Firefox out-of-band update to 100.0.1 – just in time for Pwn2Own? – Naked Security

Late last week, our Slackware Linux distro announced an update to follow the scheduled-and-expected Firefox 100 release, which came out at the start of the month.
The new version is 100.0.1, and we’re running it happily…

…but when we clicked on What’s new two days later, to see what was new, we were still being told [2022-05-15T19:00Z] to “check back later”:

Similarly, checking for updates via the About dialog in a Firefox version that we had installed directly from Firefox.com informed us that we were currently up-to-date at version 100.0.
Visiting Firefox.com directly didn’t help either, with the 100.0 version shown there as the latest-and-greatest download, too.
Nevertheless, 100.0.1 is officially available from Mozilla’s FTP archive server (though you don’t access it via FTP any more, of course).
According to Ghacks.com, the most significant change in 100.0.1 is that the point release “improves Firefox’s security sandbox on Windows devices.”
A look at Mozilla’s change log and a recent Mozilla Hacks blog post suggests that Ghacks.com has indeed identified the big deal in this released-but-not-yet-released release.
The blog article, entitled Improved Process Isolation in Firefox 100, actually came out the day before the 100.0.1 release was uploaded to the FTP server, as if the changes were already done in the 100.0 release.
As far as we can tell, however, this long-in-gestation security code was ultimately not enabled (or at least wasn’t fully enabled) in 100.0, because the Mozilla change logs include a fix for Bug 1767999, dated shortly after the 100.0 release came out, entitled Re-enable Win32k Lockdown by Default.
(We’ll explain below how this security sandbox code came to be called Win32k Lockdown.)
What’s new in the sandbox?
The Improved Process Isolation report describes a long-running series of changes in Firefox that aim to take advantage of a Windows security setting known long-windedly as PROCESS_MITIGATION_­SYSTEM_CALL_­DISABLE_POLICY.
This isn’t a new security feature – it arrived in Windows 8 – but it’s not a mitigation that you can trivially apply to visual, interactive, graphics-rendering products such as browsers.
Greatly simplified, the SYSTEM_CALL_­DISABLE setting allows a process to relinquish the right to make certain risky system calls, notably those Windows API functions that are implemented directly in the kernel for performance reasons.
Firefox already splits itself into many separate processes, so that if the browser goes haywire in one tab, the compromised code doesn’t immediately have access to the same memory space as all the other tabs.
Early browsers often ran as a single, monolithic process that dealt with making network connections, managing downloads, rendering remotely-supplied content, executing untrusted JavaScript code, and displaying as many windows or tabs as you had open.
Generally speaking, this boosted performance, because moving data around inside one big process is much easier and faster (albeit more error prone) than transmitting it between separate processes.
But it meant that exploit code triggered in one browser tab could lead directly to attackers sniffing out passwords, cookies and other confidential content from any other browser tab or window open at the time.
Divide and conquer
Splitting up the browser into multiple co-operating but separate processes means that each has its own memory area that the others can’t see.
Separate processes also allow different parts of the browser to run with different access rights, according to the principle of least privilege (never give yourself more power than you really need, if only to protect you from yourself).
You’d think, therefore, that implementing SYSTEM_CALL_­DISABLE would be an obvious and easy change to make to a browser’s web content rendering processes, given that their job is to decode, wrangle, process and display content based on untrusted data received from outside.
That untrusted data could include deliberately booby-trapped images, cunningly crafted font files, malevolent and misbehaving JavaScript code and much more, so voluntarily preventing those processes from making risky in-kernel Windows function calls seems like a must-have security setting.
After all, a bug or a crash in the kernel is much more dangerous than a crash in userland, given that it’s the kernel itself that’s supposed to clamp down on misbehaviour in userland code.
If you’re looking for a dramatic metaphor, you can think of an exploit in userland as tampering with a witness in a court case, but you can think of an exploit in kernel-land as bypassing the witnesses and subverting the judge and jury instead.
Unfortunately, as the Mozilla coders have had a long time to reflect, the Windows API functions that Microsoft decided to shift from userland to kernel-land…
…were those functions that affected real-time performance the most, and were therefore the most obvious to (and the most complained-about by) users, such as writing to the screen, displaying graphics, and even, as Mozilla discovered, deciding where to add line breaks into formatted text in languages with complex text-formatting rules.
In other words, any browser rendering process that wants to wrap itself in the added safety of SYSTEM_CALL_­DISABLE needs to be able to call on yet another special-purpose process that is itself allowed to call Windows kernel-level API functions in a well-controlled way.
If the helper processes that act as “insulators” between the rendering processes and the kernel miss out any functions that the browser ultimately depends upon (even if they’re only needed occasionally, like those special-case line-break rules), then some websites will simply stop working, or will work incorrectly.
O! What a tangled web we weave, when first we practise to relinquish certain access rights on purpose, and to split our complex applications into numerous co-operating parts such that each gives up as many risky privileges as it can!
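As an added example (not code from this article or from Mozilla), here is a PowerShell check, run on the Windows machine itself, that asks each running Firefox process whether the SYSTEM_CALL_DISABLE mitigation described above is in force, so you can see for yourself which processes are running under what Mozilla calls Win32k Lockdown. It assumes the documented Win32 APIs OpenProcess and GetProcessMitigationPolicy, and that Firefox launches its child processes with -contentproc on the command line.

```powershell
# Added example: report the Win32k Lockdown state of every running Firefox process.
# Assumes Windows 8 or later and the Win32 APIs declared below (this is not Mozilla's code).
if (-not ('Win32kCheck' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Win32kCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr process, int policy, ref uint flags, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
}

$PROCESS_QUERY_INFORMATION      = 0x0400
$ProcessSystemCallDisablePolicy = 4      # value of ProcessSystemCallDisablePolicy in PROCESS_MITIGATION_POLICY

function Get-Win32kLockdownState {
    param([int]$ProcessId)
    $h = [Win32kCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'access denied' }
    try {
        $flags = [uint32]0
        $ok = [Win32kCheck]::GetProcessMitigationPolicy($h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) { return 'query failed' }
        # Bit 0 of PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY is DisallowWin32kSystemCalls.
        if ($flags -band 1) { 'locked down' } else { 'not locked down' }
    } finally {
        [void][Win32kCheck]::CloseHandle($h)
    }
}

# Firefox starts its child (content and helper) processes with -contentproc; the parent lacks it.
Get-Process -Name firefox -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
    [pscustomobject]@{
        PID            = $_.Id
        Role           = if ($cmd -match '-contentproc') { 'child' } else { 'parent' }
        Win32kLockdown = Get-Win32kLockdownState -ProcessId $_.Id
    }
} | Format-Table -AutoSize
```

Only child processes are expected to report “locked down”; the parent process draws the browser window itself and therefore keeps its win32k access.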
Why now?
Mozilla refers to its use of the SYSTEM_CALL_­DISABLE option as Win32k Lockdown, after the name of the Windows driver (win32k.sys) that implements the various kernel-accelerated Windows API calls.
Given that the code was a long time in the making, and apparently nearly-but-not-quite ready to be turned on by default in Firefox 100…
…why rush to enable it in an out-of-band 100.0.1 update instead of simply waiting for a future scheduled release?
One guess is hinted at in the summary of the latest Mozilla Channels Meeting, which says, “Reminder: pwn2own is next week (Wed-Fri) and we expect to ship chemspills [Mozilla’s curious metaphor for security-driven rapid release updates] in response… We’ll know the exact schedule closer to the start of the event.”
Pwn2Own, of course, is a well-known big-money hacking contest in which products such as browsers, teleconferencing apps and automotive software (where this year’s largest individual prizes are on offer, topping out at $500,000) are deliberately attacked.
Competitors each get a 30-minute slot on a freshly-imaged computer with the latest operating system and application updates installed to demonstrate a working exploit live in front of the judges.
Lots are drawn to determine the order in which the entrants compete, and the first to “pwn” a product wins the prize.
This means, of course, that only the first exploit that works properly gets disclosed.
The other competitors don’t get the money, but they do get to keep their attacks under their hats, so no one knows whether they found a different kind of exploit, or whether it would have worked if they’d drawn an earlier hacking slot.
Was the urgency to get 100.0.1 out due to the proximity of Pwn2Own, in the hope that at least some of the exploits that competitors might bring along would be thwarted by the new Win32k Lockdown protection?
What to do?
You don’t need to do anything, though we sympathise if you were confused by seeing reports that Firefox 100.0.1 was officially available, only to find that it won’t show up as an official update until Monday 2022-05-16 at the earliest.
If you want to update ahead of the majority, you can download 100.0.1 from Mozilla’s FTP server and deploy it yourself, instead of waiting until Firefox’s internal update mechanism decides it’s time.