Microsoft begins Manifest v3 tests in Edge that impacts extensions like content blockers

Martin Brinkmann
Oct 15, 2020
Internet, Microsoft Edge

Microsoft announced today that extension developers are now able to test the new extension manifest v3 in the company's Edge browser.

When Google announced Manifest v3 for extensions back in January 2019, concern was voiced almost immediately over the company's plans. High profile extension creators such as Raymond Hill, best known for his work on uBlock Origin, stated that extensions like his would no longer be usable after the changes landed in Google Chrome. The new API had a limit of 30,000 rules whereas popular filter lists had 70,000 rules or more. Additionally, users can combine multiple filter lists and that would raise the limit even further. Google raised the limit to 150,000 in mid 2019 as a consequence.

Google plans to introduce a new API for content blocking activities in Chrome and deprecate the old one that all content blockers and other privacy and security extensions are using currently.

manifest v3 edge content blockers

Mozilla, and some Chromium-based browser makers such as Opera, Vivaldi, and Brave, reassured users that they would not follow Google's lead on this.

Google implemented Manifest v3 in Chrome Canary 80 which it released back in November 2019. The implementation was primarily designed for extension developers to test their extensions against the new manifest file.

Microsoft announced that the Manifest V3 changes are available in the company's new Edge browser for testing. The changes are available for testing in the Beta and Stable channels of Microsoft Edge.

  • Microsoft Edge 84 Stable -- DNR (Declarative Net Request) API is available.
  • Microsoft Edge 85 Beta -- Header modification support is available.

Microsoft encourages developers to check out Google's Migrating to Manifest V3 document as it provides information needed to migrate extensions to the new Manifest v3.

Microsoft states that the changes won't "compromise the capabilities" of extensions or "reduce the potential that the ecosystem has".  The company believes that most concerns that developers of content blockers and the community raised are resolved or will be resolved before the currently used Web Request API is deprecated.

Manifest V3 introduces new security concepts that improve user privacy and security. Extensions may no longer use remotely hosted code, controls are introduced to allow or restrict extension access to websites at runtime, and extensions will have the same permissions as the page they are injected into. Google has yet to decide on the Manifest v2 end of life date.

Now You: Is Manifest v3 still the end of content blockers? What is your take on the development?

Microsoft begins Manifest v3 tests in Edge that impacts extensions like content blockers
Article Name
Microsoft begins Manifest v3 tests in Edge that impacts extensions like content blockers
Microsoft announced today that extension developers are now able to test the new extension manifest v3 in the company's Edge browser.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. ULBoom said on October 17, 2020 at 3:20 am

    ‘reduce the potential that the ecosystem has’

    Oh, OK, that makes me feel much better. Better because “experience” was left out.

    Dangling preposition and all, it means exactly nothing so I can make it say whatever I want.

    Trust a company that constantly writes claptrap such as this? Not even a little bit, I want my ecosystem’s potential raised!


  2. John C. said on October 16, 2020 at 8:31 am

    “Microsoft states that the changes won’t ‘compromise the capabilities’ of extensions or ‘reduce the potential that the ecosystem has’.”

    What both Google and Microsoft are hoping is for ad-blocking extension developers to quit maintaining their extensions due to exhaustion. Continually switching horses in the middle of the stream the way the two “tech giants” are doing will accomplish just that.

    “Do no evil” truly has become “We have a new policy”.

    1. NickP said on October 16, 2020 at 8:08 pm

      M$ has always been evil. They have invented cancer in software (linux), they tried to lock the internet when they had the power to do it with ActiveX, Silverlight and ‘this site works with Internet Explorer’. Google is the new evil chilld on the block, they learned from the best.

  3. Mike W. said on October 16, 2020 at 1:15 am

    Probably worth noting that Vivaldi, Brave, & Opera are not going to stand in the way of this either. Vivaldi has come out and said that they won’t reverse the change in the Chromium code when the switch is flipped, which is why they implemented a built-in content blocker (that works like crap right now, but at least they have some time to tweak it).

    I expect Opera is the same, where one day uBlock Origin may not work, but they will point you to the built-in version. Brave may hold out longer since they seem the most dedicated to it, but I still think in the end they will give up the ghost and point people to Brave Shields as a suitable replacement.

