Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.
On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.
Process isolation
When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.
The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.
The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.
The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.
Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.
Win32k Lockdown
Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threads, OS processes, and memory.
Specifically, Mozilla wanted to restrict access to win32k.sys, a historically exploitable API, via Microsoft’s PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, a process mitigation policy that disables access to win32k.sys system calls.
However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.
Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.
In addition, Firefox has reworked its line-breaking functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.
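To confirm on a running Windows system which Firefox processes actually carry the win32k system-call disable policy described above, the following PowerShell (an added example, not Mozilla's or the article's code) reads the live mitigation state of each firefox.exe process. It assumes the built-in ProcessMitigations module (Get-ProcessMitigation) is available, that the shell is elevated enough to query the processes, and that Firefox content processes carry -contentproc on their command line.

```powershell
# Added example: report Win32k Lockdown status per running firefox.exe process.
# Assumptions: Windows 10/11 with the ProcessMitigations module; Firefox is running.
function Get-Win32kLockdownStatus {
    param([string]$ProcessName = 'firefox')

    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $proc = $_

        # Win32_Process exposes the command line on both Windows PowerShell 5.1
        # and PowerShell 7; Firefox child processes are launched with -contentproc
        # (assumption used only to label the process role).
        $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
        $role = if ($cmdLine -match '-contentproc') { 'content' } else { 'parent/other' }

        # Get-ProcessMitigation -Id returns the mitigations currently applied to the
        # live process; the SystemCall section backs Win32k Lockdown.
        $mitigation = Get-ProcessMitigation -Id $proc.Id

        [pscustomobject]@{
            Pid                      = $proc.Id
            Role                     = $role
            DisableWin32kSystemCalls = $mitigation.SystemCall.DisableWin32kSystemCalls
        }
    }
}

# Expect content processes to show the policy ON and the parent process to show it
# OFF/NOTSET, since the parent still needs the full Windows API.
Get-Win32kLockdownStatus | Sort-Object Role, Pid | Format-Table -AutoSize
```

If the policy reads OFF for content processes, check whether a third-party DLL or an about:config override (outside the scope of this article) has disabled the lockdown before treating it as a regression.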
Gradual expansion
While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.
A quiet change was introduced for Mac users in Firefox 95 that blocked access to the WindowServer, improving process startup by 30–70% and bumping up security. On Linux, the link between content processes and the X11 server was broken in Firefox 99.
“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.
“We’re pleased to have made it through and present you with the result in Firefox 100.”
Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.
Both Chrome and Firefox have now reached triple-digit browser version numbers. When websites rely on identifying the browser version to perform business logic, moving from double to triple digits could break website functionality.
Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.
The Daily Swig has reached out to Mozilla and we will update when we hear back.
Source: https://portswigger.net/daily-swig/firefox-debuts-improved-process-isolation-to-reduce-browser-attack-surface