Firefox Security Newsletter/FSN-2022-Q2
Hello fellow Mozillians,
Security and Privacy are cornerstones of Mozilla’s manifesto, and they influence how we operate and build our products. Following are the highlights of our work from April, May and June 2022, grouped into the following categories:
- Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
- Core Security, outlining Security and Hardening efforts within the Firefox Platform.
- Cryptography, showcasing improvements to connection security.
- Web Security, allowing websites to better protect themselves against online threats.
- Fuzzing, providing updates for automated security testing and analysis.
Preface
Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We de-restrict fixed security bugs after a grace period, once the majority of our user population has received the update. If a link does not work for you, please accept this as a precaution for the safety of all of our users.
Firefox Product Security & Privacy
Bug Bounty Hall of Fame Updates: Our Bug Bounty Hall of Fame for Web and Client bugs are updated quarterly – we would like to draw attention to the hall of fame and thank all Bug Bounty participants – publishing allows us to ensure that participating Bug Bounty Hunters get the credit they deserve for helping to advance our mission.
Total Cookie Protection: Since Firefox 103, released in June, all Firefox users benefit from the strongest privacy protections in Firefox to date. Total Cookie Protection confines cookies to the context in which they were created, thus preventing tracking companies from abusing cookies to track users across the web. The technical mechanisms powering these new privacy protections, originally pioneered in Tor Browser, are known as dynamic state partitioning. That partitioning mechanism keys third-party cookies and storage by the top-level site (the domain displayed in the address bar) and thus prevents cross-site leakage of information.
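To make the keying concrete, here is an added example (not Firefox code) that models a cookie jar with and without partitioning by top-level site. A constructed tracker origin sets a cookie while the user is on one site and tries to read it back on another; with partitioning the second lookup finds nothing. The registrable-domain computation is a deliberate simplification (last two host labels) standing in for the Public Suffix List lookup a browser performs.

```javascript
// Added example, not Firefox code: a model of dynamic state partitioning.
// Third-party cookies are keyed by the top-level site shown in the address bar
// in addition to the origin that set them, so a tracker embedded on two
// unrelated sites ends up with two separate cookie jars.

// ASSUMPTION: the registrable domain (eTLD+1) is approximated by the last two
// host labels; a real browser consults the Public Suffix List here.
function partitionKey(topLevelUrl) {
  const u = new URL(topLevelUrl);
  const site = u.hostname.split('.').slice(-2).join('.');
  return '(' + u.protocol.replace(':', '') + ',' + site + ')'; // e.g. "(https,news.example)"
}

class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map(); // key -> Map(cookieName -> value)
  }

  // The lookup key is the origin that set/reads the cookie, prefixed by the
  // partition (the top-level site) when partitioning is enabled.
  key(topLevelUrl, requestOrigin) {
    const partition = this.partitioned ? partitionKey(topLevelUrl) : '*';
    return partition + '|' + new URL(requestOrigin).origin;
  }

  set(topLevelUrl, requestOrigin, name, value) {
    const k = this.key(topLevelUrl, requestOrigin);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(topLevelUrl, requestOrigin, name) {
    const jar = this.store.get(this.key(topLevelUrl, requestOrigin));
    return jar && jar.has(name) ? jar.get(name) : null;
  }
}

// Constructed scenario: tracker.example is embedded on news.example and on
// shop.example. It sets a user id on the first site and reads it on the second.
function trackingScenario(partitioned) {
  const jar = new CookieJar(partitioned);
  const tracker = 'https://tracker.example';
  jar.set('https://news.example/article', tracker, 'uid', 'abc123');
  return jar.get('https://shop.example/cart', tracker, 'uid');
}

// Unpartitioned: the id follows the user across sites ("abc123").
// Partitioned: the lookup under shop.example finds no cookie (null).
console.log(trackingScenario(false), trackingScenario(true));
```

The unpartitioned jar returns the id on the second site, which is exactly the cross-site linkage Total Cookie Protection removes; the partitioned jar returns null because the tracker's cookie lives under the `(https,news.example)` partition only.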
Disallow Relaxing Referrer-Policy: Beginning with Firefox 100, Firefox ignores less restricted referrer policies, including unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin, for cross-site subresource/iframe requests to prevent privacy leaks from the referrer.
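The following is an added example (not Firefox code) that models the referrer computation with this rule applied: for a cross-site request, the three relaxed policies named above are replaced by the default `strict-origin-when-cross-origin` before the referrer is derived. The site comparison uses a simplified registrable-domain check (last two host labels) in place of a Public Suffix List lookup; everything else follows the standard policy semantics.

```javascript
// Added example, not Firefox code: referrer computation with the Firefox 100
// rule that ignores relaxed policies for cross-site requests.

// The policies the newsletter lists as no longer honoured cross-site.
const RELAXED_POLICIES = new Set([
  'unsafe-url',
  'no-referrer-when-downgrade',
  'origin-when-cross-origin',
]);
const DEFAULT_POLICY = 'strict-origin-when-cross-origin';

// ASSUMPTION: registrable domain approximated by the last two host labels;
// a browser would consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(a, b) {
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// The policy actually enforced: relaxed policies fall back to the default
// when the request is cross-site.
function effectivePolicy(policy, crossSite) {
  return crossSite && RELAXED_POLICIES.has(policy) ? DEFAULT_POLICY : policy;
}

// A "full" referrer is the URL without credentials and fragment.
function stripForReferrer(u) {
  const c = new URL(u.href);
  c.username = '';
  c.password = '';
  c.hash = '';
  return c.href;
}

// Returns the Referer value to send, or '' for no referrer.
function computeReferrer(policy, sourceUrl, destUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const crossSite = !isSameSite(src, dst);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  const full = stripForReferrer(src);
  const origin = src.origin + '/';

  switch (effectivePolicy(policy, crossSite)) {
    case 'no-referrer':                return '';
    case 'no-referrer-when-downgrade': return downgrade ? '' : full;
    case 'origin':                     return origin;
    case 'origin-when-cross-origin':   return sameOrigin ? full : origin;
    case 'same-origin':                return sameOrigin ? full : '';
    case 'strict-origin':              return downgrade ? '' : origin;
    case 'unsafe-url':                 return full;
    case 'strict-origin-when-cross-origin':
    default:                           return sameOrigin ? full : (downgrade ? '' : origin);
  }
}

// Constructed requests: a shop page embedding a cross-site tracker pixel
// and a same-site CDN image, both under the relaxed 'unsafe-url' policy.
console.log(computeReferrer('unsafe-url', 'https://shop.example.com/cart?id=7#top', 'https://tracker.example.net/pixel'));
console.log(computeReferrer('unsafe-url', 'https://shop.example.com/cart?id=7#top', 'https://cdn.example.com/img.png'));
```

The cross-site request gets only the origin `https://shop.example.com/` even though the page asked for `unsafe-url`, while the same-site request still receives the full path and query, so first-party analytics keep working and only the cross-site leak is closed.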
Timely responses to severe security bugs: In May, we participated in the security contest pwn2own. Like every year, security researchers get to show their work and claim significant prizes. This year, Manfred Paul successfully targeted Firefox by chaining a child process compromise with a sandbox escape using two atypical bugs both relating to JavaScript prototypes (you can read more in part 1 of the writeup here). We appreciate Pwn2Own not only for the community and research aspect of the contest but also as an opportunity to improve and exercise our incident response capabilities. In this case we released Firefox 100.3 less than two days later.
Core Security
Win32k.sys Syscall Disable ("Win32k lockdown"): Our sandboxed content processes no longer have access to a significant portion of the Windows API surface, which makes sandbox escapes harder. This required a lot of architectural changes to reduce or mediate access to affected features through the privileged parent process and spanned almost all functional teams. Win32k lockdown shipped to release in Firefox 100 after about 4 years of development and a lot of cross-team collaboration.
Disallowing DYLD_INSERT_LIBRARIES on macOS: Previously, we used the DYLD_INSERT_LIBRARIES environment variable to dynamically include additional runtime libraries in child processes. However, an attacker that is able to modify this environment variable could do the same. We removed that capability with Firefox 103 and changed our child process architecture accordingly.
Removal of the X connection on Linux: Building on some of the architectural changes required for the "Win32k lockdown" work above, our content processes no longer have access to the X11 window server on Unix-like operating systems. This closes some potential avenues for sandbox escapes and also helps Wayland installations that were using XWayland. We shipped the enhancement to release in Firefox 99.
Utility Process for Audio Decoding: Audio codecs (and other third-party software written in C) are a potential source of hard-to-resolve security issues. Therefore, we are now running our audio decoders in a separate process and with a stricter sandbox as of Firefox 102.
Windows AppLocker: We are now starting to sign our own DLLs to support those that want to require all executable code to be signed via AppLocker.
Updatebot: Keeping third-party dependencies up-to-date is especially challenging when version metadata is scarce or non-existent. However, outdated third-party software poses increasing security risks over time. Therefore, we have built our own infrastructure to track upstream repositories, patch mozilla-central, run the patch through our CI infrastructure, and channel the results back through a newly filed bug in Bugzilla. As of Q2, we have reached the milestone of monitoring more than 10 dependencies and the list is still growing.
Automatically initializing trivial stack variables: We are starting to roll out the new clang -ftrivial-auto-var-init flag. Although it imposes a small runtime overhead, the flag makes crashes more easily recognizable, helping us catch security and non-security bugs earlier and more frequently.
Harden Remote Settings against local attackers: While preventing local malware from affecting a Firefox installation is often a losing proposition, occasionally there are instances where the engineering effort is worth the increased complexity for malware authors. In two recent bugs, we hardened Remote Settings by changing certain configuration values to be hardcoded instead of preferences.
Privileged JavaScript code that wants to import additional modules via ChromeUtils.import has been restricted to the schemes resource:// and chrome://, so that privileged code is guaranteed to only include scripts that are part of the build. Recent rewrites of our JSMs into actual JavaScript modules have ported this functionality as well.
Cryptography
June 2022 Root Changes: The root certificates in NSS, the cryptography library that underpins TLS in Firefox, were adjusted in accordance with our CA Program. Bug 1764206 lists the added and removed certificates.
Web Security
Supporting ‘wasm-unsafe-eval’ in CSP: Since version 102, Firefox supports Content-Security-Policy (CSP) integration with WebAssembly. A document with a CSP that restricts scripts will no longer execute WebAssembly unless the policy uses 'unsafe-eval' or the new 'wasm-unsafe-eval' keyword.
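The following is an added example (not Firefox code) that shows the decision a policy evaluator makes: it parses a Content-Security-Policy header value, resolves `script-src` with the standard fallback to `default-src`, and answers separately whether JavaScript `eval()` and WebAssembly compilation are allowed. The sample headers are constructed for the example.

```javascript
// Added example, not Firefox code: a minimal CSP evaluator for the two
// questions a script-restricting policy raises: may the document eval()
// JavaScript, and may it compile WebAssembly?

// Parse a CSP header value into a Map of directive name -> source list.
// CSP ignores repeated directives, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Scripts are governed by script-src; if absent, default-src applies;
// if both are absent the policy does not restrict scripts at all (null).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function hasKeyword(sources, keywords) {
  return sources.some(s => keywords.includes(s.toLowerCase()));
}

// eval()/Function() require 'unsafe-eval'.
function allowsJsEval(header) {
  const sources = scriptSources(parseCsp(header));
  return sources === null || hasKeyword(sources, ["'unsafe-eval'"]);
}

// WebAssembly compilation is allowed by 'unsafe-eval' or, more narrowly,
// by 'wasm-unsafe-eval', which does not re-enable JavaScript eval().
function allowsWasm(header) {
  const sources = scriptSources(parseCsp(header));
  return sources === null || hasKeyword(sources, ["'unsafe-eval'", "'wasm-unsafe-eval'"]);
}

// Constructed sample policies.
const SAMPLE_POLICIES = [
  "script-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'",
  "default-src 'self' 'unsafe-eval'",
  "default-src 'none'; script-src 'self' 'wasm-unsafe-eval'",
  "img-src 'self'",
];
for (const p of SAMPLE_POLICIES) {
  console.log(JSON.stringify(p), 'eval:', allowsJsEval(p), 'wasm:', allowsWasm(p));
}
```

The useful property is the asymmetry: a site can opt into WebAssembly with `'wasm-unsafe-eval'` while keeping `eval()` blocked, which was not possible before this keyword existed.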
iframe sandbox flags: Websites with malicious iframes (typically ads) were becoming unwitting accomplices and triggering bugs in native software via custom protocols. We helped specify and implement the “allow-top-navigation-to-custom-protocols” flag, which is now a requirement to launch external software from sandboxed iframes. This shipped in Firefox 102.
Fuzzing
Integrating IPC Fuzzer in mozilla-central: The Inter-Process Communication (IPC) layer within Firefox is a cornerstone of Firefox’s multi-process security architecture. Thus, eliminating security vulnerabilities within the IPC layer remains critical. The importance of fuzzing the IPC layer is explained in a previous blog post. In Firefox 102 we integrated top-level IPC fuzzing in mozilla-central.
Differential testing with Fuzzilli for JS: In Q2 we took fuzzing for our JavaScript engine to the next level and started to deploy differential testing with Fuzzilli, which compares the execution output across different JIT optimization levels.
Going Forward
Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in the third quarter of the year 2022, please do not forget to add your items to the 2022 Q3 Security & Privacy Newsletter (Collection Document) so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,
Christoph, Freddy, Tom