    1. Anonymous said on October 16, 2020 at 5:54 am

      Brave’s adblocker only needs few features to be on par with what uBlock and others offer, it will be the first chromium browser to have CNAME filtering aswell and reading their past blog posts is clear the research they are doing to improve the efficiency and performance of the brave adblocker compare to what other adblockers do, will be beneficial for anyone. But Brave uses the same list uBlock uses, so what it blocks should be almost identical to uBlock. Sometimes it even blocks more than it should, and that’s what they should tweak and fix so people don’t have to turn it off.
      But why would anyone want to use uBlock unless you want the few extra features? most would be fine with just builtin Brave adblocker so nothing to lose there, it is not like uBlock should be protected or anything if companies can do a similar or better job like Brave promises they will.

      That’s the price they have to pay for choosing Chromium after trying Gecko, 4 years ago or so. But at least Brave has a decent adblocker not to worry if manifest v3 happens or not. the ones that should worry is uBlock since we all know Mozilla will go this route eventually since they want to be google so bad or maybe it is the google money they get.

      1. Mike W. said on October 16, 2020 at 10:53 am

        Brave ain’t exactly saints either in taking Peter Thiels money or the other VC bucks they take in to keep the lights on. Google sucks. Peter Thiel sucks. Until the model for funding web browser development changes, it’s always going to be a case of bigger web browser development companies needing to wade into the mud a little bit to keep the lights on and staff paid.

      2. Iron Heart said on October 16, 2020 at 12:31 pm

        @Mike W.

        I think you can’t escape the need for money once your organization reaches a certain size. Vivaldi or Brave are browsers that modify Chromium in significant ways, and in order to maintain their changes, they need a developer team, and the developers want to get paid.

        If commercial interest being involved is a problem in general, one has no choice but to use hobby projects, e.g. Ungoogled Chromium. UC is being developed by a single person in his free time, however, that also means that the scope of changes which can be introduced to Chromium here is limited. Wider changes require more maintenance, requiring more developers.

        As for Peter Thiel, he is one of the investors of Brave Software, though it should be noted that he is invested in a great many things. The BAT ecosystems is one of the few utilizations of crypto tokens that actually make sense and have potential to grow, I think Thiel invests in that more than in anything else.

        I also think we should separate the art from the artist; as long as there are no changes to Brave that are anti-user, I give it the benefit of the doubt. Of note: I did the same with Firefox, I used it for quite a while despite not being fully convinced (to put it mildly) of their leadership or the way they funded themselves since forever, I only decided to drop it when blatant anti-user changes took place. Would do the same with Brave if it ever comes down to it.

  4. Anonymous said on October 16, 2020 at 12:44 am

    “Mozilla, and some Chromium-based browser makers such as Opera, Vivaldi, and Brave, reassured users that they would not follow Google’s lead on this.”

    What they said, “We have no immediate plans to remove blocking webRequest” does not mean that they won’t follow Google’s lead on this later.

  5. Anonymous said on October 15, 2020 at 7:48 pm

    >Manifest V3 introduces new security concepts that improve user privacy and security. Extensions may no longer use remotely hosted code

    This is ile! There is nothing preventing this “concept” already with Manifest v2 as can be clearly seen on Firefox AMO.

    1. No ile said on October 30, 2020 at 6:32 pm

      It isn ile.

    2. Iron Heart said on October 15, 2020 at 9:05 pm


      There are other security improvements in Manifest V3 as well, one example: Extensions can no longer directly intercept traffic.

      It’s not limited to what you’ve mentioned.

  6. Nelly Uche said on October 15, 2020 at 2:38 pm

    As should be expected. You just can’t go around throwing flares because Microsoft has taken legitimate steps in business _ something many other companies out there have been lauded for.
    I must say, though, it might prove a bit of too much bite to chew for a lot of people.

  7. Anonymous said on October 15, 2020 at 2:05 pm

    This is why having one browser engine dominant is a bad thing. Hopefully US Justice Department forces Google to sell Chrome and their advertising business. That way Chrome developers can no longer be arrogant with these idiotic”security” improvements.

    1. Anonymous said on October 15, 2020 at 4:02 pm

      this isn’t google’s fault too lmao. it’s 100% microsoft’s. microsoft could avoid it by adding an adblocker like brave, vivaldi and opera have done. they LIKE v3. they LOVE v3.
      btw, google is a small fish compared to microsoft, amazon, apple. google value is 1 billion when microsoft’s is 1,5 billion and apple 1,7 billion.
      maybe microsoft should be split lmao, office should be a seperate company to finally become available in all operating systems and to be sold in reasonable prices.

