Mozilla last week removed the latest update of its Firefox web browser just a day after it was released after a serious security vulnerability was discovered.
However, comfort does not come without cost. Executing code that originates from an untrusted environment, such as a web page, on a trusted environment, such as the user's computer, without proper protection is obviously risky.
A browser aims to provide protection by executing the script within a protected environment or sandbox. The sandbox makes sure that the script is confined to performing web-related actions and, therefore, cannot attack non-web related objects.
By implementing this policy, a malicious script cannot read secret files from the user computer, for example.
To prevent that, browsers may implement a same origin policy. Here, not only is the script confined to web actions, but it can only perform such actions on the site that provided the script. In the previous example, the browser wouldn't allow the script that originated from one site to interact with the bank domain.
In previous Firefox versions, the same origin policy successfully obstructed such requests. In Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing leakage of personal data – in this example, the victim's Twitter ID.
Tal Be'ery is a web researcher at Imperva
Telco also announced series of initiatives to drive digital growth in the UK
Nana Baffour opens up on Getronics' mammoth acquisition of Pomeroy
Analyst predicts SaaS will remain the dominant segment in the market as it grows 17 per cent in 2019
NSS Labs claims vendors are refusing to have their products tested effectively and are trying to restrict its access