of these bugs as they possibly can and they’re definitely demonstrating that here.

  12. This is an interesting post! System vulnerabilities are probably the most feared thing for most programmers and companies, which means that others can easily enter your system, modify your information, and even cause major data leakage and property damage.

  13. Great post! I really enjoyed the parallel you drew between a literal sandbox and the computer sandbox that this post is about. It’s a good thing that this issue has been patched especially due to how many people use Firefox, many of whom use it as an alternative from the monopoly that is Google Chrome. These zero-day exploits are always scary as they often give attackers more time to abuse said exploits so it’s a good thing that their time has run out now.

  14. That’s a great post. Especially how you connected the Firefox bug fix to the security sandbox. I especially liked the bug fixing part, which is important in the field of computer science.

  15. An interesting, though a bit frightening post. I wonder, was this an outlier for mozilla, or is this something that happens all the time and is just generally not reported on. Putting it another way, was this indicative of something bigger being wrong with Firefox, or was this just the usual bug-tamping exercise that seems to frequently happen with software?

  16. Awesome post! Something like this gives me confidence in my decision to move from Chrome to Firefox. It’s always encouraging to see a corporation that prioritises security before public relations. Hopefully, this revelation will lead to more research into other potential security flaws. Expecting bug-free software as huge as Firefox is neither feasible nor possible in my opinion. At last, you did a great job!

  17. Really good post! I’m glad Firefox is my default browser. Releasing new patches which deal with bugs shows that the browser developers are trying their best to make sure everything is running smoothly and safely for the users. Props to the bounty hunters for finding all the bugs; I guess Mozilla offers a lot of money for anyone who can find these bugs, which can then be fixed (thus securing the browser even more). I am glad to see Mozilla pays a lot of attention to the security of its users.

