Mozilla Firefox 13 Set to Improve Security with ASLR
From the 'Random is Good' files:
Add-ons have long been the weakest link in the chain of Firefox security. In Firefox 13, Mozilla is to close the gap a little tighter by forcing add-ons to do something they should have been doing all along:
Implement ASLR (Address Space Layout Randomization).
ASLR is an important (and common) way to help prevent memory attacks, which more often than not are used as the basis for many modern attack vectors. If memory is always in the same register (as opposed to being randomized), it's easy to target use-after-free type attacks.
As of Firefox 13, ASLR will be mandatory for add-on developers to include. As such, Firefox 13 will not load any XPCOM component DLLs that aren't running with ASLR.
Why that's important to note is that implementing the ASLR gate will likely break a pile of add-ons that aren't implementing ASLR today. Firefox 13 is currently set for release on April 24th 2012.
That change will also mean that add-ons built for Firefox 13 will NOT all necessarily work on the Firefox ESR Enterprise release. Firefox ESR is based on Firefox 10 which does not have the ASLR requirement for add-ons. It will likely take until 2013, when the next major release of Firefox ESR is out until the ASLR requirement comes to enterprise users.
Yes, I think this will lead to some confusion, but not much. It means that add-ons devs that only care about the enterprise have time (as they can just focus on the non-ASLR version). If they care about all Firefox users, they can build to the new specs, but that doesn't necessarily mean two versions of the same add-ons, as the ASLR requirement *might* not always break backwards compatibility.