      1. Mike W. said on October 16, 2020 at 3:20 am


        The content blockers found in Vivaldi & Opera are trash. Brave is better, but it’s still behind uBlock Origin on many fronts. Microsoft adding a content blocker means diddly-squat if it’s a crap blocker.

        Besides, the future of content blocking on Chrome & Edge likely looks like it does on Safari. Not great, nowhere near as good as uBlock, but some development team will be able to come up with a solution that works decently enough (see AdGuard for Safari).

    2. Iron Heart said on October 15, 2020 at 2:53 pm


      There are two fundamental things wrong with this comment:

      1) Chrome is actually based on Chromium, which is an open source project. Anyone can take the code of the latter and modify it as they please. This is what other Chromium-based browsers like MS Edge, Vivaldi, Opera, Brave etc. do. Google potentially splitting Chrome would not necessarily mean the end of Chromium’s dominance, e.g. MS Edge is currently rising. Also note that splitting Chrome from Google would not necessarily ban Google from contributing to Chromium, meaning they would still influence its direction.

      2) A separate company developing Chrome would have to fund itself somehow, most likely via search engine royalties coming from, you guessed correctly… Google. That’s how Firefox is currently being funded, that’s how a “Chrome company” separate from Google would be funded.

      1. Anonymous said on October 15, 2020 at 10:37 pm

        Overtime maintaining a fork version of Chromium gets complicated.

      2. Iron Heart said on October 16, 2020 at 9:53 am


        > Overtime maintaining a fork version of Chromium gets complicated.

        They won’t necessarily have to fork upstream. All the other Chromium browsers have to do is to keep their native adblockers working, I suspect that this will only require minimal modifications if any. Remember that the native adblockers in those browsers have nothing to do with extension APIs.

  8. Bingo said on October 15, 2020 at 12:11 pm

    I don’t understand why there are people who thought that Microsoft is not going to do this.
    Microsoft is an advertising company too.
    People who recommend Edge over Chrome for privacy reasons are stupid or Microsoft fanboys.

    1. Mike W. said on October 16, 2020 at 1:11 am


      I’m not a Microsoft fanboy, nor do I think I am stupid, but I do fall in the group that recommends Edge over Chrome is those are your only 2 choices. Which, in many corporate environments, is simply the case.

      Are there better options for privacy (Firefox, Brave, etc.)? Sure, but I know a lot of IT departments will only allow people to use Chrome or Edge and in that scenario, I do trust Microsoft (every so slightly more) over Google when it comes to privacy.

      At the end of the day it’s really a choice of getting punched in the nose or the mouth though.

      1. Bingo said on October 16, 2020 at 8:21 am

        You trust Microsoft more because you are a fanboy or because you are so depentant of Office and Windows and try to fool yourself.
        Microsoft faces a lawsuit for giving access of Office365 Business accounts to Facebook.
        Nor even Google has gone that low.

      2. Mike W. said on October 16, 2020 at 10:49 am

        Comparing Google and Microsoft is a fool’s errand. Google just got caught this week giving search history data about users to police in the US. If we go down this road it will take all day and nobody will be better off. Neither Google or Microsoft are your friends and I never claimed otherwise, but I stand by that if given the choice I would still use Edge over Chrome. But, like I said it’s really a choice of getting stabbed or shot, ideally you would choose neither.

      3. DaveNavas said on October 16, 2020 at 9:54 pm

        so basically you are using the same browser and getting tracked by both Microsoft and Google at the same time, lol

      4. Bingo said on October 16, 2020 at 11:27 am

        And 1 last thing Mike I forgot, giving data to the police is the same like selling data to Facebook? Seriously?
        Everybody should give the data to the police if police asks them, what do you think Google, Microsoft etc are? An offshore in the Carribean?

      5. Mike W. said on October 17, 2020 at 5:02 am


        Facebook is the scum of the earth and that company shouldn’t exist. But Facebook cannot show up at my door and detain me because the police department did a phishing expedition where they asked for the IP addresses of every Google user who searched for a specific property in the last 7 days.

        Debating who is more evil Microsoft or Google is a waste of your time and a waste of my time. Clearly you place more trust in Google than I do, but at the end of the day I have made clear that I sure as hell don’t trust either company and try to provide them with as little data as possible.

