Firefox for Mac and Linux to get a new security sandbox system

Discussion in 'other security issues & news' started by summerheat, Feb 25, 2020.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Firefox for Mac and Linux will get a new sandbox system on top of the existing sandboxing solutions. It's called RLBox and will be introduced in FF 74 for Linux and FF 75 for Mac.The Windows version will be supported a bit later.

    https://www.zdnet.com/article/firefox-for-mac-and-linux-to-get-a-new-security-sandbox-system

    More details can be found in this Mozilla blog post.

     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I wonder how this will affect compatibility with Sandboxie, but it does sound cool. But it will also be available on Windows, so the topic title is a bit weird. I almost didn't even click on it, since I hardly have any interest in macOS and Linux.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've never used Sandboxie - but what RLBox does is described here:
    I don't see why this should interfere with Sandboxie.

    That's certainly a mistake ;) But seriously, when RLBox comes to Windows remains to be seen. So far the code seems to be tested only on Linux and Mac OS.

    In any case, this approach seems to have great potential to make Firefox more secure as noted in the Mozilla blog post:
     
  4. 142395

    142395 Guest

    I have to say it's interesting (well, BTW I tend to believe any security conscious Fx user have already disabled graphite). Will look it further.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    How can I check whether it is enabled? There is no mention of RLBox under Sandbox on about:support and I don't see a about:config preference either.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, confirmed. I guess since it sandboxes specific libraries within Firefox you cannot disable it - and that's probably why it isn't shown in about:*.
     
  7. 142395

    142395 Guest

    about:config is to toggle sth but RLBox is designed to be on-compile (in contrast to on-thy-fly sandbox) so there's no way for you to toggle or disable it.
    Sure it would be convenient if there's a way to easily confirm if it's enabled - I searched in lib folder for sth named "rlbox" but no result.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Ah thanks for the information, an easy way to confirm it would indeed be nice.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I guess it shouldn't be a big problem. And it sounds like it will make Firefox a lot more secure, so good idea. Too bad that I don't really like Firefox anymore, Vivaldi is a better solution for me at the moment. But I do hope that FF keeps being improved, because you never know.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, here is some more info about the attack on Firefox, were they managed to bypass the sandbox. Seems like it was related to some bug in IPC messaging. I assume Sandboxie would have still contained the malware because of the virtualization layer. The thing that caught my attention is that apparently the Firefox parent process is not running sandboxed, is this true?

    https://www.sentinelone.com/blog/how-two-firefox-zero-days-led-to-two-macos-backdoors/
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    First of all, this is old news (from 2019 and fixed in FF 67). And yes, only the renderer is sandboxed, not the broker process. This is also true for all Chromium-based browsers.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, it's already fixed, but it's not about that. I just found it a bit strange that the parent process of both Firefox and Google are apparently not running sandboxed. Then with what integrity level do they run? I ask this because I run all browsers protected by Sandboxie, so they all have the untrusted integrity level.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I'm guessing it is only possible for a application to sandbox a part of itself. It needs rights for doing that, which it doesn't have if it is completely sandboxed.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes good point. I have just checked it out with Vivaldi, it seems like it runs certain processes with medium, untrusted and low integrity rights. But with Sandboxie, they all run as untrusted. It's interesting from a technical point of view, because many believed that Sandboxie is not needed anymore, but I think this is incorrect.

    Because I doubt Sandboxie would be affected by this IPC bug in Firefox. After all, it's Sandboxie which is acting like the gatekeeper, and not Firefox itself. So in order to get malware running on the system, you would also need to bypass Sandboxie. Of course, we're now talking user-mode browser exploits, because when kernel exploits are involved, then it's a different ball game.
     
  15. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    FF 74/ Linux

    My about:config has this:

    Boolean
    Number
    String

    with Boolean ticked off.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Uh, in what case? Did you search for RLBox? Afaik that is just empty search results with an option to create a new entry.
     
  17. korben

    korben Registered Member

    Joined:
    Nov 5, 2009
    Posts:
    917
    That's what I did.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.