Firefox 57 Brings Better Sandboxing on Linux

Status
Not open for further replies.

LASER_oneXM

Feb 4, 2016
source (bleepingcomputer.com): Firefox 57 Brings Better Sandboxing on Linux

Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users.

The Firefox sandboxing feature isolates the browser from the operating system in a way that prevents web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files.

Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox — such as Flash, DRM, and other multimedia encoding plugins.

In 2016, Firefox received support for running in multiple processes. Mozilla engineers split the browser UI process from the web page rendering operations.

The latter received a sandbox, which Mozilla improved with every release. Because Windows and Linux are different operating systems and most of the Firefox userbase is on Windows, Mozilla focused on improving the Firefox sandbox for Windows first.

Sandbox feature updated to catch up with Firefox for Windows

In Firefox 57, the Firefox sandbox feature will receive improvements to put it on a similar level of protection to the Windows version.

"The content process - that is the one that renders the web pages from the internet and executes JavaScript - is now blocked from reading large parts of the filesystem, with some exceptions for libraries, configuration information, themes and fonts. Notably, it is no longer possible to read private information in the home directory or the Firefox user profile, even if Firefox were to be compromised," said Gian-Carlo Pascutto, one of the Mozilla engineers who worked on the feature.

Because Firefox is still intertwined with the GTK user interface, the Firefox web rendering process is still allowed to read from the filesystem in various situations.

"Rather than postpone the security improvements till this is reworked, we've elected to work around this by allowing a few very specific locations through," Pascutto said.