Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature

Mozilla on Monday released Firefox 95 to the stable channel with a new isolation feature in tow, designed to keep untrusted code at bay and better protect users from web attacks that attempt to escape the sandbox.

Dubbed RLBox, the new sandboxing technology has been developed in collaboration with academics at the University of California San Diego and the University of Texas and is meant to complement existing protections by isolating subcomponents.

To keep users protected from web attacks, browsers run sites in sandboxed processes, but adversaries attempt to chain flaws to escape the sandbox and compromise the victim device.

With RLBox, third-party libraries prone to attacks are also isolated from the rest of the browser, in a fine-grained software sandbox. Thus, in addition to isolating websites in their own processes, the browser attempts to protect against potentially buggy subcomponents.

RLBox, which is a standalone project that relies on WebAssembly for isolating potentially problematic code, is now rolling out to all Firefox users with support for isolating the Graphite, Hunspell, Ogg, Expat and Woff2 modules.

Because the technology treats these modules as untrusted code, it should keep users protected even from attacks targeting zero-day vulnerabilities in them.

“Accordingly, we’ve updated our bug bounty program to pay researchers for bypassing the sandbox even without a vulnerability in the isolated library,” Mozilla says.

With RLBox, code is compiled into WebAssembly and then compiled again into native code. WebAssembly is therefore only an intermediate step in the build process, and no .wasm files ship in Firefox.

The new feature prevents code from jumping to “unexpected parts of the rest of the program” and keeps it confined to a specified memory region.

“Together, these restrictions make it safe to share an address space (including the stack) between trusted and untrusted code, allowing us to run them in the same process largely as we were doing before,” Mozilla explains.

With this approach, the programmer is only required to sanitize values coming out of the sandbox, to make sure they are not maliciously crafted.
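The check described above, sketched as an added example that is not code from Mozilla or the RLBox project: the host validates an offset and length reported by sandboxed code before copying data out of the sandbox's memory region. The `Tainted` wrapper, `SandboxMemory`, `Span` and `read_result` are hypothetical names for illustration and are not RLBox's API; the sample data is constructed.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical wrapper, not RLBox's API: a value that came out of the sandbox
// can only be read by running it through a verifier supplied by the host.
template <typename T>
class Tainted {
    T raw_;
public:
    explicit Tainted(T v) : raw_(v) {}
    template <typename F>
    auto copy_and_verify(F verifier) const { return verifier(raw_); }
};

// Constructed stand-in for the memory region the sandboxed code is confined to.
struct SandboxMemory { std::array<char, 64> bytes{}; };

// What the untrusted library reports back: where its result sits in that region.
struct Span { uint32_t offset; uint32_t length; };

// Constructed sample: the "library" wrote "hello" at offset 4.
SandboxMemory make_sample() {
    SandboxMemory m;
    const std::string s = "hello";
    std::copy(s.begin(), s.end(), m.bytes.begin() + 4);
    return m;
}

// Host side: copy the result out only if the span lies wholly inside the region.
bool read_result(const SandboxMemory& mem, const Tainted<Span>& t, std::string& out) {
    return t.copy_and_verify([&](Span s) {
        const uint64_t end = uint64_t{s.offset} + s.length;  // 64-bit: the sum cannot wrap
        if (end > mem.bytes.size()) return false;            // reject out-of-region spans
        out.assign(mem.bytes.data() + s.offset, s.length);
        return true;
    });
}

int main() {
    const SandboxMemory mem = make_sample();
    const Span cases[] = {{4, 5}, {60, 10}, {0xFFFFFFF0u, 0x20u}};
    for (const Span& c : cases) {
        std::string out;
        const bool ok = read_result(mem, Tainted<Span>(c), out);
        std::cout << c.offset << "+" << c.length << " -> " << (ok ? out : "rejected") << "\n";
    }
}
```

The third case is the one a naive 32-bit bounds check would miss: the offset and length wrap around to a small sum that looks in range.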

“RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream. As such, we intend to continue applying to more components going forward,” Mozilla says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