      6. Bingo said on October 17, 2020 at 8:03 am

        @Mike W.
        I don’t trust both. They both are privacy nightmares.
        There is no middle ground on this, as a company you are privacy focused or not.
        Of course debating to who is more evil makes no sense, I am not the one trying to portray Microsoft as less evil, you are.
        Both are privacy nightmares and both should be avoided equaly if you don’t want to be tracked.
        The police department should come to your door if you are involved in illegal activities.
        Microsoft has no right to give my data I agreed to give to them to other private companies, that’s the definition of privacy invasion and misuse of my data.
        It’s privacy invasion and illegal, that’s the reason there is a lawsuit pending against them,

      7. Bingo said on October 16, 2020 at 11:21 am

        Stand to Microsoft as much as you like, not my problem.
        The truth is that they both have nothing to do with privacy and sell ads.
        Why would you use Edge? We are talking about privacy here.
        There is nothing objectively better privacy wise in Edge, except your “trust” to Microsoft.

      8. Mike W. said on October 17, 2020 at 4:55 am


        Because in most enterprise environments you have 3 options for web browsers. Chrome, Edge & Firefox. Firefox is slowly getting pushed out in some corporate environments in favor of Chrome or Edge. I have made it clear that I was referencing corporate environments from the very start and how most enterprises trust (fairly or unfairly) Microsoft more than Google.

        I don’t understand what you aren’t getting about my point. If someone only had 2 web browsers to choose from Edge or Chrome, I think it stands to reason that the company that makes 99% of their income from enterprises is going to be considered more trustworthy in that environment than a company that makes 99% of their income from targeted ads.

      9. Iron Heart said on October 16, 2020 at 11:55 am


        I agree that nobody should use Edge or Chrome, unless there is no other choice (as is the case in most companies). If you use any of the two, consider your privacy to be invaded no matter what. No private person should be using them, but what can you do?

        @Mike W.

        Edge is better than Chrome on Android by virtue of having an adblocker. On the desktop, both are equally horrible. I understand though that sometimes people have no choice but to use them, especially in professional environments.

    2. Allwynd said on October 15, 2020 at 2:04 pm

      I still laugh when I see people who praise Edge as the new king of the browsers… it’s still quite funny. xD

      I realized that it’s going to be intrusive trash when I signed in for Sync and without asking me it changed my Local Windows 10 account into a Microsoft Windows 10 account. After that I uninstalled Edge and had to migrate to a new Local Windows 10 account, because it was irreversible.

  9. Paul(us) said on October 15, 2020 at 11:36 am

    Its quit clear that like always Google chairholders want the the hole of the advertisement market and how better to control it than with your own content blocker. I cant find the prove (Yet!) but I am starting to think that adblock, is in Google there (Chariholders) hands.

    That its for the user much more infections dangerous is maybe even there target because maybe Google has probably a economic pact with Microsoft to change the o.s. from laptop, desktop, etc to a cloud envouriment completly.

    Those thought just come because of the behavour from multinational coperate behavoir (Like Google and Microsoft) over more than thirty year.
    Fore more insights read the ideas from Rutger Bregman:

  10. Anonymous said on October 15, 2020 at 10:33 am

    Google and MS and others want to unlock the remaining 10-20% of the market which are currently using ad-block solutions.

    So what they do one the one hand is destroying the old APIs, and on the other hand they make ads a bit less annoying and more secure.

    Ad-Blockers are not going extinct but addons like ABP will get more users, which will help google.

    There will always be a minority who uses sophisticated solutions, and maybe in the future those will at least be left alone.

  11. asd said on October 15, 2020 at 10:16 am

    While this is sad news, I’m gonna continue to Edge. I’ll probably only return to Firefox if the adblock situation becomes untenable.

  12. Yuliya said on October 15, 2020 at 9:49 am

    I don’t use any content blockers, all are terrible at this point. My OS deals with all the filtering. It’s way faster with no performance penalty.

    1. John said on October 15, 2020 at 10:45 am

      What OS are you using?

      1. Yuliya said on October 15, 2020 at 1:16 pm

        Windows LTSC 1809

      2. Robert Morris said on October 15, 2020 at 12:56 pm

        A pirated version of LTSC, probably.

      3. John said on October 16, 2020 at 8:55 am

        @Robert Morris Pirated? Lol, there is no “legal” version, because it is only available for businesses. :)
        @Yuliya you know it is illegal to use this version for non-businesses? What if MS will block it?

