#16652 closed task (fixed)
Review vulnerability history from FF31 to FF45
| Reported by: | mikeperry | Owned by: | gk |
|---|---|---|---|
| Priority: | High | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-security, GeorgKoppen201607, TorBrowserTeam201607, tbb-security-slider |
| Cc: | gk, mcs | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: | SponsorU |
Description
The Security Slider values were set based on a review of historical vulnerabilities. We should try to skim through https://www.mozilla.org/security/known-vulnerabilities/firefox.html from FF31 to FF38 to see if any new patterns have emerged, and if we should add other prefs to the slider.
If this proves useful, we should also make this part of our rebasing process.
One tricky bit will be untangling all of the "Miscellaneous memory safety hazard" bugs..
Child Tickets
Attachments (2)
Change History (22)
comment:1 Changed 4 years ago by
| Cc: | gk added |
|---|---|
| Keywords: | tbb-security added |
comment:2 Changed 4 years ago by
| Cc: | mcs added |
|---|
comment:3 Changed 4 years ago by
| Keywords: | TorBrowserTeam201508 added; TorBrowserTeam201507 removed |
|---|
comment:4 Changed 4 years ago by
| Keywords: | tbb-5.0 removed |
|---|
comment:5 Changed 4 years ago by
| Keywords: | TorBrowserTeam201509 added; TorBrowserTeam201508 removed |
|---|
Move remaining August tickets to September.
comment:6 Changed 4 years ago by
| Keywords: | TorBrowserTeam201510 added; TorBrowserTeam201509 removed |
|---|
Moving Tor Browser tickets to October 2015.
comment:7 Changed 4 years ago by
| Keywords: | TorBrowserTeam201511 added; TorBrowserTeam201510 removed |
|---|
comment:8 Changed 4 years ago by
| Keywords: | TorBrowserTeam201512 added; TorBrowserTeam201511 removed |
|---|
comment:9 Changed 4 years ago by
| Keywords: | TorBrowserTeam201601 added; TorBrowserTeam201512 removed |
|---|
Tickets for Jan 2016.
comment:10 Changed 4 years ago by
| Keywords: | TorBrowserTeam201602 added; TorBrowserTeam201601 removed |
|---|
Putting stuff on the radar for February.
comment:11 Changed 4 years ago by
| Priority: | Medium → High |
|---|---|
| Severity: | → Normal |
comment:12 Changed 4 years ago by
| Keywords: | TorBrowserTeam201603 added; TorBrowserTeam201602 removed |
|---|
comment:13 Changed 4 years ago by
| Keywords: | TorBrowserTeam201606 GeorgKoppen201606 added; TorBrowserTeam201603 removed |
|---|---|
| Owner: | changed from tbb-team to gk |
| Status: | new → assigned |
| Summary: | Review vulnerability history from FF31 to FF38 → Review vulnerability history from FF31 to FF45 |
comment:14 Changed 4 years ago by
| Sponsor: | → SponsorU |
|---|
Changed 3 years ago by
| Attachment: | vuln_hist_esr38 added |
|---|
comment:15 Changed 3 years ago by
Attached is the vulnerability history from June 10 2014 - May 12 2015. (up to and including ESR38)
comment:16 Changed 3 years ago by
| Keywords: | GeorgKoppen201607 added; GeorgKoppen201606 removed |
|---|
Moving my tickets
comment:17 Changed 3 years ago by
| Keywords: | TorBrowserTeam201607 added; TorBrowserTeam201606 removed |
|---|
Changed 3 years ago by
| Attachment: | vuln_hist_esr45 added |
|---|
comment:18 Changed 3 years ago by
The one from July 2 2015 - March 8 2016 (up to and including ESR45) got added as well.
comment:19 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Here are the combined results showing the affected components up to and including ESR45. Counted are sec-high and sec-crit rated vulnerabilities. Components with a single issue are omitted. Subcomponents are merged in almost all cases but are visible in the attached documents.
JS (GC + Engine) 57
JS JIT 30
asm.js 3
Grpahics 38
DOM 35
Audio/Video 28 (MSE 2)
Web Audio 8
OpenH264 5
WebRTC 20
Networking 14
ImageLib 13
Canvas (WebGL + 2D) 9
Plugins 9
NSS 8
CSS Parsing and Computation 8
Application Update 6
SVG 4
XPConnect 4
XPCOM 4
Document Navigation 3
HTML: Parser 3
Autocomplete 2
NSPR 2
XBL 2
IPC 2
Widget: Gtk 2
Ca. 220 CVEs were looked at.
One interesting find is the Graphics component with 38 vulnerabilities which is missing in the original iSEC report. Maybe that corresponds to the Undetermined 5 or there just have not been any vulnerabilities in that time frame. Anyway, the bulk of those vulnerabilities is related to Graphite (more than 50% of the bugs found in this component are related to that library) which is why we have using that library disabled by default.
Another notable find is that MSEs are affected, too, by critical bugs and should thus be part of our security slider treatment as well (see: #19200 for the respective bug).
Apart from that I think we are fine with our current security slider settings even though bugs related to it exist, e.g. #19210.
comment:20 Changed 2 years ago by
| Keywords: | tbb-security-slider added |
|---|
We're not likely to change the 5.0 security slider settings, though we still should try to dig through these bugs.