Firefox 95 boosts protection against zero-day attacks
Mozilla's browser now takes a more granular approach to walling off code


Mozilla is shipping a security technology with Firefox 95 that it hopes will stop zero-day attacks targeting users of the browser.
Called RLBox, the new feature will take a more granular approach to sandboxing, a security approach that runs website code in its own walled-off section of memory to avoid malicious components affecting the rest of the system.
In a blog post announcing the feature, Mozilla distinguished engineer Bobby Holley highlighted a problem with existing browser sandboxing technology, which isolates web site processes in individual sandboxes, and is vulnerable to chained attacks.
Malware developers can compromise the process first, and then escape the sandbox, it warns. It also limits the extent to which code can be separated into different sandboxed processes because of the memory overhead involved.
Developed in conjunction with the University of California San Diego and the University of Texas, RLBox complements process-based isolation with a new approach. It compiles code as native code via WebAssembly, which is a portable compilation format.
This makes each separately compiled piece of native code safer, because it can't access memory outside of a specified region and can't make any unexpected jumps. The new approach makes it possible to run different pieces of trusted and untrusted code in the same process without them affecting each other.
RELATED RESOURCE
"RLBox is a big win for us on several fronts: it protects our users from accidental defects as well as supply-chain attacks, and it reduces the need for us to scramble when such issues are disclosed upstream," said Holley.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
RLBox is a stand-alone project that Mozilla first trialed on macOS and Linux users last year. It is now deploying it across all Firefox platforms, including mobile systems.
Mozilla will begin with RLBox support for the Graphite font rendering system, the Hunspell spell checker, and the Ogg multimedia container format in Firefox 95. It will follow this up in Firefox 96 with support for the Expat XML parser and Woff2, the font compression technology used in the browser.
"Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox," Holley said. He also hoped that other browsers would adopt the open-source technology.
Mozilla has updated its bug bounty program to reward researchers for escaping the sandbox technology without exploiting vulnerabilities in an isolated component.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapers
News While not malicious, the bots can overwhelm web applications in a way similar to bad actors
By Jane McCallion Published
-
Does speech recognition have a future in business tech?
Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
By Jonathan Weinberg Published
-
Zero Trust myths: Fact or fiction?
Whitepaper What the myths get right and wrong about Zero Trust
By ITPro Published
-
ZTNA vs on-premises VPN
Whitepaper How ZTNA wins the network security game
By ITPro Published
-
A roadmap to Zero Trust with Cloudflare and CrowdStrike
Whitepaper Achieve end-to-end protection across endpoints, networks, and applications
By ITPro Published
-
Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox
News Google was only able to discover the company after an anonymous submission was made to its Chrome bug reporting programme
By Zach Marzouk Published
-
State-sponsored hackers delay new Microsoft Exchange Server by four years
News Hafnium's devastating zero-day exploit chain in 2021 forced Microsoft to improve the security of current versions instead of releasing the new one on schedule
By Connor Jones Published
-
Chinese hackers exploit Microsoft zero-day as list of vulnerable Office products grows
News Microsoft has published a support guide and temporary workarounds for IT admins to mitigate the threat
By Connor Jones Published
-
Google patches second Chrome browser zero-day of 2022
News Google acted quickly to secure against the type confusion vulnerability that was under active exploitation
By Connor Jones Published
-
Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update
News Microsoft has kicked off 2022 with a score of security fixes for critical-rated vulnerabilities in some of the most widely used products used by businesses around the world
By Connor Jones Published