      4. Jack said on October 30, 2020 at 6:30 pm


        How can you say that Yuliya has pirated Windows? You don’t know the details about her licence and business.

  13. Anonymous said on October 15, 2020 at 9:35 am

    Microsoft following and copying google at their worse. In no time microsoft edge will be as bloated and as resource-heavy as chrome.

    1. Allwynd said on October 15, 2020 at 2:00 pm

      Except that Chrome is neither bloated or resource-heavy. That was probably somewhat true around 2013-2015 when Chrome had a lot of leftover code that caused it to use more RAM, but around 2016-2017, they did some source code clean up to improve its performance and reduce resource usage by around 30%. I used Chrome at the time and even before and after this change, I never experienced Chrome being slow or using too much resources.

      Nowadays it uses as much as Firefox or even less than it. This myth about Chrome being a resource hog needs to end. The real problems of Chrome are that they are going down the path of Firefox where they think they can decide what is good for their users and start removing useful features or change them to be less useful or introduce ones that nobody uses.

      With Chrome 86, they started blocking “unsafe downloads” and that was the reason I stopped using Chrome and moved to Vivaldi. If this V3 Manifest makes extensions like Nano Adblocker, Nano Defender, Privacy Badge and uBlock Origin stop working properly, then I don’t know what I’m gonna do. I hope that browsers like Vivaldi and Brave will hold on and not implement these things, but if they are eventually forced and extension developers can’t do anything to bypass this, it’s going to get really messy in the future.

      And I will not tolerate using the web and seeing ads so if there are no solutions, I will outright reduce my browsing to a minimum.

      1. Anonymous said on October 16, 2020 at 2:36 am

        You mention here Nano Adblocker/Defender.
        Are you aware that recently the author has left his extensions and transferred the ownership to unknown people, without informing his users?

        Quite some people are pretty angry about this betrayal.
        So Nano is unsafe and history, back to uBlock Origin !!

      2. Iron Heart said on October 16, 2020 at 9:29 am


        Yep, the developer sold out very recently and Nano Adblocker + Nano Defender, as well as all related filter lists, CAN’T BE RECOMMENDED ANYMORE. I didn’t know this at the time of writing above comment. I won’t recommend them anymore from this day forward. Shame on the sellout developer who puts his users at risk!

      3. Barton said on October 15, 2020 at 6:01 pm

        @Allwynd How could you say that Chrome isn’t bloated nor resource heavy? Go check how many unnecessary stuff running in the background even after you close the browser.

      4. ULBoom said on October 17, 2020 at 2:58 am

        Find all the 500 or so (/s) caches in Chromium, make a bat file and place it on your desktop to clear them whenever. Make a copy, take ownership and block System’s access since Windows loves to obliterate bat files. Chromium does not clear caches at close even if set to do so, as FF does, only after it reopens and scours your history first.

      5. Iron Heart said on October 15, 2020 at 2:28 pm


        Adblocking extensions will become redundant thanks to internal adblocking improving. System-wide solutions like AdGuard will also continue to work. No idea about Privacy Badger, though I see little point in it anyway, as most of the things it blocks should already be on some rule list of your adblocker (internal or extension).

      6. DDearborn said on October 15, 2020 at 3:30 pm


        Your assertion that adblocking extensions will be redundant is illogical in the face of the facts. And frankly, I am baffled when someone suggests that the likes of Microsoft and Google will ever stop spying on, stealing data from and manipulating users (or allowing other paying 3rd parties to do so) given the long, long, long and sordid history of the likes of Microsoft and Google committing massive and incredibly invasive violations of consumer privacy as a matter of routine.

        It should be painfully obvious to all that primary purpose of Manifest V3 is to further limit/handicap the users ability to override the browser and thus deprive them of another key layer of privacy protection which is currently beyond their control to block.

      7. Iron Heart said on October 15, 2020 at 4:25 pm


        But they ARE redundant already. Brave, which is what I am using, has a built-in adblocker already. I have uBlock Origin installed here still, for the sole reason of uBlock Origin having custom lists, which Brave still lacks. Once the Brave devs add this, I can drop it. Hardly has anything to do here anyway. The same would be true for the built-in adblockers of Vivaldi, Opera, Bromite, or what have you.

