Firefox Screenshots Vunerability, one fix in latest.

Forum Forums General Software Firefox Screenshots Vunerability, one fix in latest.

Tagged: ,

  • This topic has 9 replies, 3 voices, and was last updated Jul 11-1:06 pm by Xunzi_23.
Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • #145623
    Member
    Xunzi_23

      #CVE-2024-5689 Fixed in Firefox 127 hopefully also in ESR

      From Release Notes.
      In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the
      ‘My Shots’ button that appeared, and direct the user to a replica Firefox Screenshots page that could be
      used for phishing. This was in conjunction to bug 1414937 which allowed websites to detect user taking a
      screenshot with the firefox tool.

      I still recommend to remove the hidden screenshot extension from all Firefox versions and derivatives
      including LibreWolf. Easy in Portable Version which is personal recommendation. Hidden extension are in
      folder browser/features, I remove all hidden extensions, on top ping sender crash dump updater. Do Not
      remove the .ini files, doing so will break the browser.

      Reccommend: Use antiX screenshot utility, it works fine and is as secure against remote attack as your
      system setup allows.

      Still waiting for LibreWolf to update to follow latest FF..

      #145724
      Member
      sybok

        FF usually fixes errors in both “latest” and ESR (if present in both).
        BTW, I dare to point out a configurable script helping to do (part of) the “lobotomization” of FF advocated by Xunzi_23:
        https://www.antixforum.com/forums/topic/firefox-updates-in-antix/#post-134050 (see also this and that post)

        As usual, use the script at your own risk.

        Suggestion @Xunzi_23: Perhaps, it would be a good practise to provide/link these few posts (for reference purposes) in your new ones related to FF’s privacy creep.

        #145728
        Member
        Xunzi_23

          Thank you sybok, agree it would be nicer to link previous posts,
          personal preference would be we had a sticky Browser and privacy
          theme, so much useful information is buried in the depths of the forum.

          I find the lobotomize script very useful,
          Still the need remains to check the browser/features folder
          as moz can add or subtract extensions as well as change the names.

          FF usually fixes errors in both “latest” and ESR (if present in both).

          IMPORTANT!
          The screenshot bug is not fixed in latest ESR according to release notes.
          for 115.12.0 Firefox ESR Released on June 11, 2024

          Users should be aware that Mozilla can and sometimes does quietly change user
          settings.

          For any user preferring security over convenience use firefox portable, i.e. download from
          Mozilla, setup in an unusual location with an unusual name, generated by pwgen is good.
          It makes you harder to attack, including I hope mitigation of induced crash followed by
          headless running.

          Adding to personal menu is pretty easy, I always, in addition, add to toolbar.

          I watch conky for mem usage changing unusually after any crash. Caught FF spawned headless
          more than once some time ago.

          marionette is worrying if an actor can respawn ff with –args -marionette he can controll the
          browser.

          I am hoping the argument user_pref("marionette", false); in my user.js will mitigate marionette harnessing possibility.

          LibreWolf is still not updated to follow latest mozilla changes so better to ensure the hidden
          screenshot extension has been removed.

          • This reply was modified 1 month ago by Xunzi_23.
          • This reply was modified 1 month ago by Xunzi_23.
          #148433
          Member
          sybok

            Users should be aware that Mozilla can and sometimes does quietly change user settings.

            I recently updated FF-ESR 115 on Windows by downloading the new ESR branch (128) *installer* before an update to it was offered from within the installed FF-ESR.
            It updated the browser while keeping history, bookmarks but changing settings to a… default Mozilla-friendlier.
            Not sure if this due to my haste – meaning that it would not happen when upgrading when switching to the new ESR branch is offered in the browser.

            #148435
            Member
            Xunzi_23

              Hi sybok, the change to settings should not happen with a normal update but my experience is it often does, as does
              creation of a new profile.

              Mozilla can and does remotely change settings to what they want, it is a feature not a bug. Some users were told they
              should update their profile. At least that is a warning and should be refused :-).

              If you start the new browser with an internet connection moz and friends grab your device Fingerprint, uuid and telemetry
              data.

              After a firefox update or fresh install I disconnect from the network then start the browser. Leave it for some minutes
              then check settings, update and clean my arkenfox userjs. If a new profile has been created, move userjavascript userchrome
              css, etc. to that.

              Systemd machine id is transmitted. Fix that. That id is needed for the system to work correctly so I do

              sudo rm -f /etc/machine-id and then dbus-uuidgen –ensure=/etc/machine-id
              sudo rm /var/lib/dbus/machine-id and re-create it: dbus-uuidgen –ensure

              Considering doing that every start or after updating. Would be nice automated.

