The goal was Win32k Lockdown – a serious step up in Windows security

Firefox debuts improved process isolation to reduce browser attack surface

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

Process isolation

When users browse the web through Firefox, the browser renders page content in separate content processes that are sandboxed from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if an attacker exploits a bug in a content process, what they can reach from inside that sandbox is limited.


The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team had already introduced Fission, its site isolation architecture, which places each site (cross-site iframes included) in its own process, as well as RLBox, which isolates third-party library code by compiling it to WebAssembly and running it in a sandbox inside the process.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

Win32k Lockdown

Win32k Lockdown is specific to Windows machines. Mozilla notes that by default every Windows process, not just the privileged parent, can reach the full Windows API, including calls that create threads and processes and manage memory.

Specifically, Mozilla wanted to cut content processes off from win32k.sys, the kernel driver behind the Windows GUI subsystem (windowing, GDI and input) and a long-standing source of kernel privilege-escalation bugs. Windows provides a process mitigation for exactly this, PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, which, once applied to a process, blocks that process’s system calls into win32k.sys.

However, applying it meant that web content processes could no longer perform a range of graphics, window management and input-processing tasks that the API had been handling for them.

Mozilla therefore undertook a serious redesign. This included switching to WebRender for painting web page content, moving Canvas 2D and WebGL rendering out of the content process, and reworking form controls and widgets so they no longer call OS widget APIs from within the content process.

Firefox also reworked its line-breaking code, which had relied on Windows text APIs. Challenges remain with third-party DLLs that get loaded into content processes and call win32k APIs themselves, and a fix is planned for a future Firefox release.

Win32k Lockdown is currently enabled only on Windows 10 Fall Creators Update (version 1709) and later.
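A practitioner who wants to confirm that the lockdown is actually in effect on a given machine can ask Windows directly: GetProcessMitigationPolicy with ProcessSystemCallDisablePolicy returns the PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY flags for a process. The script below is an added example, not Mozilla’s code, and does this for every running firefox.exe. It assumes Windows 10 1709 or later, a running Firefox, and that it is run as the same user; the Role column relies on the assumption that Firefox child processes carry `-contentproc` on their command line and end with the child type, which is labelled as such in the code.

```powershell
# Added example (not Mozilla's code): report which running Firefox processes
# have the win32k system-call-disable policy applied.
# Assumes Windows 10 1709+, a running Firefox, and the same user account.

Add-Type -Namespace Win32 -Name Mitigation -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, ref uint lpBuffer, IntPtr dwLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_INFORMATION      = 0x0400
$ProcessSystemCallDisablePolicy = 4   # PROCESS_MITIGATION_POLICY enum value
# Bits of PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY.Flags
$DisallowWin32kSystemCalls      = 1
$AuditDisallowWin32kSystemCalls = 2

function Get-Win32kLockdownState {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [Win32.Mitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return 'open failed' }
    try {
        [uint32]$flags = 0
        $ok = [Win32.Mitigation]::GetProcessMitigationPolicy(
            $h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) { return 'query failed' }
        if ($flags -band $DisallowWin32kSystemCalls)      { return 'locked down' }
        if ($flags -band $AuditDisallowWin32kSystemCalls) { return 'audit only' }
        return 'NOT locked down'
    } finally {
        [void][Win32.Mitigation]::CloseHandle($h)
    }
}

Get-Process -Name firefox -ErrorAction Stop | ForEach-Object {
    $id  = $_.Id
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $id").CommandLine
    # Assumption: child processes carry -contentproc and end with the child
    # type (tab, gpu, socket, rdd, utility ...); the parent has neither.
    $role = if ($cmd -and $cmd -match '-contentproc') {
        'child (' + ($cmd -split '\s+')[-1] + ')'
    } else {
        'parent'
    }
    [pscustomobject]@{
        PID    = $id
        Role   = $role
        Win32k = Get-Win32kLockdownState -ProcessId $id
    }
} | Format-Table -AutoSize
```

On an eligible build you should see the parent reported as not locked down and the tab (web content) children reported as locked down; on a build older than 1709, or a Firefox older than 100, every row reads not locked down. The same state is what the Windows ProcessMitigations module reports under SystemCall/DisableWin32kSystemCalls for running processes, if you prefer the built-in cmdlets.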

Gradual expansion

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change introduced for Mac users in Firefox 95 cut content processes off from the WindowServer, which improved process startup time by 30-70% and tightened security. On Linux, the connection between content processes and the X11 server was cut in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”


Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts, and CVE-2022-29911, an iframe sandbox bypass.

Both Chrome and Firefox have now reached triple-digit version numbers. Websites that parse the browser version out of the User-Agent string to drive business logic, and that assume a two-digit major version, could break on the move from version 99 to 100.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.

“Firefox 100 has generally exceeded our expectations,” Mike Conca, senior manager at the Firefox web platform product team, told The Daily Swig.

“We have not seen any major web compatibility issues with the three-digit version number, and the milestone release gave us an opportunity to thank our users via special onboarding screens. Overall, the response has been terrific.”

This article has been updated to include additional comment from Mozilla.
