Security/Sandbox/2016-12-01

« previous week | index | next week »

bobowen

• bug 1147911 - Use a separate content process for file:// URLs
  • landed - working on follow-ups
• bug 1279699 - Crash in OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | std::_Allocate | std::basic_stringbuf<T>::overflow
  • landed fix to use temporary files instead.
  • uplifted to beta, but seems to have caused / uncovered crashes later on - investigating now.
• bug 1273372 - [EME] Crash in mozilla::gmp::GMPChild::ProcessingError - (Applocker)
  • have patches for this that seem to work for reporter - need to get them up for review

tedd

• bug 1104619 - Audio remoting
  • Had to rewrite a lot of code
  • Talked to billm, implementing his suggestions, move away from PBackground, implement my own top-level protocol
• bug 1320085 - Fedora 26 prlimit64 issue - reviewed patch

aklotz

• bug 1319640 - a11y+e10s+sandboxing+plugins = fun. Had to remote a call to AccessibleObjectFromWindow. r+, should land today

gcp

• bug 1284912 2.88% ts_paint (linux64) regression on push 23140396a80eb27ff586c41fdc1cad62c875c9b1 (Tue Jul 5 2016)
• Lots of investigation on Talos
• bug 1309205 - "Print to file" fails silently on Ubuntu16.04LTS feedback from font people

haik

• bug 1314056 - Enable Mac content sandbox level 1 in 52
  • Uplifted to Aurora (along with all dependencies)
• bug 1309394 - Introduce automated tests to validate content process sandboxing works as intended
  • Got review comments from Bob, looking into using ContentTask.spawn instead
• bug 1321053 - my cannon pixma printer will no longer print in grayscale, it will with safari, this is not a printer problem
  • Seems to be fixed already by remote printing for Mac, need to root cause

handyman

• bug 1315325 - Add telemetry to measure use of NPAPI NPN Get/Post URL apis
  • review
• bug 1185472 - Only allow NPAPI HWNDs to be adopted by an HWND in the chrome process.
  • review
• bug 1284897 - 64 bit Flash Player has storage permissions issues
  • review
• bug 1273091 - Mouse cursor does not disappear in html5 fullscreen video on Windows
  • landed
  • waiting for regressions. If none, uplift to Aurora/Beta

jld

• bug 1320085 - Deal with using prlimit64 to implement getrlimit: landed
• bug 1257361: wrote patch
• bug 1320834 - restrict prctl for desktop: filed and investigated
  • (dup of bug 1302714?, should mark 1302714 as dup of this one, you have more information)
  • (Oops. —jld)

round table

• sandbox meet up in Hawaii ---> Wednesday @ 1pm
  • discussion points / goals
  • other people we might want to meet with? (gfx?)
• Friday security meeting / standups
• dinner in Hawaii? We have a stipend to spend and there are a number of restaurants.
• bug 1286865 - non-fatal sandbox violation reporting
  • What does Chrome do?
• Network isolation blockers?
  • Tests — Linux only, or all platforms?
  • PulseAudio.
  • What controls net access on Windows?
• haik PTO

exploit CVE-2016-9079

<gcp> https://paste.sh/ShvF8IRP#o2CC1uJifewgaLtX1agM8r3w <gcp> annotated shellcode <gcp> LoadLibraryA <gcp> ws2_32_WSAStartup <gcp> ws2_32_WSASocketA <gcp> iphlpapi_SendARP <gcp> ; GET /0a821a80/05dc0212 HTTP/1.1 <gcp> ; Host: User-PC <gcp> ; Cookie: MC=08002703DFB8 <gcp> ; Accept-Encoding: gzip

• Current Windows/Linux sandboxing wouldn't help deanonymization, but might interfere with modifying the exploit to leave a rootkit instead.
• Mac sandbox already disallows network-outbound.
• Threat models:
  • Network access bypassing Tor proxy
  • Obtaining PII somehow, exfiltrating via normal HTTP(S)

some "analysis" https://blog.gdatasoftware.com/2016/11/29346-firefox-0-day-targeting-tor-users (haven't looked at it yet, friend hinted me to it), not very in depth, but might be worth a read