Firefox’s latest security feature is designed to protect against buggy code
Firefox 95, the latest version of Mozilla’s browser that is deployed starting today, introduces a new security feature designed to limit the damage that bugs and security vulnerabilities in its code can cause, Mozilla announced today. The function, called RLBox, was developed with the help of researchers at the University of California at San Diego and the University of Texas, and was originally published as a prototype last year. It happens on both desktop and mobile versions of Firefox.
At its core, RLBox is a sandboxing technology, which means that it is effectively able to isolate code so that any security vulnerabilities it might contain cannot damage the entire system. Sandboxing is a widely used security method in industry, and browsers already run web content in sandboxed processes to try to prevent malicious or buggy sites from compromising the entire browser.
However, RLBox differs from this traditional approach and does not have the same costs in terms of performance and memory usage. This allows critical subcomponents of the browser to be sandboxed, like its spell checker, allowing it to treat them as unreliable code while running in the same process. This places limits on how code can execute or what memory it can access.
As of today’s release, Firefox isolates five add-ons: its Graphite font rendering engine, Hunspell spell checker, Ogg media container format, Expat XML parser, and Woff2 web font compression format. Mozilla says this means that if any bugs or vulnerabilities are discovered in any of these subcomponents, the Firefox team won’t need to scramble to prevent them from compromising the entire browser. “Even a zero-day vulnerability in one of them should pose no threat to Firefox,” Mozilla says.
Mozilla admits that this isn’t a catch-all solution, and the approach won’t work everywhere, like particularly performance-sensitive browser components. But the developer says he hopes to see other browsers and software projects implement the technology, and intends to use it with more Firefox components in the future. Mozilla has also updated its bug bounty program and will now pay researchers if they can bypass the new sandboxes.