from Hacker News

How is my Browser blocking RWX execution?

by lucasRW on 1/5/25, 11:08 AM with 33 comments

  • by cmeacham98 on 1/8/25, 3:17 AM

    > this is probably a mitigating control which would make exploit development much harder in case an exploit chain attempted to leverage one of those RWX areas for execution

    This didn't pass the sniff test for me - this doesn't do anything to protect existing RWX regions, and a theoretical attacker that has the ability to inject arbitrary DLLs into the browser process already has access far beyond what the browser could protect.

    Fortunately, because the browser in question (Firefox) is open source, we can find the change that added this code. This is a bit of a pain because the file has been renamed twice, but here it is: https://hg.mozilla.org/mozilla-central/rev/7d2e74c69253e57fd...

    And if we read the associated bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1322554) we can see this is described as a "policy decision", and this entire section of the code isn't exploit mitigation, but rather intended to block broken third-party programs from injecting their buggy and poorly written DLLs into Firefox and causing bugs that users report to Mozilla.

  • by cma on 1/8/25, 1:50 AM

    They just use the acronym EDR without introducing it; it's "Endpoint Detection and Response".

  • by dblohm7 on 1/8/25, 5:16 PM

    The browser is Firefox, and I'm the engineer (no longer at Mozilla) who spearheaded the development of this. AMA.

  • by atesti on 1/8/25, 7:59 AM

    While security software and antivirus deserve all the injection blocking they may get, we must also consider how to bypass these mechanisms when it's about reenabling adblocking by injecting DLLs in the browser for request blocking etc.

  • by m3047 on 1/8/25, 6:49 PM

    Just the other day I saw a shitpost from someone to the effect that if "BDR" is a thing they're going to quit cybersecurity entirely. Did you know there is a company actually offering BDR? Apparently that's true.

  • by Retr0id on 1/8/25, 1:37 AM

    > Note: this may be overzealous but to avoid legal issues I will not name that browser or the files/functions involved

    Curious, anyone else want to name the browser?