The latest version of Firefox is now available and includes an important step forward for web browser security.
From TechRepublic: This time around, the developers have released Firefox 95, which includes a new subsystem, called RLBox. RLBox is a new method of sandboxing, which makes it easy to efficiently isolate subcomponents and make Firefox more secure. RLBox uses WebAssembly to isolate possible buggy code.
How RLBox works is complicated, but it breaks down by first compiling a process into WebAssembly, and then the converted process is then re-converted into native code. What this does is prevent code from moving between different portions of a program and limits access to only specific areas of system memory.
As of Firefox 95, RLBox will isolate five components:
- The Graphite rendering engine
- Ogg media module
- Hunspell spellchecker
- Expat XML parser
- Woff2 font compression
Mozilla also made it clear that it won't be able to use RLBox to protect every component of the browser. For example, RLBox isn't suitable for any module that depends on shared memory to function.
Why is RLBox Important?
Screenshot above is taken from The Hacker News. Credit to the author
All web browsers run content within their own sandbox processes. This is done to prevent code from exploiting vulnerabilities. The problem is that bad actors attack by chaining together vulnerabilities, one used to compromise a sandboxed process and another to escape the sandbox. In order to defend against this type of common attack, browsers must then require multiple layers of protection.
To do this, Firefox uses RLBox to place two key restrictions on target code:
- It isn't allowed to jump to unexpected parts of the program.
- It can't access memory outside of a specific region.
These two restrictions make it safe for Firefox to share an address space between trusted and untrusted code so they can run in the same process.
RLBox is a big step forward for Firefox security because it protects users from accidental defects and supply-chain attacks. As an added benefit, RLBox reduces the need for the developers to scramble and fix something when an issue is disclosed upstream.
As far as end-users, there's nothing to configure, enable or install. RLBox is ready to go with Firefox 95. So, if you're serious about web browser security, make sure to upgrade to the latest version of the open-source web browser immediately.