
Firefox 95 Rolls Out With New ‘RLBox’ Isolation Feature

Mozilla on Monday released Firefox 95 to the stable channel with a new isolation feature in tow, designed to keep untrusted code at bay and better protect users from web attacks that attempt to escape the sandbox.

Dubbed RLBox, the new sandboxing technology has been developed in collaboration with academics at the University of California San Diego and the University of Texas and is meant to complement existing protections by isolating subcomponents.

To keep users protected from web attacks, browsers run sites in sandboxed processes, but adversaries attempt to chain flaws to escape the sandbox and compromise the victim device.

With RLBox, third-party libraries prone to attacks are also isolated from the rest of the browser, in a fine-grained software sandbox. Thus, in addition to isolating websites in their own processes, the browser attempts to protect from potentially buggy subcomponents.

RLBox, which is a standalone project that relies on WebAssembly for isolating potentially problematic code, is now rolling out to all Firefox users with support for isolating the Graphite, Hunspell, Ogg, Expat and Woff2 modules.

Because the technology treats these libraries as untrusted code, it should keep users protected even from attacks targeting zero-day vulnerabilities in them.

“Accordingly, we’ve updated our bug bounty program to pay researchers for bypassing the sandbox even without a vulnerability in the isolated library,” Mozilla says.

In RLBox, the library code is first compiled into WebAssembly and then compiled from WebAssembly into native code, which makes WebAssembly an intermediate step in the build process; no .wasm files ship in Firefox.

The new feature prevents code from jumping to “unexpected parts of the rest of the program” and keeps it confined to a specified memory region.

“Together, these restrictions make it safe to share an address space (including the stack) between trusted and untrusted code, allowing us to run them in the same process largely as we were doing before,” Mozilla explains.

With this approach, the programmer is only required to sanitize values coming out of the sandbox before trusted code uses them, to make sure they are not maliciously crafted.
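The following added example illustrates that last point in C++; it is not RLBox's own code or part of Firefox. It models the idea behind RLBox's tainted-value wrappers with a hypothetical `Tainted<T>` type: a value returned by a sandboxed library cannot be read by trusted code until it passes through a verifier, so an out-of-range offset produced by a buggy or compromised library is rejected instead of being used as a buffer index. The sandboxed function, its "buggy" switch and the input bytes are all constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for RLBox's tainted<T> (not the real RLBox API).
// A Tainted value came out of the sandbox; the only way to read it is through
// copy_and_verify, which forces the caller to check it before trusting it.
template <typename T>
class Tainted {
public:
    explicit Tainted(T v) : value_(v) {}

    // The verifier receives the raw value and returns whatever trusted type the
    // caller wants (here an std::optional so it can reject bad values).
    template <typename F>
    auto copy_and_verify(F verifier) const {
        return verifier(value_);
    }

private:
    T value_;
    // Deliberately no getter and no conversion operator: a tainted value cannot
    // leak into trusted code unchecked.
};

// Constructed helper: turn a string literal into the byte buffer the "library" parses.
std::vector<uint8_t> to_bytes(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

// Simulated sandboxed library routine (stands in for a parser such as a font or
// XML decoder). It returns the offset of the first '|' in the buffer. The `buggy`
// flag simulates a defect or hostile input making it return a bogus offset.
Tainted<std::size_t> sandboxed_find_separator(const std::vector<uint8_t>& buf, bool buggy) {
    std::size_t off = 0;
    while (off < buf.size() && buf[off] != '|') {
        ++off;
    }
    if (buggy) {
        off = std::size_t{1} << 20;  // constructed fault: far outside the buffer
    }
    return Tainted<std::size_t>(off);
}

// Trusted caller. The verifier confines the offset to the buffer bounds, so the
// value can only be used as an index if it is actually valid.
std::optional<std::string> split_prefix(const std::vector<uint8_t>& buf, bool buggy) {
    Tainted<std::size_t> tainted_off = sandboxed_find_separator(buf, buggy);

    std::optional<std::size_t> off =
        tainted_off.copy_and_verify([&buf](std::size_t v) -> std::optional<std::size_t> {
            if (v >= buf.size()) {
                return std::nullopt;  // reject: no separator found or offset out of range
            }
            return v;
        });

    if (!off) {
        return std::nullopt;
    }
    return std::string(buf.begin(), buf.begin() + static_cast<std::ptrdiff_t>(*off));
}

int main() {
    auto ok = split_prefix(to_bytes("ab|c"), false);
    auto bad = split_prefix(to_bytes("ab|c"), true);
    std::printf("well-behaved library: %s\n", ok ? ok->c_str() : "(rejected)");
    std::printf("buggy library:        %s\n", bad ? bad->c_str() : "(rejected)");
    return 0;
}
```

The point of the wrapper is that the check lives at the trust boundary: trusted code never sees a raw `std::size_t` from the library, so forgetting the bounds check is a compile error rather than a latent memory-safety bug.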

“RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream. As such, we intend to continue applying it to more components going forward,” Mozilla says.

Related: Mozilla Rolling Out ‘Site Isolation’ With Release of Firefox 94

Related: Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API

Related: Firefox 93 Improves Protection Against Tracking, Insecure Downloads

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