              Only way to try and cure some of the symptoms is to add mozilla servers to etc hosts, additions must block both IPV4 and IPV6.

              We also have to realise privacy is dead.

              #148503
              Member
              sybok

                This is a bit of hijacking the original posts; posting anyway:
                1) Put the necessary commands in a script and automate using ‘cron’.
                2) /var/lib/dbus/machine-id is a symlink to the first file, it probably suffices to remove this symlink and create it again do nothing, no need to generate id twice.

                The id makes sense from a corporate point of view – we provide a service (RHEL with systemd) and it helps us to identify the problematic machine.
                But any fixed identifier (incl. MAC address) is a way of fingerprinting.

                • This reply was modified 1 week, 4 days ago by sybok. Reason: Symlink handling
                #148524
                Member
                Xunzi_23

                  Hi sybok, I put the two commands in the post as Mothership Debian has the id in two places.
                  antiX runs fine without the entry in etc /var/lib/dbus/machine-id is needed.
                  deletion.

                  As about privacy.
                  After reading more splurb from mozilla about latest and greatest privacy abiding release, some
                  results of checking where firefox can and often does connect to. Pretty certain the list is
                  incomplete, it may well vary between countrys. Mozilla breaks privacy and EU law by redirecting
                  too, same dirty trick used by there masters at google. I block IPV6 too.
                  Further input welcome.

                  #Mozilla
                  0.0.0.0 mozilla.org
                  0.0.0.0 autopush.prod.mozaws.net
                  0.0.0.0 crash-analysis.mozilla.com
                  0.0.0.0 crash-reports.allizom.org
                  0.0.0.0 crash-reports.mozilla.com
                  0.0.0.0 crash-stacks.mozilla.com
                  0.0.0.0 detectportal.firefox.com
                  0.0.0.0 detectportal.prod.mozaws.net
                  0.0.0.0 detectportal.firefox.com-v2.edgesuite.net
                  0.0.0.0 a1089.dscd.akamai.net
                  0.0.0.0 incoming.telemetry.mozilla.org
                  0.0.0.0 profile.accounts.firefox.com
                  0.0.0.0 accounts.firefox.com
                  0.0.0.0 topsites.services.mozilla.com
                  0.0.0.0 firefox.settings.services.mozilla.com
                  0.0.0.0 location.services.mozilla.com
                  0.0.0.0 push.services.mozilla.com
                  0.0.0.0 contile.services.mozilla.com
                  0.0.0.0 getpocket.cdn.mozilla.net
                  0.0.0.0 spocs.getpocket.com
                  0.0.0.0 firefox-settings-attachments.cdn.mozilla.net
                  0.0.0.0 content-signature-2.cdn.mozilla.net
                  0.0.0.0 detectportal.firefox.com
                  0.0.0.0 safebrowsing.googleapis.com
                  0.0.0.0 clients2.googleusercontent.com
                  0.0.0.0 sync-1-us-west1-g.sync.services.mozilla.com
                  0.0.0.0 ciscobinary.openh264.org
                  0.0.0.0 redirector.gvt1.com
                  0.0.0.0 doh.xfinity.com
                  0.0.0.0 private.canadianshield.cira.ca
                  0.0.0.0 services.addons.mozilla.org
                  0.0.0.0 contile-images.services.mozilla.com
                  0.0.0.0 token.services.mozilla.com
                  0.0.0.0 spocs.getpocket.com
                  0.0.0.0 feedback.mozilla.org
                  0.0.0.0 content-signature-2.cdn.mozilla.net
                  0.0.0.0 safebrowsing.googleapis.com
                  0.0.0.0 tracking-protection.cdn.mozilla.net
                  0.0.0.0 location.services.mozilla.com
                  0.0.0.0 redirector.gvt1.com
                  0.0.0.0 clients2.googleusercontent.com
                  0.0.0.0 contile-images.services.mozilla.com
                  0.0.0.0 firefox.settings.services.mozilla.com
                  0.0.0.0 location.services.mozilla.com
                  0.0.0.0 content-signature-2.cdn.mozilla.net
                  0.0.0.0 locprod1-elb-eu-west-1.prod.mozaws.net
                  0.0.0.0 d2nxq2uap88usk.cloudfront.net
                  0.0.0.0 ec2-52-35-220-92.us-west-2.compute.amazonaws.com
                  0.0.0.0 ec2-34-242-33-12.eu-west-1.compute.amazonaws.com
                  0.0.0.0 server-13-33-240-52.hel50.r.cloudfront.net
                  0.0.0.0 shavar.services.mozilla.com
                  #optiomal 0.0.0.0 support.mozilla.org
                  #optiomal 0.0.0.0 addons.mozilla.org
                  #optional 0.0.0.0 versioncheck.addons.mozilla.org
                  versioncheck can be toggled off for each addon from Firefox 115 ESR onwards,
                  Many thanks to iznit for pointing that out.

