Firefox debuts improved process isolation to reduce browser attack surface

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

Process isolation

When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.

The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

Win32k Lockdown

Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threads, OS processes, and memory.

Specifically, Mozilla wanted to restrict access to win32k.sys, a historically exploitable API, via Microsoft’s PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, a process mitigation policy that disables access to win32k.sys system calls.

However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.

Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.

In addition, Firefox has reworked its line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.

Gradual expansion

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change was introduced for Mac users in Firefox 95 that blocked access to the WindowServer, improving process startup by between 30% and 70% and bumping up security. On Linux, the link between content processes and the X11 Server was broken in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”

Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts, and CVE-2022-29911, an iframe sandbox bypass.

Both Chrome and Firefox have now reached triple digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple digits could break website functionality.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.
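The version-parsing failure described above, as an added example that is not part of the original article: a version gate that assumes a two-digit major version and compares strings turns away version 100, next to a parser that reads every digit and compares numerically. The User-Agent strings and all function names are constructed for illustration.

```javascript
// Constructed sample User-Agent strings (not taken from the article).
const UA_FIREFOX_99 =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0";
const UA_FIREFOX_100 =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0";
const UA_CHROME_100 =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36";

// Fragile (hypothetical site code): captures exactly two digits, so
// "Firefox/100.0" is read as "10".
function fragileMajor(ua) {
  const m = /(?:Firefox|Chrome)\/(\d{2})/.exec(ua);
  return m ? m[1] : null;
}

// Fragile gate: compares strings, so the truncated "10" sorts below "95"
// and a newer browser is treated as too old.
function fragileIsAtLeast(ua, min) {
  const v = fragileMajor(ua);
  return v !== null && v >= String(min);
}

// Robust: capture all digits of the major version and convert to a number.
function parseMajor(ua) {
  const m = /\b(Firefox|Chrome)\/(\d+)\./.exec(ua);
  if (!m) return null;
  const major = Number.parseInt(m[2], 10);
  return Number.isSafeInteger(major) ? { browser: m[1], major } : null;
}

// Robust gate: numeric comparison, and unknown clients fail closed.
function isAtLeast(ua, browser, min) {
  const p = parseMajor(ua);
  return p !== null && p.browser === browser && p.major >= min;
}

console.log("fragile gate, Firefox 99 :", fragileIsAtLeast(UA_FIREFOX_99, 95));
console.log("fragile gate, Firefox 100:", fragileIsAtLeast(UA_FIREFOX_100, 95));
console.log("robust gate,  Firefox 100:", isAtLeast(UA_FIREFOX_100, "Firefox", 95));
console.log("robust parse, Chrome 100 :", parseMajor(UA_CHROME_100));
```

A gate of this kind that guards a security-relevant code path should fail closed on an unparseable version, which the robust variant does by returning `false` for unknown clients.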

The Daily Swig has reached out to Mozilla and we will update when we hear back.

Source: https://portswigger.net/daily-swig/firefox-debuts-improved-process-isolation-to-reduce-browser-attack-surface
