Mozilla this week released Firefox 95 for Mac, which brings a new version of the browser’s security sandboxing subsystem called RLBox, along with additional performance and efficiency improvements.
RLBox is a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries.
The sandbox subsystem works by compiling a process in WebAssembly before re-converting it into native code. This process restricts its access to system memory and stops it from jumping to unexpected parts of the program, thus limiting its potential for exploiting vulnerabilities.
Mozilla’s Bobby Holley explains:
This technique, which uses WebAssembly to isolate potentially-buggy code, builds on the prototype we shipped last year to Mac and Linux users. Now, we’re bringing that technology to all supported Firefox platforms (desktop and mobile), and isolating five different modules: Graphite, Hunspell, Ogg, Expat and Woff2.
Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox. Accordingly, we’ve updated our bug bounty program to pay researchers for bypassing the sandbox even without a vulnerability in the isolated library.
Firefox 95 also reduces CPU usage on macOS during event processing and reduces the power usage of software decoded video on macOS, such as streaming sites like Netflix, especially in fullscreen.
This update also brings faster content process startup and improves page load performance by speculatively compiling JavaScript ahead of time.
It’s also now possible to move the Picture-in-Picture toggle button to the opposite side of the video. Users can find the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
Site Isolation is now enabled for all Firefox 95 users to better protect them against side-channel attacks such as Spectre.
Firefox 95 for macOS is a free download from the Mozilla website.