Sampei.Nihira

What was the problem in the WebP library? The root of the issue lies within the "BuildHuffmanTable" function which was first introduced in 2014, the function is used to verify if the data is accurate. The vulnerability can occur when more memory is allocated if the table isn't sufficiently large for valid data. The commit that introduces the fix can be seen here. The original code optimized a Huffman decoder that uses a common technique: it reads several bits ahead to determine how many bits to consume and what symbol to decode. The older version utilized lookup tables for short symbols, while longer ones required a more complex graph traversal. The newer version streamlined this process by employing an array of lookup tables. Each entry in this table contains details about bits and values, and if the number of bits surpasses a certain limit, the value is interpreted differently. The new version determined the maximum number of entries by counting symbols. However, because the Huffman tree comes from an untrusted source, situations could arise where the number of bits is excessively large. The VP8 Lossless allows up to 15 bits, which means the largest table can have many entries, more than it should. Interestingly, while there was a mode in the code to only calculate the table size, it was not used, and a fixed size was assumed, leading to potential overflows. The reason behind these changes was to optimize the Huffman decoding step, a crucial and computationally intensive part of compression formats. Though the optimization technique is recognized, longer codes are generally not given priority because they don't often appear. The original code update argued against this belief, and it was accepted. The issue highlighted isn't something that just using a memory-safe language could prevent. It's a unique scenario where avoiding overflow checks is desired. However, while the actual solution didn't change the function, ensuring the safety of the tight loop remains critical. Wrong justification for such safety measures can lead to problems. Google has confirmed the existence of an exploit for CVE-2023-4863 in the wild. If the unpatched browser is put on the Anti-Exploit list, it almost certainly turns out to be protected. Theoretically if a malformed web page is encountered with the exploit the web browser should shut down. At least this would be the behavior with WD exploit protection.

When I provided Roytam1 with Thunderbird's OAuth authentication support code, it was possible to get it into MailNews. My area is IT Security,you have to ask the web browsers developers.

For you who use browsers that are probably not already patched, I am including the fix that is valid for Chromium-based browsers: https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a https://github.com/webmproject/libwebp/releases/tag/v1.3.2 For Firefox: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566 P.S. Pale Moon has already fixed this vulnerability.

If available,try using PowerShell.

Thank you for your answers. Please try your methods with twitter which is very stubborn in adding search engines. @NotHereToPlayGames Can you explain how to perform a test with Edge? TH.

Thank you for your response. There is also this list to put in uBlock Origin: https://www.i-dont-care-about-cookies.eu/abp/ But it doesn't solve the problem. In the case I could have extracted the rules that prevented the consensus display. In chromium-based browsers you can block Google.com/en cookies and the Google translator web page consent is also prevented. In Firefox there is a different handling with cookies,probably introduced with Total Cookie Protection. If you block third-party cookies (you can do it in custom) you give up Total Cookie protection. But even doing that I couldn't. This is not my area of expertise so I need help. I don't use that translator but that's just the way I am,this forcing bothers me. .

Hi to all. Does any forum member know the method to block Google consent also via some rules in uBlock Origin? https://translate.google.com/

There is a problem with FF 113 and W.7. Read the comments: https://www.ghacks.net/2023/05/09/firefox-113-ships-with-security-accessibility-and-av1-improvements/#comments

This question is OT. And I would not usually answer it. I recently returned from a trip to Sicily (3 hours from the city where Giorgio Maone resides) so I will make an exception for you. I would use (but do not use) this extension: https://chrome.google.com/webstore/detail/skip-redirect/jaoafjdoijdconemdmodhbfpianehlon

The rules I have,some time ago,added to uBlock Origin did not prevent the automatic addition of some search engines,so I went back to the extension. I probably don't have the expertise to do this work. Certainly mr. Hill himself could do it (but I know his grumpy nature so he wouldn't). Another candidate who might succeed would be Yuki2718.

It is very simple to check if the blocking rule (inserted in my filters) is working. Open the browser development tools and reload our MSFN forum. In the images below I show you how this is done. Rule up and running: uBO without the blocking rule: Then it is obvious that if you check the API (BrowserLeaks.com - test Features Detection) this is present and working.

For all websites considered 2 years ago. The extension is stopped in its development in April 2021. In this matter,as you know,2 years almost corresponds to the Jurassic period.......

https://blogs.windows.com/windows-insider/2018/02/14/announcing-windows-10-insider-preview-build-17101-fast-build-17604-skip-ahead/

I recently activated this plan that is usually hidden. Info on how to make this change can be found on the net. I also improved the performance (but not at the expense of security) of my web browser,Edge. It is interesting to consider from a survey I created on Wilders Security Forum that only one other user uses this power plan. The majority of users use the recommended power plan.

I have a question. Why do you question (mistakenly) my expertise in security/privacy? You get the opposite purpose. I understand (well) the degree of expertise of others. It would probably be more useful to ask for explanations or to do research on the net. Having clarified the above,the explanation that should not be necessary, the rule I wrote has general validity. Only the rule for whitelisting is obviously specific. Every website that needs a consent rule,then,must be added with the exact same syntax.

Because you don't need a browser extension, moreover outdated,to block SW. A simple rule in uBlock Origin is enough: ||$csp=worker-src 'none',domain=~whitelistthisdomain.com But the biggest problem is understanding when a malfunctioning website needs Service Workers. It is difficult especially if you have subjected the browser to considerable customization.

In Chrome they tell me that ECH activation works. So you don't enter the command line parameter in the correct way. P.S. Or you have not enabled the necessary flags.

More test to verify ECH: https://tls-ech.dev/ If it works in Edge,it also works in Chrome.

I would prefer an updated extension that prevents bookmarks/history/folders from being added to my browser:

Problems for uBlock Origin in the CWS: https://github.com/gorhill/uBlock/releases/tag/1.48.4 UBO in my Edge (Microsoft Store) is already updated to the latest version 1.48.4: I also report that at the Chrome Extensions Detection test: https://browserleaks.com/chrome I have no detection of extensions. P.S. I have no idea if uBlock Origin can be installed in Chromium-based browsers (not Edge) from the Microsoft Store. But personally with respect to Gorhill's advice (switch browser) I would recommend forum members to install the latest version of UBO from Github.

What does it have to do with forgiving you? I replied to you 2 times and I point out to my first reply you even quoted me. Whatever. I also point out to you that I answered your question in full. You, on the other hand, did not write to me that you did what I had graciously told you to do. Not that you have to do it,but at least some education.......

@msfntor Vision problems? Or memory problems?

All those extensions to fingerprinting functionality.

One extension against web fingerprinting. Try disabling all same-functionality extensions. One extension (I recommend uBlock origin) against ads/trackers.

https://www.ghacks.net/2023/03/28/firefox-to-support-windows-7-and-8-systems-well-into-2024-at-least/