Archive for March 27th, 2009

In a twisted reverse April fool, Mozilla decided to bring the release forward from April 1st: it's today, folks.

As you may already know, it fixes:

  1. the mysterious flaw exploited by "Nils" at the CanSecWest Pwn2Own contest, at the speed of light (the IE8 and Safari vulnerabilities revealed the same day are still unpatched);
  2. the XSLT processing bug which I wrote about yesterday.

The current stable NoScript version (1.9.1.4) prevents the XSLT crash from being exploited for malicious purposes, by defeating heap spray attempts which require JavaScript, Java or Flash. That's very good, but not enough: a crash is still annoying even if it cannot install malware, notwithstanding session restore.

Since we can (un)safely assume this is not the only potentially exploitable XSLT parser bug hanging around, today I released the NoScript 1.9.1.5 development build, featuring specific XSLT protection: XSL stylesheets won't be processed unless they're from a trusted source and their parent document is trusted as well. This countermeasure effectively prevents malicious sites from crashing (or, worse, compromising) your browser through this or any other XSLT bug discovered in the future. As NoScript's motto says, defeating "exploitation of security vulnerabilities, known and even not known yet!" :)
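The rule described above (process an XSL stylesheet only if both it and its parent document are trusted), sketched as an added example that is not NoScript's own code. The allowlist contents, the host-or-subdomain trust test and all function names are assumptions made for illustration.

```javascript
// Added illustration, not NoScript's implementation.
// Assumption: a URL is trusted when it is http(s) and its host is on,
// or is a subdomain of, an allowlisted site.
const TRUSTED_SITES = new Set(["example.org", "intranet.example"]); // constructed

function isTrusted(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  for (const site of TRUSTED_SITES) {
    if (u.hostname === site || u.hostname.endsWith("." + site)) return true;
  }
  return false;
}

// Collect hrefs of <?xml-stylesheet ...?> processing instructions.
// Fail closed: anything not explicitly text/css is treated as possible XSL.
function xslStylesheetHrefs(xmlText) {
  const hrefs = [];
  for (const pi of xmlText.matchAll(/<\?xml-stylesheet\s+([\s\S]*?)\?>/g)) {
    const attrs = {};
    for (const a of pi[1].matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
      attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
    }
    const type = (attrs.type || "").toLowerCase();
    if (attrs.href && type !== "text/css") hrefs.push(attrs.href);
  }
  return hrefs;
}

// One decision per stylesheet: allowed only if parent AND stylesheet are trusted.
function xsltDecisions(documentUrl, xmlText) {
  const parentTrusted = isTrusted(documentUrl);
  return xslStylesheetHrefs(xmlText).map((href) => {
    let resolved = null;
    try { resolved = new URL(href, documentUrl).href; } catch { /* unparsable */ }
    const allow = parentTrusted && resolved !== null && isTrusted(resolved);
    return { href, resolved, allow };
  });
}

// Constructed sample document with a relative and a cross-site stylesheet.
const SAMPLE = `<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="style.xsl"?>
<?xml-stylesheet type="text/xsl" href="http://untrusted.example.net/other.xsl"?>
<?xml-stylesheet type="text/css" href="look.css"?>
<root/>`;
```

Relative hrefs are resolved against the parent document first, so a trusted page cannot pull in an untrusted stylesheet and an untrusted page cannot borrow a trusted one.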
