Firefox's latest security feature is designed to protect against buggy code
Firefox 95, the latest version of Mozilla's browser, introduces a new security feature designed to limit the damage that bugs and security vulnerabilities can cause to its code, Mozilla announced today. The feature, called RLBox, was developed with help from researchers at the University of California San Diego and the University of Texas, and was originally released as a prototype last year. It is coming to both desktop and mobile versions of Firefox.
At its core, RLBox is a sandboxing technology, which means that it isolates code so that any security vulnerabilities it contains cannot harm the overall system. Sandboxing is a widely used security method throughout the industry, and browsers already run web content in sandboxed processes to prevent malicious or buggy sites from compromising the overall browser.
However, RLBox differs from this traditional approach, and does not have the same cost for performance and memory usage. This makes it possible to sandbox critical browser sub-components such as the spell checker, effectively allowing them to be treated as untrusted code while still running in the same process. It limits how the code can run or what memory it can access.
As of today's release, Firefox is isolating five modules: its Graphite font rendering engine, the Hunspell spell checker, the Ogg multimedia container format, the Expat XML parser, and the WOFF2 web font compression format. Mozilla says this means that if bugs or vulnerabilities are discovered in one of these sub-components, the Firefox team won't have to scramble to stop them from compromising the entire browser. "Even a zero-day vulnerability in any of them should pose no threat to Firefox," Mozilla says.
Mozilla acknowledges that this is not a catch-all solution and that this approach will not work everywhere, especially in performance-sensitive browser components. But the developer says it expects other browsers and software projects to implement the technology and intends to use it with more components of Firefox in the future. Mozilla has also updated its bug bounty program and will now pay researchers if they are able to bypass the new sandbox.