Browser Extension uBlock Origin (and uMatrix) DoS with Strict-Blocking Filter and Crafted URL

by
martyb
from SoylentNews on (#5M7SC)

An Anonymous Coward writes:

uBlock Origin (and uMatrix) DoS With Strict-Blocking Filter and Crafted URL (Archived).

uBlock Origin (uBO) is a browser extension that blocks ads, security risks, privacy risks, and other web annoyances. One of its features is "strict blocking," which prevents all connections (including direct navigations) to resources that match strict filters.

Strict filters are most often used to block sites that perform affiliate redirects, serve malware, or are otherwise undesirable to visit. They are typically applied at the domain level (e.g., googlesyndication.com) and tend to resemble entries in hosts files, though they can also target more specific resources.

Strict blocking works by opening a warning page that provides information about the blocked resource, including its URL and the filter that prevented the resource from loading. The warning page also displays query parameters from the blocked URL to help users bypass redirect tracking.

In earlier versions of uBO, these parameters were parsed recursively and added to the DOM without any depth checks, which could lead to extension crashes and memory exhaustion, depending on the browser and hardware. uMatrix and Matrix, a fork of uMatrix compatible with Pale Moon, share similar code for displaying parsed URL parameters.

Users should upgrade to uBO 1.36.2 and Matrix 4.4.9 to receive fixes for this security vulnerability, which affects the default configurations of both extensions. The uBO Edge extension and the uBO (Legacy) extension have separate release processes and are still vulnerable.

The story source URL has Discussion, Vulnerability [Code], Impact and scope, PoCs and so forth.
