Mozilla has released Firefox 95, featuring a new version of its security sandboxing subsystem called RLBox, and additional performance and efficiency improvements for the macOS version of the web browser.
According to the release notes, RLBox is a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries.
The sandbox subsystem works by compiling a module to WebAssembly and then converting that WebAssembly back into native code. The resulting code is restricted in which memory it can access and cannot jump to unexpected parts of the program, which limits what a vulnerability in that module can be used to do.
As Mozilla’s Bobby Holley explains:
“This technique, which uses WebAssembly to isolate potentially-buggy code, builds on the prototype we shipped last year to Mac and Linux users. Now, we’re bringing that technology to all supported Firefox platforms (desktop and mobile), and isolating five different modules: Graphite, Hunspell, Ogg, Expat and Woff2.
“Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox. Accordingly, we’ve updated our bug bounty program to pay researchers for bypassing the sandbox even without a vulnerability in the isolated library.”
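The two restrictions described above (memory confined to the module's own region, and jumps confined to known targets) can be modelled in a few lines of C. This is an added illustration, not code from Firefox or RLBox; the names `sandbox`, `sbx_store32`, `sbx_load32` and `sbx_call`, the 64 KiB memory size and the two-slot call table are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   65536u  /* one 64 KiB WebAssembly page (size chosen for the demo) */
#define TABLE_SIZE 2u

enum { SBX_OK = 0, SBX_TRAP_OOB = 1, SBX_TRAP_BAD_CALL = 2 };
typedef int32_t (*sbx_fn)(int32_t);

typedef struct {
    uint8_t mem[MEM_SIZE];     /* the only data the module can address */
    sbx_fn  table[TABLE_SIZE]; /* the only indirect-call targets it has */
} sandbox;

/* The module names memory by 32-bit offset, never by host pointer,
   and every access is checked against the end of its own memory. */
int sbx_store32(sandbox *s, uint32_t off, uint32_t val) {
    if ((uint64_t)off + sizeof val > MEM_SIZE) return SBX_TRAP_OOB;
    memcpy(&s->mem[off], &val, sizeof val);
    return SBX_OK;
}

int sbx_load32(const sandbox *s, uint32_t off, uint32_t *out) {
    if ((uint64_t)off + sizeof *out > MEM_SIZE) return SBX_TRAP_OOB;
    memcpy(out, &s->mem[off], sizeof *out);
    return SBX_OK;
}

/* An indirect call names a table slot, which is validated before the jump,
   so a corrupted "function pointer" cannot reach arbitrary host code. */
int sbx_call(const sandbox *s, uint32_t slot, int32_t arg, int32_t *ret) {
    if (slot >= TABLE_SIZE || s->table[slot] == NULL) return SBX_TRAP_BAD_CALL;
    *ret = s->table[slot](arg);
    return SBX_OK;
}

static int32_t twice(int32_t x) { return x * 2; }

/* Constructed scenario: a buggy module ends up with a wild offset and slot. */
static sandbox box = { .table = { twice, NULL } };

int main(void) {
    int32_t r = 0;
    printf("in-bounds store:  %d\n", sbx_store32(&box, 16, 0x41414141u));
    printf("wild store:       %d\n", sbx_store32(&box, 0xFFFFFFF0u, 0x41414141u));
    printf("valid call:       %d\n", sbx_call(&box, 0, 21, &r));
    printf("corrupted target: %d\n", sbx_call(&box, 7, 21, &r));
    return 0;
}
```

In this model a memory-corruption bug inside the module can still scramble the module's own 64 KiB, but the wild store and the corrupted call target both end in a trap instead of touching host state.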
In other improvements, Firefox 95 reduces CPU usage on macOS during event processing, and reduces the power usage of software-decoded video on macOS, especially in fullscreen. This includes video on streaming sites such as Netflix and Amazon Prime Video.
Meanwhile, it’s now possible to move the Picture-in-Picture toggle button to the opposite side of the video, using the new context menu option “Move Picture-in-Picture Toggle to Left (Right) Side”.
Lastly, Mozilla says that Site Isolation is now enabled for all Firefox 95 users to better protect them against side-channel attacks such as Spectre.
Firefox 95 for macOS is available now from the Mozilla website.