Headline
Firefox debuts improved process isolation to reduce browser attack surface
The goal was Win32k Lockdown – a serious step up in Windows security
The goal was Win32k Lockdown – a serious step up in Windows security
Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.
On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.
Process isolation
When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.
The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.
YOU MIGHT ALSO LIKE ‘Browser in a browser’ – Phishing technique simulates pop-ups to exploit users
The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.
The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.
Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.
Win32k Lockdown
Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threats, OS processes, and memory.
Specifically, Mozilla wanted to restrict access to win32k.sys, an API historically exploitable, via Microsoft’s , an app for disabling access to win32k.sys system calls.
However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.
Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.
In addition, Firefox has also rehashed line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.
Gradual expansion
While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.
A quiet change was introduced for Mac users In Firefox 95 that blocked access to the WindowServer, improving process startup by between 30 - 70% and bumping up security. In Linux, the link between content processes and the X11 Server was broken in Firefox 99.
“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.
“We’re pleased to have made it through and present you with the result in Firefox 100.”
Read more of the latest browser security news
Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.
Both Chome and Firefox have now reached the triple-digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple could break website functionality.
Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.
The Daily Swig has reached out to Mozilla and we will update when we hear back.
RELATED ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system, detractors claim
Related news
Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-8 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0:esr are affected.
Red Hat Security Advisory 2022-4590-1 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-4589-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.
Ubuntu Security Notice 5435-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass permission prompts, obtain sensitive information, bypass security restrictions, cause user confusion, or execute arbitrary code. It was discovered that Thunderbird would show the wrong security status after viewing an attached message that is signed or encrypted. An attacker could potentially exploit this by tricking the user into trusting the authenticity of a message.
An update for thunderbird is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1520: Mozilla: Incorrect security status shown after viewing an attached email * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29913: Mozilla: Speech Synthesis feature not properly disabled ...
An update for firefox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29909: Mozilla: Bypassing permission prompt in nested browsing contexts * CVE-2022-29911: Mozilla: iframe Sandbox bypass * CVE-2022-29912: Mozilla: Reader mode bypassed SameSite cookies * CVE-2022-29914: Mozilla: Fullscreen notification bypass using popups * CVE-2022-29916: Mozilla: Leaking browser history with CSS variables * CVE-2022-29917: Mozilla: ...
Ubuntu Security Notice 5411-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, bypass permission prompts, obtain sensitive information, bypass security restrictions, or execute arbitrary code.
Ubuntu Security Notice 5411-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, bypass permission prompts, obtain sensitive information, bypass security restrictions, or execute arbitrary code.