Mozilla Foundation Security Advisory 2006-31
EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
- Announced
- June 1, 2006
- Reporter
- moz_bug_r_a4
- Impact
- Moderate
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
-
- Firefox 1.5.0.4
- SeaMonkey 1.0.2
- Thunderbird 1.5.0.4
Description
Mozilla researcher moz_bug_r_a4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf() on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data.
In Mozilla clients the primary use for EvalInSandbox is to run the Proxy Autoconfig script should one be specified by your network administrator. This is a rare option for home users, it is primarily used by institutional networks which have a need for remote configuration.
The popular Greasemonkey extension uses EvalInSandbox to run userscripts which manipulate the web pages you visit on your behalf. Using this vulnerability a malicious userscript could gain enough privilege to install malware, but even when Greasemonkey is working as designed a malicious userscript can make life miserable. Only install userscripts from sources you can trust.
Workaround
On the Connection Settings preferences select either "Direct connection to the Internet" (the default) or "Manual proxy configuration."
If you use Greasemonkey user only install userscripts from trusted sources and inspect them for occurrances of valueOf(). Or simply disable Greasemonkey until you can upgrade to a newer version.