ASLR to be mandatory for binary Firefox extensions
A patch that was recently introduced to the Firefox repository is designed to make the browser more secure by forcing certain binary extensions to use ASLR (Address Space Layout Randomisation) under Windows. The Mozilla developers say that the change, which will prevent XPCOM (Cross Platform Component Object Module) component DLLs without ASLR from loading, should be included in Firefox 13 "if no unexpected problems arise".
This could, for example, affect products from anti-virus firms Symantec and McAfee. As recently as last year, these products were noted installing DLLs (Dynamic Link Libraries) that were compiled without ASLR in the browser, enabling malware to predict with relative ease the memory addresses that are used for heap and stack areas by the DLLs. ASLR is designed to randomise all memory addresses, so that the program components in question will be placed in different locations each time they start.
Kyle Huey, the author of the patch, notes that, since ASLR is enabled by default in modern versions of Visual Studio, the patch has no drawbacks for binary extension developers, and that they will only need to ensure that they haven't turned it off. Commenting on Bugzilla, Huey said that implementing the patch for all shared DLLs proved too difficult. Only libraries that use Mozilla's XPCOM framework are affected by the change.
(crve)