Opened 4 years ago

Closed 3 years ago

Last modified 2 years ago

#16652 closed task (fixed)

Review vulnerability history from FF31 to FF45

Reported by: mikeperry Owned by: gk
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, GeorgKoppen201607, TorBrowserTeam201607, tbb-security-slider
Cc: gk, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor: SponsorU

Description

The Security Slider values were set based on a review of historical vulnerabilities. We should try to skim through https://www.mozilla.org/security/known-vulnerabilities/firefox.html from FF31 to FF38 to see if any new patterns have emerged, and if we should add other prefs to the slider.

If this proves useful, we should also make this part of our rebasing process.

One tricky bit will be untangling all of the "Miscellaneous memory safety hazard" bugs..

Child Tickets

Attachments (2)

vuln_hist_esr38 (1.0 KB) - added by gk 3 years ago.
vuln_hist_esr45 (1.3 KB) - added by gk 3 years ago.

Download all attachments as: .zip

Change History (22)

comment:1 Changed 4 years ago by gk

Cc: gk added
Keywords: tbb-security added

comment:2 Changed 4 years ago by mcs

Cc: mcs added

comment:3 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201508 added; TorBrowserTeam201507 removed

comment:4 Changed 4 years ago by mikeperry

Keywords: tbb-5.0 removed

We're not likely to change the 5.0 security slider settings, though we still should try to dig through these bugs.

comment:5 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201509 added; TorBrowserTeam201508 removed

Move remaining August tickets to September.

comment:6 Changed 4 years ago by gk

Keywords: TorBrowserTeam201510 added; TorBrowserTeam201509 removed

Moving Tor Browser tickets to October 2015.

comment:7 Changed 4 years ago by gk

Keywords: TorBrowserTeam201511 added; TorBrowserTeam201510 removed

comment:8 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201512 added; TorBrowserTeam201511 removed

comment:9 Changed 4 years ago by gk

Keywords: TorBrowserTeam201601 added; TorBrowserTeam201512 removed

Tickets for Jan 2016.

comment:10 Changed 4 years ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed

Putting stuff on the radar for February.

comment:11 Changed 4 years ago by cypherpunks

Priority: MediumHigh
Severity: Normal

comment:12 Changed 4 years ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:13 Changed 3 years ago by gk

Keywords: TorBrowserTeam201606 GeorgKoppen201606 added; TorBrowserTeam201603 removed
Owner: changed from tbb-team to gk
Status: newassigned
Summary: Review vulnerability history from FF31 to FF38Review vulnerability history from FF31 to FF45

comment:14 Changed 3 years ago by gk

Sponsor: SponsorU

Changed 3 years ago by gk

Attachment: vuln_hist_esr38 added

comment:15 Changed 3 years ago by gk

Attached is the vulnerability history from June 10 2014 - May 12 2015. (up to and including ESR38)

comment:16 Changed 3 years ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:17 Changed 3 years ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

Changed 3 years ago by gk

Attachment: vuln_hist_esr45 added

comment:18 Changed 3 years ago by gk

The one from July 2 2015 - March 8 2016 (up to and including ESR45) got added as well.

comment:19 Changed 3 years ago by gk

Resolution: fixed
Status: assignedclosed

Here are the combined results showing the affected components up to and including ESR45. Counted are sec-high and sec-crit rated vulnerabilities. Components with a single issue are omitted. Subcomponents are merged in almost all cases but are visible in the attached documents.

JS (GC + Engine) 57
JS JIT 30
asm.js 3
Grpahics 38
DOM 35
Audio/Video 28 (MSE 2)
Web Audio 8
OpenH264 5
WebRTC 20
Networking 14
ImageLib 13
Canvas (WebGL + 2D) 9
Plugins 9
NSS 8
CSS Parsing and Computation 8
Application Update 6
SVG 4
XPConnect 4
XPCOM 4
Document Navigation 3
HTML: Parser 3
Autocomplete 2
NSPR 2
XBL 2
IPC 2
Widget: Gtk 2

Ca. 220 CVEs were looked at.

One interesting find is the Graphics component with 38 vulnerabilities which is missing in the original iSEC report. Maybe that corresponds to the Undetermined 5 or there just have not been any vulnerabilities in that time frame. Anyway, the bulk of those vulnerabilities is related to Graphite (more than 50% of the bugs found in this component are related to that library) which is why we have using that library disabled by default.

Another notable find is that MSEs are affected, too, by critical bugs and should thus be part of our security slider treatment as well (see: #19200 for the respective bug).

Apart from that I think we are fine with our current security slider settings even though bugs related to it exist, e.g. #19210.

comment:20 Changed 2 years ago by gk

Keywords: tbb-security-slider added
Note: See TracTickets for help on using tickets.