  • uMatrix has an unfixed vulnerability: here is a workaround


    Karlston

    • 515 views
    • 3 minutes

    Raymond Hill's uBlock Origin and uMatrix browser extensions are popular content blockers. While uBlock Origin is maintained actively by Hill, uMatrix development ended in 2020. A fork, nMatrix, designed for the Pale Moon browser, is still maintained.

     

    The uMatrix browser extension is still in use. Google's Chrome Web Store, where it is still listed, shows that it has more than 100,000 users, a figure that may be higher because Google does not display the total number of users publicly. The Firefox extension, for which I wrote a guide in 2017, has more than 29,000 users at the time of writing.

     


     

    A security researcher discovered a vulnerability in all three extensions. The vulnerability exploits code used by the extensions' strict blocking feature. Strict blocking prevents all connections to resources that match the filter. Default installations of the extensions use filter lists that include strict blocking filters.

     

    According to the researcher, an attacker may exploit the vulnerability to crash the extension or cause memory exhaustion. When the extension crashes, users are left without protection until it is reloaded.

     

    Exploitation requires user interaction, e.g. clicking on a link.

    The strict-blocking warning page is only displayed when direct navigations are blocked. This means that malicious hosts would need to induce users to trigger a navigation somehow, such as by clicking a link. iframes are classified as sub-documents and do not trigger the warning page, which should make it harder for malicious hosts to exploit this vulnerability in the background.

    The researcher tested a proof of concept for the vulnerability against Chrome, Firefox and Pale Moon. Only the Chrome extension crashed during tests.

     

    Raymond Hill was notified before the security issue was disclosed publicly, and a fix was created for uBlock Origin within one day and published the next. The maintainer of nMatrix published an update to the Pale Moon add-ons site that fixed the issue in the extension as well.

     

    The uMatrix extension is not maintained anymore, which means that it is still vulnerable and will remain so.

     

    How to mitigate the vulnerability

     

    The researcher notes that users can mitigate the issue by disabling all filter lists on the "Assets" tab of the uMatrix dashboard. Subscribing to malware or multi-purpose filter lists in uBlock Origin may offset some of the blocking coverage lost through that change.

    To mitigate the vulnerability for now, users can disable uMatrix’s strict-blocking support by unselecting all of the filter lists on the "Assets" tab in the uMatrix dashboard. They can also enable all of the "Malware domains" and "Multipurpose" filter lists in uBlock Origin to help offset the lost filtering coverage.

    Closing Words

    With development having ended some time ago, it may be time to move from uMatrix to a different extension for content blocking, especially now that it has an unpatched vulnerability. While it seems unlikely that the vulnerability will be exploited in large-scale attacks, it is still something that users need to be aware of.

     

     