                  uBlock direct download is available from:
                  https://github.com/gorhill/uBlock/releases
                  My only other sometimes added extension on Firefox is Privacy Badger
                  https://www.eff.org/files/privacy-badger-latest.xpi

                  Adding below to the distribution folder PLUS using Arkenfox user.js
                  Brings ff to about same level as LibreWolf.

                  {
                    "policies": {
                      "DisableAppUpdate": true,
                      "DisableFirefoxAccounts": true,
                      "DisableTelemetry": true,
                      "DNSOverHTTPS": {
                        "Enabled": false,
                        "Locked": true
                      },
                      "DontCheckDefaultBrowser": true,
                      "NetworkPrediction": false,
                      "PromptForDownloadLocation": true,
                      "SearchEngines": {
                        "PreventInstalls": true
                      },
                      "SearchSuggestEnabled": false,
                      "NetworkPrediction": false
                    }
                  }
                  
                  • This reply was modified 1 week, 4 days ago by Xunzi_23.
                  #148537
                  Member
                  iznit

                    Thank you sybok, agree it would be nicer to link previous posts,
                    personal preference would be we had a sticky Browser and privacy
                    theme, so much useful information is buried in the depths of the forum.

                    @anticapitalista Please consider creating a “Web Browsers and Internet Privacy” subforum under General. Xunzi_23 and sybok could stand as as moderators and manage its content.

                    #148539
                    Member
                    iznit

                      @Xunzi_23 please edit the list in July 11 post to remove the trailing slashes from these HOSTS file entries

                      0.0.0.0 safebrowsing.googleapis.com/
                      0.0.0.0 tracking-protection.cdn.mozilla.net/
                      0.0.0.0 location.services.mozilla.com/
                      0.0.0.0 redirector.gvt1.com/
                      0.0.0.0 clients2.googleusercontent.com/
                      0.0.0.0 contile-images.services.mozilla.com/

                      Also, for general use, it’s probably counterproductive to advise blocking these
                      0.0.0.0 support.mozilla.org
                      0.0.0.0 addons.mozilla.org
                      So consider at least moving those to the end of your list and inserting a # comment line right above them stating “optional, not recommended for general use” or something like that.

                      Encouraging general users to block “versioncheck.addons.mozilla.org” is probably counterproductive also. Maybe that should be flagged as optional along with the other two. I write “maybe” because at firefox 115 ESR we can toggle off “automatically check for updates” for each individual installed addon, and I have done so and have never observed firefox attempting to contact that domain (((which leads me to believe it’s not using that domain to check updates for any “hidden” addons))).

                      #148545
                      Member
                      Xunzi_23

                        iznit, many thanks for your expertise and valued advice.
                        previous post edited, hope I did not miss anything, tired today :-).

                        “Web Browsers and Internet Privacy” subforum under General would be very helpful
                        in keeping information accessible.

                        The subject of trying to keep ourselves safe and retaining good functionality and site compatibility
                        is huge and even just concentrating on Firefox the goalposts move very rapidly.

                        Sybok is correct in pointing out it would be helpful to keep a trail by linking previous posts,
                        reality is I sometimes can not find older posts myself even after using different meta search
                        engines. Forum search is mostly not helpful..

                        Firefox and LibreWolf are the only viable, and fully accepted alternative to chrome based products.
                        Google is pushing ads in every possible manner, trying to make ad blockers ineffective and
                        accidentaly finding ways to prevent you tube usage in those browsers, we have a lot of change to
                        keep up with. Another challenge or more annoyance will be Inline Advertizing.

                        Hopefully Peer tube gets better fast.

                        Further related subject
                        https://www.antixforum.com/forums/topic/mozilla-using-remote-settings-scumbags/#post-114302
                        I was rather angry my profile and settings were remotely reset/negated.

                      Viewing 10 posts - 1 through 10 (of 10 total)
                      • You must be logged in to reply to this topic.