Late last week, our Slackware Linux distro pushed out an update to follow the scheduled-and-expected Firefox 100 release, which came out at the start of the month.
The new version is 100.0.1, and we’re running it happily…
…but when we clicked on What’s new two days later, to see what was new, we were still being told [2022-05-15T19:00Z] to “check back later”:
Similarly, checking for updates via the About dialog in a Firefox version that we had installed directly from Firefox.com informed us that we were currently up-to-date at version 100.0.
Visiting Firefox.com directly didn’t help either, with the 100.0 version shown there as the latest-and-greatest download, too.
Nevertheless, 100.0.1 is available officially from Mozilla’s FTP archive server (though you don’t access it via FTP any more, of course).
According to Ghacks.com, the most significant change in 100.0.1 is that the point release “improves Firefox’s security sandbox on Windows devices.”
A look at Mozilla’s change log and a recent Mozilla Hacks blog post suggests that Ghacks.com has indeed identified the big deal in this released-but-not-yet-released release.
The blog article, entitled Improved Process Isolation in Firefox 100, actually came out the day before the 100.0.1 release was uploaded to the FTP server, as if the changes were already in place in the 100.0 release.
As far as we can tell, however, this long-in-gestation security code was ultimately not enabled (or at least wasn’t fully enabled) in 100.0, because the Mozilla change logs include a fix for Bug 1767999, dated shortly after the 100.0 release came out, entitled Re-enable Win32k Lockdown by Default.
(We’ll explain below how this security sandbox code came to be called Win32k Lockdown.)
What’s new in the sandbox?
The Improved Process Isolation report describes a long-running series of changes in Firefox that aim to make use of a Windows security setting known long-windedly as PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY.
This isn’t a new security feature – it arrived in Windows 8 – but it’s not a mitigation that you can trivially apply to visual, interactive, graphics-rendering products such as browsers.
Greatly simplified, the SYSTEM_CALL_DISABLE setting allows a process to relinquish the right to make certain risky system calls, notably those Windows API functions that are implemented directly in the kernel for performance reasons.
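If you want to see for yourself whether a given Firefox process on your own machine currently has this mitigation applied (the question that Bug 1767999 raises about 100.0), Windows 10 1709 and later ship a ProcessMitigations PowerShell module that can report the live mitigation state of a running process. The script below is an added example written for this page, not Mozilla’s code and not something the original article supplied. It assumes the cmdlet’s output exposes the mitigation as SystemCall.DisableWin32kSystemCalls (the layout the cmdlet documents) and that Firefox child processes carry -contentproc on their command line with the process type as the last argument; check both against your own build, since neither comes from the article.

```powershell
# Added example (not part of the original article, not Mozilla code).
# Lists running firefox.exe processes and whether the Win32k system-call
# disable mitigation (PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY) is
# currently applied to each one. Run from an elevated PowerShell on
# Windows 10 1709 or later, where the ProcessMitigations module ships.

Import-Module ProcessMitigations -ErrorAction Stop

function Get-FirefoxWin32kLockdownStatus {
    foreach ($proc in Get-Process -Name firefox -ErrorAction SilentlyContinue) {
        # The command line reveals the process role. ASSUMPTION: Firefox child
        # processes carry '-contentproc' and end with a type such as 'tab',
        # 'gpu' or 'rdd'; confirm with Task Manager or Process Explorer.
        $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
        $role = if ($cmd -match '-contentproc.*\s(\S+)\s*$') { "child:$($Matches[1])" } else { 'parent' }

        try {
            # ASSUMPTION: property path follows the cmdlet's documented output layout.
            $mit   = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            $state = $mit.SystemCall.DisableWin32kSystemCalls
        } catch {
            $state = "error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Id             = $proc.Id
            Role           = $role
            Win32kLockdown = $state
        }
    }
}

# The parent process owns the browser windows, so it must keep win32k access;
# the rows worth looking at are the 'child:tab' content processes.
Get-FirefoxWin32kLockdownStatus | Sort-Object Role | Format-Table -AutoSize
```

Expect the parent process to report the mitigation as off whatever version you run, because it is the one that actually draws the windows; the point of the article is whether the content (tab) processes report it as on.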
Firefox already splits itself into many separate processes, so that if the browser goes haywire in one tab, the compromised code doesn’t immediately have access to the same memory space as all the other tabs.
Early browsers generally ran as a single, monolithic process that dealt with making network connections, managing downloads, rendering remotely-supplied content, executing untrusted JavaScript code, and displaying as many windows or tabs as you had open.
Generally speaking, this boosted performance, because shifting data around inside one big process is much easier and faster (albeit more error prone) than transmitting it between separate processes.
But it meant that exploit code triggered in one browser tab could lead directly to attackers sniffing out passwords, cookies and other confidential content from any other browser tab or window open at the time.
Divide and conquer
Splitting up the browser into multiple co-operating but separate processes means that each has its own memory area that the others can’t see.
Separate processes also allow different parts of the browser to run with different access rights, in accordance with the principle of least privilege (never give yourself more power than you really need, if only to protect you from yourself).
You’d think, therefore, that implementing SYSTEM_CALL_DISABLE would be an obvious and easy change to make to a browser’s web content rendering processes, given that their job is to decode, wrangle, process and display content based on untrusted data received from outside.
That untrusted data might include deliberately booby-trapped images, cunningly crafted font files, malevolent and misbehaving JavaScript code and much more, so voluntarily preventing those processes from making risky in-kernel Windows function calls seems like an important security setting.
After all, a bug or a crash in the kernel is much more dangerous than a crash in userland, given that it’s the kernel itself that’s supposed to clamp down on misbehaviour in userland code.
If you are looking for a dramatic metaphor, you can think of an exploit in userland as tampering with a witness in a court case, but you can think of an exploit in kernel-land as bypassing the witnesses and subverting the judge and jury instead.
Unfortunately, as the Mozilla coders have had a long time to reflect, the Windows API functions that Microsoft decided to shift from userland to kernel-land…
…were those functions that affected real-time performance the most, and were therefore the most obvious to (and the most complained-about by) users, such as writing to the screen, displaying graphics, and even, as Mozilla discovered, deciding where to add line breaks into formatted text in languages with complex text-formatting rules.
In other words, any browser rendering process that wants to wrap itself in the added safety of SYSTEM_CALL_DISABLE needs to be able to call on yet another special-purpose process that is itself allowed to call Windows kernel-level API functions in a well-controlled way.
If the helper processes that act as “insulators” between the rendering processes and the kernel miss out any functions that the browser ultimately depends upon (even if they’re only needed occasionally, like those special-case line-break rules), then some websites will simply stop working, or will work incorrectly.
O! What a tangled web we weave, when first we practise to relinquish certain access rights on purpose, and to split our complex applications into lots of co-operating parts such that each gives up as many risky privileges as it can!
Why now?
Mozilla refers to its use of the SYSTEM_CALL_DISABLE option as Win32k Lockdown, after the name of the Windows kernel driver (win32k.sys) that implements the various kernel-accelerated Windows API calls.
Given that the code was a long time in the making, and apparently nearly-but-not-quite ready to be turned on by default in Firefox 100…
…why rush to enable it in an out-of-band 100.0.1 update instead of simply waiting for a future scheduled release?
One guess is hinted at in the summary of the latest Mozilla Channels Meeting, which says, “Reminder: pwn2own is next week (Wed-Fri) and we expect to ship chemspills [Mozilla’s curious metaphor for security-driven rapid release updates] in response… We’ll know the exact schedule closer to the start of the event.”
Pwn2Own, of course, is a well-known big-money hacking contest in which products such as browsers, teleconferencing apps and automotive software (where this year’s biggest individual prizes are on offer, topping out at $500,000) are deliberately attacked.
Competitors each get a 30-minute slot on a freshly-imaged computer with the latest operating system and application updates installed to demonstrate a working exploit live in front of the judges.
Lots are drawn to determine the order in which the entrants compete, and the first to “pwn” a product wins the prize.
This means, of course, that only the first exploit that works properly gets disclosed.
The other competitors don’t get the money, but they do get to keep their attacks under their hats, so no one knows whether they found a different sort of exploit, or whether it would have worked if they’d drawn an earlier hacking slot.
Was the urgency to get 100.0.1 out because of the proximity of Pwn2Own, in the hope that at least some of the exploits that competitors might bring along would be thwarted by the new Win32k Lockdown protection?
What to do?
You don’t need to do anything, though we sympathise if you were confused by seeing reports that Firefox 100.0.1 was officially available, only to find that it won’t show up as an official update until Monday 2022-05-16 at the earliest.
If you want to update ahead of the majority, you can download 100.0.1 from Mozilla’s FTP server and deploy it yourself, instead of waiting until Firefox’s internal update mechanism decides it’s time.