uMatrix has an unfixed vulnerability: here is a workaround
Raymond Hill's uBlock Origin and uMatrix browser extensions are popular content blockers. While uBlock Origin is maintained actively by Hill, uMatrix development ended in 2020. A fork, nMatrix, designed for the Pale Moon browser, is still maintained.
The uMatrix browser extension is still in use. Google's Chrome Web Store, on which it is still listed, reveals that it has more than 100,000 users, a figure that can be higher as Google does not echo total number of users to the public. The Firefox extension, for which I wrote a guide in 2017, has more than 29,000 users at the time of writing.
A security researcher discovered a vulnerability in all three extensions. The vulnerability exploits code used by the extensions strict blocking feature. Strict blocking prevents all connections to resources that match the filter. Default installations of the extensions use filter lists that include strict blocking filters.
An attacker may exploit the vulnerability to get the extension to crash or cause memory exhaustion according to the researcher. When the extension crashes, users are left without protection until it is reloaded.
It requires that users become active, e.g. by clicking on a link.
The strict-blocking warning page is only displayed when direct navigations are blocked. This means that malicious hosts would need to induce users to trigger a navigation somehow, such as by clicking a link. iframes are classified as sub-documents and do not trigger the warning page, which should make it harder for malicious hosts to exploit this vulnerability in the background.
The researcher tested a proof of concept vulnerability against Chrome, Firefox and Pale Moon. Only the Chrome extension crashed during tests.
Raymond Hill was notified before the security issue was disclosed publicly, and a fix was created for uBlock Origin within one day and published the next. The maintainer of nMatrix published an update to the Pale Moon add-ons site that fixed the issue in the extension as well.
The uMatrix extension is not maintained anymore, which means that it is still vulnerable and will remain so.
How to mitigate the vulnerability
The researcher notes that users need to disable all filter lists on the "assets" tab of the uMatrix dashboard. Subscribing to malware or multi-purpose filter lists may reduce the impact the change has on the blocking of the extension.
To mitigate the vulnerability for now, users can disable uMatrix’s strict-blocking support by unselecting all of the filter lists on the "Assets" tab in the uMatrix dashboard. They can also enable all of the "Malware domains" and "Multipurpose" filter lists in uBlock Origin to help offset the lost filtering coverage.
With development having ended some time ago, it may be time to move to a different extension for content blocking, especially since it has an unpatched vulnerability now. While it seems unlikely that it is going to be exploited in large scale attacks, it is still something that users need to be aware of.
Now You: are you still using uMatrix? (thank you Marcus [via Email])
I appreciate this article, Martin. I’d previously disabled uMatrix in Firefox and Chrome precisely because development had ceased, but I’m sure a lot of other readers still use it. I do, however, use ?Matrix in Pale Moon, and I’m grateful to its forker/developer/maintainer, Alessio Vanni, for fixing the vulnerability.
Which reminds me: “I ? too much and now I’m-a too full.” (Sorry. I couldn’t resist. If I win the 5 points offered by Ghacks reader stu for guessing what keyboard he uses, in the recent article on new Windows keyboard shortcuts, I’m going to use them to buy indulgences for lame jokes.)
Oh, for crying out loud. The recent reduction in Unicode character support in Ghacks comments is getting *tedious*. A little while back, Ghacks reader owl, who is usually quite meticulous, posted a comment that came out almost *entirely* as substitute-character gibberish. Anyway, if you’re seeing question marks in my previous comment, like I am, well, they’re supposed to be Greek lowercase etas, as in “I eta too much.” Way to step on the joke, poor character support! ;-)
Of course I’m using it. So Noscript is a no-go these days, uMatrix’s days are counted.. what to protect us now?
Why is NoScript a no go? It is still maintained with the last update June 24th and works in all browsers now. Seems to me it would be better just because it is supported.
Although TorBrowser heavily relies on NoScript, it has a slightly (emphasis on “slightly”) shady past. If I remember correctly, it didn’t block something (was it certain ads?) fully on purpose or there were certain unwanted connections behind the scene. I clearly remember that there was a lengthy discussion/article somewhere (reddit?), but my “Google Fu” failed and I couldn’t re-discover the link.
Edit: I think I found the issue. See here: https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
Can I ask, why do you think NoScript is a no-go ?
Oh man! I liked uMatrix asset page as it allowed to differentiate between blocked domains and unblocked domains, a feature not present in uBlock Origin(those who used hard mode in uBlock Origin know what I’m talking about).
Now an additional step is added – first to check whether domain is blocked by uBlock Origin’s static filtering, if not then proceed to filter page in uMatrix.
The current situation of uMatrix (uM) is really sad. In my opinion uM together with uBlock Origin (uBO) is a perfect match. It’s a pity that nobody trustworthy has offered to continue developing/maintaining uM, after gorhill has put the project on indefinite hold.
Good that Palemoon has an actively maintained fork, but I don’t want to switch to this browser for various reasons. There is a fork for Firefox called nuTensor at https://github.com/geekprojects/nuTensor, but this also does not really seem to be actively maintained.
To selectively allow a third party JS (for example from http://www.gstatic.com) on site A while have it forbidden on site B. In NoScript the JS from http://www.gstatic.com would be allowed to run on all sites and the same is true for uBO, am I right?
Besides, I find the matrix/scope interface style of uM very intuitive and easy to work with. Thus I use (the also great!) uBO only because of the filter lists and do all interactive blocking/allowing with uM in hardcore mode.
I’m still hoping that gorhill will change his mind and revive the development of uM in the future, but I must say that my expectation is low. :-(
“To selectively allow a third party JS (for example from http://www.gstatic.com) on site A while have it forbidden on site B. In NoScript the JS from http://www.gstatic.com would be allowed to run on all sites and the same is true for uBO, am I right?”
In uBO you can set site noop globally and/or on local level, same like uMatrix. But it doesn’t show number of blocked request, I hate that plus minus thing, and blocked domains by static filtering from third party domains.
Overall I’ve used hard mode in both uBO and uMatrix in different Firefox profiles and can safely say uMatrix is easier to use and is more user friendly if one is in dynamic filtering thing.
> In uBO you can set site noop globally and/or on local level, same like uMatrix.
Thanks for the clarification.
> But it doesn’t show number of blocked request, I hate that plus minus thing, and blocked domains by static filtering from third party domains.
Exactly my feeling!
> Overall I’ve used hard mode in both uBO and uMatrix in different Firefox profiles and can safely say uMatrix is easier to use and is more user friendly if one is in dynamic filtering thing.
Again I fully agree!
“uMatrix is much better than uBlock Origin because you have much more control and overview of your web traffic”
Go to the uBlock logger, filter the list by script or media, etc., click on an entry, then the create static filter tab to make a filter for it. Pretty much identical to uMatrix’s view except that it’s not laid out as a table.
uMatrix is much better than uBlock Origin because you have much more control and overview of your web traffic, and the uMatrix UI is much better.
You can see and block scripts, css, images, frames and xhr content per site with uMatrix.
I know of no other extension that does this.
It would have been better to stop port the UI and control features of uMatrix to uBlock Origin, and then stopped developing uMatrix.
Noscript does not have the same kind of control that uMatrix has.
It is such a shame and waste when the developement of good software stops and there is no good alternative.
I still hope a trusthworthy developer makes a fork of uMatrix and adds the good features of uBlock Origin to it.
I wish @gorhill could tell us why uMatrix was archived. I use uBlock Origin and it doesn’t provide the detailed ease of use of uMatrix.
Couldn’t uMatrix be set to basic maintenance only? Bug fixes, update links, etc?
That would be great!
OK, after reading a lot of information above my pay grade, the following web page
“As soon as I come back from vacation, I will release the necessary update. Fortunately, the problem itself does not look so critical to require immediate intervention.”
Summing up. There is no cause for alarm. uBlock may no longer be developed but it seems the last release it is being supported for vulnerabilities.
That back-from-vacation comment applies to the “uBlock Origin (Legacy)” extension, which is still maintained and is targeted at browsers like Pale Moon.
The add-on that is no longer maintained is uMatrix.
I’m using uBO and NoScript together, have been for years, and am happy with the combo. They’re the first 2 add-ons I install on any new machine (of mine… many non-geeks find NoScript too much to cope with).
I played with uMatrix for a while, but found NoScript easier to use, so I went back to it.
Running unmaintained security software is a bit counter-intuitive.
First, I want to thank vtriolet for finding the vulnerability & contacting Raymond Hill.
Second, thank you Raymond Hill for providing everyone with the BEST content blocker on the internet, for FREE, without any reward. uBlock Origin & uMatrix makes the internet a better place for everyone.
Third, thank you Mozilla for saving us from the evil Google Blink browser engine monopoly. BTW, Brave is STILL the Blink browser engine driven Chromium with a faux interface on top, so it SUCKS Ironshill.
Lastly, thank you @martin for posting this, I read it here first & I can’t find it anywhere else on the internet today (read it yesterday).
As much as I hate Softonic & the comment “moderating” (not posting people’s comments, & never moderating Ironshill), ghacks is still valuable for keeping up on important news.
I first started coming here to read about Presto Opera (not the garbage Blink Opera) news, & it’s still proven to be worth returning for breaking news.
BTW, @martin, tell Softonic the new website design still sucks, you literally can’t view all the archived Firefox articles, it links to “Firefox add-ons”, which is NOT Firefox articles, it’s only the Firefox add-on articles. If Softonic spend a fraction of the time fixing their website, instead of bias “moderating”, they wouldn’t be banned on Reddit.
Thanks. I already notified Softonic about the missing option to browse all articles of important categories such as Firefox or Chrome.
I read this site daily but I haven’t know this vulnerability until today. Today I installed uMatrix update. Then I searched this site: this news was published on July 15, 2021. It’s really hard to find anything because of confusing layout. What has happened?
Shortly: Very good news but hard to find.
I blocked privacy-center.org but ads are still allowed. This is the only site that I allow ads.
> Third, thank you Mozilla for saving us from the evil Google Blink browser engine monopoly.
Indoctrinated. Just accept that the product that was better at everything for years has rightfully won. Better security, better performance, better web compatibility, wider extension support, better enterprise tools, better web dev tools… better everything.
Your begging for market share is just pathetic.
> BTW, Brave is STILL the Blink browser engine driven Chromium with a faux interface on top, so it SUCKS Ironshill.
Dude, it’s not a “faux interface on top”, it is literally just the Chromium interface. The browser with the interface wrapper is called Vivaldi, you fool.
And that it is based on Chromium is great. Reasons? See above. Provably better at everything.
> As much as I hate Softonic & the comment “moderating” (not posting people’s comments, & never moderating Ironshill), ghacks is still valuable for keeping up on important news.
And with “moderated” you actually mean “censor opinions I don’t like”, am I right? That’s fairly pathetic in its own right. I also have to somewhat tolerate your dumb assertions about me (which got published), but I am not a dumb idiot calling for censorship just because you spew some BS. I have better things to do and am mentally strong enough to cope with it.
> Calling for Iron Heart to be censored.
> Using and promoting Deplatformingfox.
Is that just a coincidence, or…?
That sucks. Maybe we can bribe gorhill or someone equally talented to fix this?
Great add ons but I really don’t get how this issue is a thing. It’s showing up in quite a few places. Many extensions are done as a service to users and shouldn’t be relied on for security. The browser and AV are primary.
It’s fixed, Raymond and the nMatrix developer are class acts.
One can even use uMatrix in Kiwi browser on Android, Ice Raven can also have one installed. Useful if one wants to read websites only, easy to block everything except html. Very clean Web, one gets this way. Yoda speak, brrr
wait.. what’s wrong with noscript now?
The mitigation steps that I published initially were incomplete because they did not account for strict rules that users added themselves. I have emended my post and will try to keep it updated as I learn of any other omissions:
To be clear, is it safe to keep the ‘* * * block’ rule on the “My rules” tab?
I think that is a default rule that came with uMatrix, and was not manually added.
That rule is important for the block-by-default behavior that uMatrix provides, so I would keep it.
Unfortunately, I cannot say conclusively whether you will be safe from the vulnerability because I have found other cases where strict blocking is enabled, even when a host is not specified in the rule (e.g., * * image block).
At this point, I will likely withdraw my mitigation recommendations because it will be hard to provide general guidance that will protect all users, if it is indeed possible. (The only person who may know is gorhill.)
I understand. Thanks for the info.
Sadly it looks like the end of uMatrix.
I read few lines on Github link you mentioned and I find them puzzling – “These manually-added rules will appear on the “My rules” tab and will be of the form `* nytimes.com * block` or `nytimes.com nytimes.com * block` (the hostname must be repeated).”
I use uMatrix in hard mode means only 1st party scripts and frame are allowed, no css or image for 3rd party. So only rules manually added are always allow rules, never any blocked rules. How are those going to be affected? Mine guess is allow rules are fine and nothing to worry about but then I’m not a security expert.
I do not know the answer to that question, unfortunately.
I’ve realized that some rules that do not specify hosts will still trigger the strict-blocking warning page, which could leave you potentially vulnerable.
For example, the rule `* * image block` will cause the strict-blocking warning page to appear when you click on a link to an image.
Do you tend to encounter the warning page when you browse pages?
“Do you tend to encounter the warning page when you browse pages?”
Not through browsing pages, *only* and maybe once or twice in fortnight max when I click on some random link on a webpage and uMatrix says to not proceed. Same thing in uBO hard mode, I’ve always enabled all the filter list in uBO settings bar annoyances.
Warning pages were frequent when I started using uBO long time ago. I was a toddler and didn’t enable additional filter lists or using different modes. Since then filter lists also have come a long way and block some common trash outright.
Also I forgot to mention the blocked rules – there are just two blocked rules. First one is * * * block and second is * * frame block. Two default allow rules are 1st party allow and 1st party frame allow. After that only allow rules created are from domains/subdomains specific things aka images, scripts etc. possible only in uMatrix, not in uBO as whole domain/subdomain has to be nooped in uBO.
One thing is clear uMatrix is now unstable. Thanks @Vtriolet for finding this vulnerability and @MartinB for writing this article.
What I’m going to do now? I had multiple Firefox profiles and was using uBO hard mode in one and uMatrix hard mode in another before this, just in case as rules in uBO are different than uMatrix. Now I would continue using that setup and uMatrix to hopefully crash it on a site and encounter the vulnerability ;-)
If you’ve disabled all of the filter lists on the “Assets” tab in the uMatrix dashboard, then I cannot think of an easy way to trigger the strict-blocking warning page with your combination of rules. (Of course, I may be overlooking something.)
I’d be curious to hear about any cases where you do end up triggering uMatrix’s warning page because that would provide evidence that your set-up is vulnerable to the denial-of-service issue.
First thanks to @vtriolet for finding this vulnerability and interacting with regular casual users like me.
My normal setup for browsing is this – In desktop user.js file(Arkenfox) is applied in one profile which I use most. Very few extensions I use in this profile are – uBlock Origin, Clear URLs, Temporary Containers(once in maybe a year as FPI is already enabled) and uMatrix in hard mode. All the filter lists bar annoyances and languages are enabled in uBO which includes some already present in uMatrix, and no custom lists. In uMatrix three filter lists are enabled – Don Pollock, MVPS and Peter Lowe, others were disabled as they don’t get updated or maybe uMatrix is at fault.
In android the setup is mostly the same, as Mull browser is the primary one and no temporary containers as it doesn’t work in Android.
I would be honest I haven’t seen warning page in uMatrix *yet* in browsing, as all the time uBO shows its face in warning pages when clicking links in new tab as it has same lists enabled as those of uMatrix. The reason filter lists were enabled in uMatrix before was to distinguish between blacklisted domains and 3rd party domains easily.
When I said earlier I was a toddler, actually I never updated lists in the past and so warning pages were often in uBO, most of the time in popup form when scrolling webpages. Now with updated lists I only see warning pages when clicking links, which most of the time say page was blocked because of Peter Lowe or Don Pollock list.
Tell me if the following is right:
– If scripts are blocked for new or not-whitelisted sites, it cannot be exploited, unless you click a link to a url with thousand of parameters.
– If it is so, then, would be a solution to inject a userscript or extension that checks for that or directly truncates long urls for links? Option B would be to alternatively show a popup with a warning or highlight the culprit.
– I’m not sure about all of the ways a navigation can be triggered in that situation. Clicking a link is one obvious way, but there may be others that I am unaware of.
– I do not know enough about browser extensions to say. You would have to ensure that your extension or script intercepts the navigation before uMatrix at the very least, though.
Thanks. I’ve manually patched my copy of uMatrix for Chrome since I’m running the unpacked dev version.
I’m also using gorhill’s last dev version 1.4.1b6 of uMatrix on Firefox and Ungoogled Chromium. Does anybody know if the patch from nMatrix (the Palemoon fork) can be applied 1:1 in uMatrix? If so I would try to build my own local version with the patch.
When you say 1:1, do you mean programmatically?
The nMatrix codebase has had formatting changes, so applying a patch to uMatrix with a command like `git apply` may not work without manual intervention.
If I were applying a patch, I would apply the uBO one manually:
https://github.com/gorhill/uBlock/commit/365b20e8cc27cd776ef3868b02ea739ba387356d (the patch)
https://github.com/gorhill/uMatrix/blob/master/src/js/main-blocked.js (the code in uMatrix that needs to be patched)
> When you say 1:1, do you mean programmatically?
Yes, I wondered if I could use the nMatrix patch as well, because I noticed that its code looked a bit different than the uBO patch. Although I know how to apply patches and work with diffs etc., I’m not a programmer myself and don’t usually understand the language of a code. That’s why I asked before I want to apply the patch manually.
> If I were applying a patch, I would apply the uBO one manually
Okay, I’ll do it like this then.
Many thanks for your answers here in this article! Furthermore I would like to thank your responsible disclosure and detailed documentation, too! Also many thanks to Martin for picking up this uMatrix issue with an article here!
I have done so with the nuTensor fork of uMatrix and it appears to work well (export your uMatrix settings first and then disable it).
However, the resulting .xpi can only be installed in Firefox Nightly, Developer Edition or ESR with xpinstall.signatures.required set to false.
> However, the resulting .xpi can only be installed in Firefox Nightly, Developer Edition or ESR with xpinstall.signatures.required set to false.
Uff, that’s an important thing to consider. Does it mean that, if I follow the regular release cycle of Firefox (currently 90.0), I can’t install and run a locally patched uM (self-built) in this 90.0 version? If I don’t get it wrong (after reading https://wiki.mozilla.org/Add-ons/Extension_Signing), a manually patched, local version of uM can’t be used in any official release.
You can sign it yourself. :)
But for me that looks very complicated…
> You can sign it yourself. :) […] But for me that looks very complicated…
Indeed! Overcoming this obstacle does not seem worth to further investigate (for me). I think I’m going to risk running an “unsafe” uM rather than making my (unsigned) but patched addon be compatible with Firefox “release” browser. In the end what a mess and sad evolution of such a useful addon … :-(
Just when I finally managed to get it signed and installed, I saw that @gorhill released a new version of uMatrix!
“Raymond Hill was notified before the security issue was disclosed publicly, and a fix was created for uBlock Origin within one day and published the next. The maintainer of nMatrix published an update to the Pale Moon add-ons site that fixed the issue in the extension as well.”
A security update of the legacy version of uBlock Origin (for Pale Moon) is forthcoming:
(That version is still maintained, but updates are few and far between.)
The posts I’m bookmarking clutter around a cyber sec topic and this one ads another ice to the shivers. Thanks so much for publishing this article.
Whatever the vulnerability, you’re more vulnerable without uMatrix.
This looks like an almost non-existent risk to me.
“An attacker may exploit the vulnerability to get the extension to crash or cause memory exhaustion according to the researcher.”
So ? If the extension crashed, or you lacked memory, you’d notice it, wouldn’t you ?
Also, why would hackers try to make uMatrix crash, or exhaust your memory ? Hackers are not pranksters anymore, they are after money. Why would they bother ?
You question the motivations of criminals. The answer is they are criminals and think different to the rest of us. An experiment to learn the technique; thrill committing anti-social behavior; power; prove intelligence; “because I can”…?
I’m not really sure what does Assets filters/rules are actually doing but blocking sites, but to block permanently all 1st-party URL’s scripts I usually turn off all scripts for 1st-party by selecting, in the drop-down matrix menu, the * asterisk just to the right of the URL address seen in the upper left corner, thereafter select and set the “script” itself (the very first position in that column) to blocked (appears hereafter as solid red color) and then click the padlock to preserve the setting, now all URL’s load permanently with scripts blocked.
The article explained it, the uMatrix stops working allowing all scripts to run when it crashes, isn’t that the culprit?
gorhill updated umatrix to 1.4.2. I for one am thankful.
There is a God and its name is gorhill.
Few days ago I expressed my concerns here that gorhill doesn’t care anymore about us ordinary uM users. I’m so glad that he proved me wrong by fixing the issue and pushing and update to AMO.
Thank you so much, gorhill, for not leaving us out in the rain with an unfixed uM!
By the way, Chuck Norris is afraid of only one thing in the world: A web browser without uMatrix!
Not in the Chrome version.
I also noticed when checking updated extension in the browser, and there it was, what a nice surprise, thanks Gorhill! :)
Couldn’t believe it so had to also check out the Mozilla extension page, but there it is. :)
There are some reports about breakage after installing the latest update of uM, see here:
The solution is given in link 2 as well: Disable the dead filter lists in the “assets” tab, i.e. “hpHosts”, “Malware Domain” list and “Malware domains”.
I have not experienced this breakage in the new 1.4.2 and 1.4.3b0 because I already deactivated these dead lists in my setup months ago.
Apart from the three activated default lists “Dan Pollock”, “MVPS Hosts” and “Peter Lowe” I would like to share the additional (regularly updates) ones, which I use in uM:
(3) https://curben.gitlab.io/malware-filter/urlhaus-filter-hosts.txt (that’s the full version in contrast to the light one which is included in uBO.)
(6) Some lists from Steven Black: https://github.com/StevenBlack/hosts
I hope that this is helpful to anyone out there!
new version is out
for chrom and for firefox
1.4.4 last version
Fix exception thrown when a stock asset is removed
Remove obsolete assets
Thank you Mr Hill.
uMatrix is very powerful :)
1. I wish one could select and block specific scripts eg from the 10 on ghacks.net.
2. How can i see how uM works: intercepting before which other addons?
Are there sites to display installed addons as organigram?
3. My top rules for uM:
* * cookie block
* * frame block
* * script block
4. Someone knows a good testing site for (anti-)adblockers, trackers, targeting ?
This article is out of date and givens inaccurate information. Please update the article.
“uMatrix 1.4.2 has been released with a fix for the vulnerability”