Mozilla is introducing a new security feature it claims will make Firefox the most secure browser available to consumers. Dubbed RLBox and available through today's Firefox 95 update, it’s a new sandboxing tool the company developed in collaboration with the University of California San Diego and the University of Texas.
All modern browsers use sandboxing to protect users against malicious code. The problem is that many of the most advanced exploits chain together two vulnerabilities to bypass those protections. With RLBox, Firefox will compile a process into WebAssembly and then convert it into native code. According to Mozilla, this approach presents two significant advantages. It prevents code from jumping between different parts of a program and limits access to specific areas of your system’s memory.
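A simplified model of those two properties, added here as an illustration and not taken from RLBox or Firefox: sandboxed code can name memory only through a checked offset and can reach code only through a checked table index. The struct layout, sizes and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SBX_MEM_SIZE  65536u  /* constructed size: one 64 KiB Wasm page */
#define SBX_TABLE_LEN 2u

typedef int (*sbx_fn)(uint32_t);

struct sandbox {
    uint8_t mem[SBX_MEM_SIZE];    /* the only memory sandboxed code can name */
    sbx_fn  table[SBX_TABLE_LEN]; /* the only legal indirect-call targets */
};

/* Host state living right next to the sandbox in the same process. */
static struct { struct sandbox sbx; uint32_t canary; } host;

static int decode_stub(uint32_t n) { return (int)n + 1; } /* stand-in for library code */

static void host_reset(void) {
    memset(&host, 0, sizeof host);
    host.canary = 0xC0FFEEu;
    host.sbx.table[0] = decode_stub;  /* slot 1 stays empty */
}

/* Sandboxed store: `off` is an offset into sbx.mem, never a host pointer. */
static int sbx_store(struct sandbox *s, uint32_t off, const void *src, uint32_t len) {
    if (len > SBX_MEM_SIZE || off > SBX_MEM_SIZE - len) return -1; /* trap */
    memcpy(s->mem + off, src, len);
    return 0;
}

/* Sandboxed indirect call: a table index, never a raw code address. */
static int sbx_call_indirect(struct sandbox *s, uint32_t idx, uint32_t arg) {
    if (idx >= SBX_TABLE_LEN || s->table[idx] == NULL) return -1; /* trap */
    return s->table[idx](arg);
}

/* A 32-byte write aimed 8 bytes before the end of sandbox memory, which
 * unchecked would run into host data. Returns 1 if it was stopped. */
int overflow_is_contained(void) {
    uint8_t junk[32];
    memset(junk, 0x41, sizeof junk);
    host_reset();
    int rc = sbx_store(&host.sbx, SBX_MEM_SIZE - 8, junk, (uint32_t)sizeof junk);
    return rc == -1 && host.canary == 0xC0FFEEu;
}

/* A corrupted function index cannot redirect control outside the table. */
int bad_jump_is_contained(void) {
    host_reset();
    return sbx_call_indirect(&host.sbx, 0, 41) == 42 &&
           sbx_call_indirect(&host.sbx, 1, 0) == -1 &&
           sbx_call_indirect(&host.sbx, 0xDEADBEEFu, 0) == -1;
}
```

A bug inside the component can still corrupt the component's own `mem`, which is why the guarantee is about the rest of the program rather than the component itself.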
With today’s release, Mozilla will use RLBox to isolate five components of Firefox, including the browser’s Graphite font rendering engine and Ogg multimedia module. If the system works as expected, the company says “even a zero-day vulnerability in any of [the five components] should pose no threat to Firefox.”
Mozilla is quick to note it won’t be able to use RLBox to protect every component of Firefox. For instance, it’s not suitable for modules that depend on sharing memory with the rest of the program to function. However, the company is hopeful that other developers will use the technology to make their software safer. In the meantime, RLBox is now rolling out to all desktop and mobile versions of Firefox.