Hello fellow Mozillians,
Security and Privacy are cornerstones of Mozilla’s manifesto, and they influence how we operate and how we build our products. Following are the highlights of our work from January, February and March 2022, grouped into the following categories:
Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
Core Security, outlining Security and Hardening efforts within the Firefox Platform.
Cryptography, showcasing improvements to connection security.
Web Security, allowing websites to better protect themselves against online threats.
Fuzzing, providing updates for automated security testing and analysis.
Policy & Bug Bounty, providing updates on security policy development.
Immediate Response to exploits in the wild: On March 4th, we received an email from a group of security experts who had observed a previously unknown attack against Firefox (known as a “0day exploit”). The exploit made use of two separate vulnerabilities: The first (CVE-2022-26485) was a use-after-free in XSLT in our sandboxed content process. The second (CVE-2022-26486) was a use-after-free combined with a logic bug in our GPU process. Due to our distributed teams and the rapid release process, we were able to build a robust patch and ship new releases of all affected products on the next day, Saturday March 5, 2022.
Preventing Navigational Tracking: In Firefox 96, which was released in January, we shipped a privacy-enhancing technology called Query Parameter Stripping. It protects users against so-called navigational tracking, a practice in which websites add specific URL parameters to outbound links. Query Parameter Stripping removes this cross-site information while still keeping the website's functionality intact.
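As an added illustration (not Firefox's own code), the following models the stripping step: known tracking parameters are dropped from a link target only when the navigation is cross-site, and every other parameter is left untouched. The parameter list and the hostname-based same-site check are simplifications assumed for this example.

```python
# Added example, not Firefox's implementation: strip known navigational-
# tracking parameters from a link target on cross-site navigations only.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed block list for this example; the real list is maintained
# by Firefox and differs from this.
STRIP_PARAMS = frozenset({"fbclid", "mc_eid", "_hsenc", "mkt_tok"})


def is_cross_site(source_url: str, target_url: str) -> bool:
    """Simplified same-site check: compares hostnames only.

    A real browser compares registrable domains (eTLD+1) using the
    public suffix list; that is omitted here to keep the example short.
    """
    return urlsplit(source_url).hostname != urlsplit(target_url).hostname


def strip_tracking_params(target_url: str, cross_site: bool) -> str:
    """Return target_url with listed tracking parameters removed.

    Stripping applies only to cross-site navigations, so a site's own
    links keep all their parameters and its functionality is preserved.
    """
    if not cross_site:
        return target_url
    parts = urlsplit(target_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in STRIP_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def navigate(source_url: str, target_url: str) -> str:
    """Apply stripping to a navigation from source_url to target_url."""
    return strip_tracking_params(target_url, is_cross_site(source_url, target_url))
```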
Usability and Tracking Protection: Firefox 96 also shipped improved Service Worker isolation as part of our work towards Total Cookie Protection (formerly known as Dynamic First Party Isolation). This aligns the feature with other browsers and paves the way to enabling Total Cookie Protection in upcoming releases. Firefox 98 then improved the user and developer experience of the Storage Access API, to ensure that users are protected from third-party tracking while also giving a clear way out in case of incompatibility issues.
Reducing Sandbox Escape Attack Surface: Over the past several months we have been making significant strides in various projects that reduce the Operating System attack surface for sandbox escapes: In Firefox 96 we severed the connection to the WindowServer on OSX.
Removing the TLS override UI from certificate error pages: Usage of TLS 1.0 and 1.1 has dropped low enough that we can gradually remove the options for re-enabling them. Starting with Firefox 97, the TLS override UI has been removed from the certificate error page. While the preferences are still available in the codebase, we will remove them soon.
Prioritizing the most secure HTTP Authentication response header: The purpose of the HTTP Authentication response header is for webservers to indicate that user authentication is required. Even though most web pages make use of a different, cookie-based authentication, this is still a fundamental web standard. Previously, Firefox used the first presented HTTP authentication method; as of Firefox 97, it properly prioritizes the most secure authentication method when presented with multiple authentication headers.
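As an added example (not Firefox's code), the following parses the challenges a server offers across one or more authentication response headers and compares the old behaviour (take the first) with the new one (take the strongest). The preference order Negotiate, NTLM, Digest, Basic and the simplified challenge parser are assumptions of this example.

```python
# Added example, not Firefox's implementation: choose the strongest
# authentication scheme offered instead of the first one listed.
import re

# Assumed preference order for this example, strongest first.
SCHEME_RANK = {"negotiate": 0, "ntlm": 1, "digest": 2, "basic": 3}

# Split on commas that are not inside a quoted string (assumes balanced quotes).
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_challenges(header_values):
    """Return the scheme names found in the given header values, in order.

    One header value may carry several comma-separated challenges, and each
    challenge may carry comma-separated params (realm=..., nonce=...).  This
    simplified parser treats a piece whose first token has no '=' as the
    start of a new challenge and anything else as a parameter.
    """
    schemes = []
    for value in header_values:
        for piece in _COMMA_OUTSIDE_QUOTES.split(value):
            piece = piece.strip()
            if not piece:
                continue
            first = piece.split(None, 1)[0]
            if "=" not in first:          # new challenge, not a parameter
                schemes.append(first.lower())
    return schemes


def first_offered(header_values):
    """Old behaviour: use whatever the server listed first."""
    schemes = parse_challenges(header_values)
    return schemes[0] if schemes else None


def choose_scheme(header_values):
    """New behaviour: pick the most secure scheme the client understands."""
    known = [s for s in parse_challenges(header_values) if s in SCHEME_RANK]
    if not known:
        return None
    return min(known, key=SCHEME_RANK.__getitem__)
```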
March 2021 Root Changes: The root certificates in NSS, the cryptography library that underpins TLS in Firefox, were adjusted in accordance with our CA Program. Bug 1751297 lists the added and removed certificates.
Trying to default all cookies to SameSite=Lax: Since Firefox 60, released in 2018, Firefox has supported the SameSite attribute, which allows websites to label cookies so that they will only be used within that website. This has a huge benefit in helping prevent Cross-Site Request Forgery (CSRF) attacks. For Firefox 96, we started setting the SameSite=Lax attribute on cookies by default. Unfortunately this caused breakage for our users due to significant implementation mismatches in websites and other browsers when following redirects. In the meantime we are working on cross-vendor outreach in the IETF and are hoping that we can add the SameSite=Lax attribute to cookies by default without giving up on the CSRF prevention.
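The following added example (not Firefox's code) models the decision a browser makes when attaching a cookie to a request, and shows why defaulting a cookie without a SameSite attribute to Lax stops the classic cross-site POST while still letting cross-site link clicks work. Only the SameSite attribute is modelled; the redirect-related breakage mentioned above is not.

```python
# Added example, not Firefox's implementation: SameSite handling for one
# cookie and one request, with a configurable default for cookies that
# carry no SameSite attribute.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str  # "Strict", "Lax" or "None"


def parse_set_cookie(header: str, default_same_site: str = "Lax") -> Cookie:
    """Parse a minimal Set-Cookie value; a missing SameSite takes the default.

    Before the change described above a cookie without the attribute was
    effectively "None"; Firefox 96 tried "Lax".  Other attributes (Path,
    Secure, HttpOnly, ...) are parsed past but ignored here.
    """
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    same_site = default_same_site
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "samesite":
            same_site = val.strip().capitalize()   # "lax" -> "Lax"
    return Cookie(name.strip(), value, same_site)


def should_send(cookie: Cookie, cross_site: bool, method: str,
                top_level_navigation: bool) -> bool:
    """Decide whether the cookie is attached to a request."""
    if not cross_site:
        return True                      # same-site requests always carry it
    if cookie.same_site == "Strict":
        return False                     # never on cross-site requests
    if cookie.same_site == "Lax":
        # Lax: cross-site only for top-level navigations with safe methods.
        # A cross-site form POST (the usual CSRF vector) gets no cookie.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                          # SameSite=None: always sent
```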
We've made significant improvements to DOM Fuzzing with Domino and the Domino Web Tests that have enabled us to identify cases where the fuzzer generates semantically incorrect values. When applied to our WebGL fuzzing efforts, we've managed to reduce the number of incorrect values by 80%. Furthermore, we have added macOS support to our fuzzing efforts and are fuzzing more Web APIs (like WebGPU).
Unified Client and Web Bug Bounty Hall of Fame Updates: Our Client and Web Halls of Fame are updated quarterly – we would like to draw attention to the hall of fame and thank all Bug Bounty participants – publishing allows us to ensure that participating Bug Bounty Hunters get the credit they deserve for helping to advance our mission. This quarter we improved the process by which we generate Hall of Fame updates, allowing us to do them more easily and in a more timely manner.
Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in the second quarter of the year 2022, please do not forget to add your items to the 2022 Q2 Security & Privacy Newsletter (Collection Document) so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,
Christoph, Freddy, Tom
P.S.: All editions of the newsletter can be found in the archive at https://wiki.mozilla.org/Firefox_Security_Newsletter.