        I did not suggest that Google or MS will stop spying on users, that would be a ridiculous notion. And obviously Manifest V3 is meant to limit adblockers, HOWEVER, that’s about all they can do about it. There is no real way they can hamper native adblockers which are not extensions (like those included in the browsers mentioned above), or system-wide ones like AdGuard, or network-wide ones like Pi-Hole. All the aforementioned methods, especially native adblockers of various browsers, will and are making adblock extensions redundant, which is why crippling their APIs will not really limit our ability to block stuff permanently – it just limits ONE of MANY methods we have at our disposal.

      8. Allwynd said on October 17, 2020 at 8:00 am

        @Iron Heat

        Unless Brave and Vivaldi’s built-in content blocker become better, I will have to rely on extensions. For the time being, the ones in Vivaldi and Brave do not properly block all ads or pop ups that appear. I can’t rely on just them knowing that there are options for more thorough blocking.

        If Manifest V3 makes extensions not work properly, people will be forced to rely on other solutions, but the ones in Brave and Vivaldi are hardly decent ones. They do as much job as every browser on Android that boasts that they block ads, yes, they block like 60% of the ads, but that’s not enough.

      9. Iron Heart said on October 17, 2020 at 11:33 am


        I’ve just checked my uBlock Origin stats and it turns out it has very little to do next to Brave’s adblocker. I suggest you do two things:

        1) Go to brave://settings/shields and set the ad & tracker blocking to “Aggressive” (this will also filter out 1st party ads, “Standard” will only filter out 3rd party ads).

        2) Go to brave://adblock/ and subscribe to all lists you see there.

        I achieve very good results with that, and only keep uBlock Origin around for additional filter lists (e.g. “I don’t care about cookies”). Once Brave adds the option to use one’s own filter lists, I’ll drop uBO.

        In Vivaldi, just add more filter lists to the internal adblocker, the same ones that uBlock Origin uses would probably be good. You can get them here:

  14. ShintoPlasm said on October 15, 2020 at 9:14 am

    At this point in time, there are several credible alternatives to the main Chrome browser which are not affected by this change: Vivaldi, Brave, Opera. EdgeC could have been on that list, but it looks like Microsoft’s support for ad- and tracker blocking is half-hearted at best. I just wish Google weren’t so obstinate, but there you go…

  15. Steve said on October 15, 2020 at 9:10 am

    Every time “Manifest v3” term appears it should be mandatory that AC/DC “Highway to Hell” plays in the background of your browser.

    1. Johnny said on October 15, 2020 at 10:44 am


  16. Greg said on October 15, 2020 at 8:45 am

    Vivaldi has its own built-in Ad-blockers. surely that will be affected

    1. ULBoom said on October 17, 2020 at 2:46 am

      Depends on how they’re implemented. All chromium based browsers have the unchangeable aspects of Chromium intact.

    2. ShintoPlasm said on October 15, 2020 at 9:12 am

      It won’t be. None of the built-in adblockers (Vivaldi, Brave, Opera) are technically extensions, and are not affected by v3.

      1. Anonymous said on October 16, 2020 at 2:13 pm

        Extensions or not, i think it uses the same API, so it will be affected.

      2. Mike W. said on October 17, 2020 at 4:58 am


        The Vivaldi & Brave development teams have gone on record that v3 will not impact their built-in content blocking features. This only impacts extensions not baked into the browser. Vivaldi devs came out when they launched their content blocker and said outright that they had no plans to do so until v3 started becoming a reality and they wanted something they controlled so users would not be impacted as severely if this leads to the death of uBlock Origin or the AdGuard browser extension.

  17. eye of the tiger said on October 15, 2020 at 8:38 am

    == BleedingTooth: critical kernel Bluetooth vulnerability

    BlueZ Advisory: Severity rating, HIGH – All Linux kernel versions before 5.9 that support BlueZ

    The latest security information on Intel® products.

    BlueZ Advisory
    Intel ID: INTEL-SA-00435
    Advisory Category: Software
    Impact of vulnerability: Escalation of Privilege, Information Disclosure
    Severity rating: HIGH
    Original release: 10/13/2020
    Last revised: 10/13/2020
    Show more Show less View all


    Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure. BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.

    Vulnerability Details:

    CVEID: CVE-2020-12351

    Description: Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

    CVSS Base Score: 8.3 High

    CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

    CVEID: CVE-2020-12352

    Description: Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

    CVSS Base Score: 5.3 Medium

    CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    CVEID: CVE-2020-24490

    Description: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access.

