D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
A vulnerability has been identified in the uBlock Origin system for blocking unwanted content that could crash or run out of memory when navigating a specially crafted URL if the URL falls under the "strict blocking" filters. The vulnerability only manifests itself when you go directly to the problematic URL, for example, when you click on a link.
The vulnerability was fixed in the uBlock Origin 1.36.2 update . The uMatrix add-on is also affected by the same problem, but its maintenance has been discontinued and updates are no longer released . There are no workarounds in uMatrix (it was originally suggested to disable all strict blocking filters through the "Assets" tab, but this recommendation was deemed insufficient and creates problems for users with their own blocking rules). In ηMatrix , a fork of uMatrix from the Pale Moon project, the vulnerability was fixed in the 4.4.9 release.
A strong blocking filter is usually defined at the domain level and is meant to deny all connections, even if you follow a link directly. The vulnerability is caused by the fact that, when navigating to a page that is eligible for a strict blocking filter, a warning is displayed to the user, which provides information about the blocked resource, including the URL and request parameters. The problem is that uBlock Origin parses the request parameters recursively and adds them to the DOM tree without regard to the nesting level.
When handling a specially crafted URL in uBlock Origin for Chrome, it is possible for the browser add-on to crash. After the crash, until the process with the add-on is restarted, the user is left without blocking unwanted content. Firefox is running out of memory.
[1]https://opennet.ru/55498-ublock/
[2]https://www.opennet.ru/opennews/art.shtml?num=55498
[3]https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc
The vulnerability was fixed in the uBlock Origin 1.36.2 update . The uMatrix add-on is also affected by the same problem, but its maintenance has been discontinued and updates are no longer released . There are no workarounds in uMatrix (it was originally suggested to disable all strict blocking filters through the "Assets" tab, but this recommendation was deemed insufficient and creates problems for users with their own blocking rules). In ηMatrix , a fork of uMatrix from the Pale Moon project, the vulnerability was fixed in the 4.4.9 release.
A strong blocking filter is usually defined at the domain level and is meant to deny all connections, even if you follow a link directly. The vulnerability is caused by the fact that, when navigating to a page that is eligible for a strict blocking filter, a warning is displayed to the user, which provides information about the blocked resource, including the URL and request parameters. The problem is that uBlock Origin parses the request parameters recursively and adds them to the DOM tree without regard to the nesting level.
When handling a specially crafted URL in uBlock Origin for Chrome, it is possible for the browser add-on to crash. After the crash, until the process with the add-on is restarted, the user is left without blocking unwanted content. Firefox is running out of memory.
[1]https://opennet.ru/55498-ublock/
[2]https://www.opennet.ru/opennews/art.shtml?num=55498
[3]https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc