Firefox 95: New sandbox technology improves browser security

In version 95, which has just been released, the Firefox developers focused in particular on the security of the web browser. The new version closes a total of 13 security vulnerabilities, some of which are classified as “high”. It also adds a new sandbox called “RLBox”, whose protection is meant to go well beyond what classic sandbox technology for process isolation can offer. The developers have also secured the long-term support release, Firefox ESR, with version 91.4.0.

The developers are particularly proud of the sandbox technology known as RLBox, which has now been integrated and activated in browsers on all platforms. It is the result of a collaboration with researchers from the University of California San Diego and the University of Texas.

The classic browser sandbox isolates individual websites or functions from one another as processes. As an example, the programmers cite audio and video codecs, which Firefox runs in isolation in separate processes. However, this has several disadvantages. The code has to be decoupled and run asynchronously, which takes time and can slow the browser down. In addition, the memory requirement increases. The developers do not believe that the XML parser can be sealed off from other parts of the program in this way.

RLBox therefore uses a trick: it first translates the program code into the WebAssembly standard. WebAssembly provides some security functions intrinsically, which are automatically incorporated (background for interested readers: WebAssembly – web applications in the fast lane). Only then is native code generated, the Firefox developers explain. This already takes place in the build process, when Firefox is compiled on the Mozilla servers. As a result, the binary code generated in this way cannot jump to unexpected places in the program and cannot access memory areas outside certain limits.

This change makes it possible to run trusted (own) and untrusted (third-party) code in the same memory area and thus within one process. Major adjustments to the program code are not necessary. Programmers would, however, have to check return values that come from the sandbox for plausibility, since they could have been crafted with malicious intent. RLBox simplifies this task with a “tainting layer”, as the Firefox developer explains in a blog post.
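The plausibility check on sandbox return values described above, sketched as an added example; it is not code from the article, from Mozilla or from RLBox. `Tainted`, `unwrap_checked` and `sandboxed_find_tag_end` are hypothetical names, and the "sandboxed" parser is a constructed stand-in for a third-party library.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical miniature of a tainting layer (assumption, not RLBox's API):
// the wrapped value is private, so host code cannot use it unchecked.
template <typename T>
class Tainted {
    T value_;
public:
    explicit Tainted(T v) : value_(v) {}
    // The only way out: the value is released only if the check accepts it.
    template <typename Check>
    bool unwrap_checked(Check ok, T& out) const {
        if (!ok(value_)) return false;
        out = value_;
        return true;
    }
};

// Constructed stand-in for a sandboxed parser. A compromised library can
// return any offset it likes, including one far outside the host's buffer.
Tainted<std::size_t> sandboxed_find_tag_end(const std::string& doc, bool compromised) {
    if (compromised) return Tainted<std::size_t>(doc.size() + 4096);
    return Tainted<std::size_t>(doc.find('>'));
}

// Host side: the offset is validated against the buffer the host owns
// before it is used for any memory access.
bool first_tag(const std::string& doc, bool compromised, std::string& tag) {
    std::size_t end = 0;
    Tainted<std::size_t> t = sandboxed_find_tag_end(doc, compromised);
    bool ok = t.unwrap_checked(
        [&doc](std::size_t off) { return off < doc.size(); },  // rejects npos too
        end);
    if (!ok) return false;
    tag = doc.substr(0, end + 1);
    return true;
}

int main() {
    std::string tag;
    const std::string doc = "<root><a/></root>";  // constructed sample input
    std::cout << "benign:      " << (first_tag(doc, false, tag) ? tag : "rejected") << "\n";
    std::cout << "compromised: " << (first_tag(doc, true, tag) ? tag : "rejected") << "\n";
    return 0;
}
```

Because the raw offset is never reachable without a check, forgetting the validation becomes a compile error rather than an out-of-bounds read in the host.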

With this fine-grained RLBox sandbox, the web browser initially isolates five third-party modules: Graphite, Hunspell, Ogg, Expat and Woff2. More modules are to be added piece by piece.

With the 95 release, the Mozilla developers were able to close 6 vulnerabilities with a “high” risk, 5 classified as moderate and 2 with a low security risk. The Bugzilla entries are still locked. However, according to the description in the Firefox security advisory, attackers could have used the vulnerabilities to smuggle in malicious code, disclose sensitive information or carry out spoofing attacks.

The ESR version 91.4.0 only seals security holes. Of these, 5 have the risk classification “high”, 3 “medium” and 2 represent only a minor threat. Here too, the Firefox developers' security advisory has so far provided only abbreviated information.

In the release notes for Firefox 95, the programmers list further improvements. For example, the browser is now available in the Microsoft Store for Windows 10 and 11, which allows it to be used in Windows S mode, where only applications from the store may be started. To better protect users from side-channel attacks such as Spectre, the developers have activated site isolation for all users. The list also includes other minor changes that optimize and accelerate the behavior of the browser.

The new versions are available on the Firefox project download page. Users can find out whether the automatic update has already brought the local installation to a safe state by clicking on the “Hamburger” menu at the top right and selecting “Help” – “About Firefox”. If necessary, this triggers the update process and also restarts the browser at the push of a button.