    CVSS Base Score: 5.3 Medium

    CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

    Affected Products:

    All Linux kernel versions before 5.9 that support BlueZ.


    Intel recommends updating the Linux kernel to version 5.9 or later.

    If a kernel upgrade is not possible, Intel recommends instead installing the following kernel fixes to address these issues:[email protected]/[email protected]/[email protected]/[email protected]/


    Intel would like to thank Andy Nguyen, security engineer from Google for reporting these issues.

    Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
    Revision History
    Revision Date Description
    1.0 10/13/2020 Initial Release


    1. ShintoPlasm said on October 15, 2020 at 10:37 am

      Why is this relevant?

      1. Peterc said on October 15, 2020 at 9:56 pm

        @ShintoPlasm: I’m not sure how it’s relevant, but I’m glad I saw it. (I don’t always get to my Linux newsfeed every day.) Hopefully, a fix will be backported to older but still widely used Linux kernels, if that’s possible. A lot of ordinary users might be inclined to update the kernel on their favorite “user-friendly” distro, but *not* so inclined to implement the various fixes — if indeed they ever learn of their existence.

  18. Iron Heart said on October 15, 2020 at 7:43 am

    > Is Manifest v3 still the end of content blockers?

    No, for Google can do nothing against native adblockers which are not extensions, like the ones in Bromite, Brave, Opera etc. Likewise, system-wide adblockers like AdGuard, and network-wide ones like Pi-Hole will continue to work. Only people who have no cluw about other options will be affected.

    > What is your take on the development?

    Not surprised that Microsoft follows suit, they also have an ad division and are not exactly known for their pro-user stance after all. They waste an opportunity to undermine Chrome‘s market leading position here. But hey, others will take care of it, and thus hopefully reduce the market share of the Google and Microsoft spyware browsers.

    1. John said on October 15, 2020 at 9:30 pm

      Long-term, the issue that might arise for native non-extension ad-blockers built into Chromium forks is that they could be using hooks in the code that will eventually cease to exist in the upstream version. Down the line, upstream could even re-code the browser in a way that is hostile to a fork being able to easily keep accepting updates from them and still adding in an ad-blocker, either on purpose or because they just don’t care what downstream people are doing and there is some feature or security measure that redoes portions of the upstream code with that side effect.

      So, while the built-in ad-blockers will likely survive the deprecation of Manifest v2 in it’s early stages, I would not count on them being able to do it forever, unless they have the resources and the desire to pour enough money into things to completely independently develop their browsers instead of the more typical method of incorporating updates from upstream on a continual basis and merging it with their fork-specific coding, features, and UIs.

      The built-in ad-blockers in the forks I’ve looked at closely have also been weaker than UBlock Origin and the like in certain ways. For example, Vivaldi lacks the “dropper” feature, making it impossible to get rid of stuff that doesn’t make the filter lists but negatively impacts someone’s personal user experience (They did recently add the ability to import filter lists from the web, though, which is a plus- but UBO has that, too).

      I don’t use a system-wide ad-blocker, but from the way I’ve seen them described, they’re mostly DNS blocking and so can’t always give you much glandular control or get rid of every ad the way even extensions without many options generally can. It also kind of strikes me as a whack-a-mole situation where Windows could eventually mark these as insecure applications and throw up warnings when one attempts to install or blocks them entirely if they wanted to. We see how little regard Microsoft has for Edge users’ desire to block ads through extensions. They’re deprecating the last API for Chromium extensions that block ads to the extent we’re used to before Google even deprecates it in Chrome!

      1. ULBoom said on October 17, 2020 at 2:39 am

        No, system wide blockers are not (at least good ones) DNS level filters similar to those often found in DNS resolvers. You can be as granular as you desire by adding user filters. There’s also element blocking where you can remove specific portions of pages. I set my home page to DDG and it’s completely blank except for the duck, search box, and light blue background, no text at all. I like the duck…

        I used Ad Guard browser extension for a few years, definitely slows browsing from time to time, then moved to their system level blocker which has little to no noticeable affect on browsing.

        Ad Guard, along with a multitude of other providers, offers a free DNS resolver with ad blocking. They clearly state it’s a heavy handed approach and recommend (well, yeah) their browser extensions or system level blockers for better control over what’s blocked.

    2. Iron Heart said on October 15, 2020 at 7:55 am


Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.