
Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface in the 100th version released on May 3rd, 2022.
Isolation of System Process
When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system and managed by a single privileged parent process. The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.
The Mozilla team wanted to refine the model. It’s a challenging prospect since content processes need access to some operating system APIs to properly function.
Fission, a sandbox for web pages and frames, and RLBox, a subcomponent isolator, have already been introduced. Now Firefox has debuted Win32k Lockdown, which together with Fission and RLBox will significantly improve Firefox's security.
Win32k Lockdown
This is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default, including threads, OS processes, and memory.
Mozilla wanted to restrict access to win32k.sys, an API with a long history of exploitable bugs, via Microsoft's PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, a process mitigation policy that blocks a process from making win32k.sys system calls. Applying it means that web content processes can no longer perform a range of graphics, window management, or input processing tasks otherwise handled by that API.
Mozilla Firefox undertook a serious redesign that includes a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.
In addition, Firefox has reworked its line-breaking functionality. Challenges remain around third-party DLL loading and interaction, and a fix is planned for a future Firefox release.
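As an added example (not Mozilla's code), the following PowerShell audit reports, for each running firefox.exe process, whether the Win32k system-call mitigation described above is in effect, so a defender can confirm that content processes are locked down while the parent keeps full access. It assumes the ProcessMitigations module (Windows 10 1709 or later, run from an elevated prompt) and that Firefox child processes carry "-contentproc" on their command line.

```powershell
# Added example: audit Win32k Lockdown on running Firefox processes.
# Assumptions: ProcessMitigations module is available; child processes
# are identified by the "-contentproc" switch on their command line.

function Get-FirefoxWin32kStatus {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'firefox.exe'"
    if (-not $procs) {
        Write-Warning "No firefox.exe processes are running."
        return
    }

    foreach ($p in $procs) {
        # Heuristic role classification (assumption): the parent process
        # is the only firefox.exe without "-contentproc".
        $role = if ($p.CommandLine -match '-contentproc') { 'child' } else { 'parent' }

        # Query the live process mitigation policy. SystemCall.DisableWin32kSystemCalls
        # reports ON when win32k.sys system calls are blocked for that process.
        $m = Get-ProcessMitigation -Id $p.ProcessId -ErrorAction SilentlyContinue
        $win32k = if ($m) { [string]$m.SystemCall.DisableWin32kSystemCalls } else { 'unknown' }

        [pscustomobject]@{
            PID          = $p.ProcessId
            Role         = $role
            Win32kBlocked = $win32k
            # Flag the cases worth a second look: a child still allowed to
            # call win32k, or a parent that has somehow been restricted.
            Note         = switch ($true) {
                ($role -eq 'child'  -and $win32k -ne 'ON')  { 'child process not locked down' }
                ($role -eq 'parent' -and $win32k -eq 'ON')  { 'parent unexpectedly restricted' }
                default                                     { '' }
            }
        }
    }
}

Get-FirefoxWin32kStatus | Sort-Object Role, PID | Format-Table -AutoSize
```

Some child processes (for example GPU or utility processes) legitimately differ from tab content processes, so a blank Win32kBlocked value for them is a prompt to check that process's type rather than proof of a misconfiguration.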
Though the primary focus is on Windows, Mozilla has also worked on enhancements for other operating systems. On macOS, Firefox 95 blocked access to the WindowServer, improving process startup time by 30 to 70% and strengthening security. On Linux, the connection between content processes and the X11 server was removed in Firefox 99.
Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts, and CVE-2022-29911, an iframe sandbox bypass.
Both Chrome and Firefox have now reached triple-digit version numbers. This shows that security and other enhancements are the need of the hour, but they should not break basic functionality.