

This isn’t a new security feature – it arrived in Windows 8 – but it’s not a mitigation that you can trivially apply to visual, interactive, graphics-rendering products such as browsers. The Improved Process Isolation report describes a long-running series of changes in Firefox that aim to take advantage of a Windows security setting known long-windedly as PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY. (We’ll explain below how this security sandbox code came to be called Win32k Lockdown.) What’s new in the sandbox? The blog article, entitled Improved Process Isolation in Firefox 100, actually came out the day before the 100.0.1 release was uploaded to the FTP server, as though the changes were already accomplished in the 100.0 release.Īs far as we can tell, however, this long-in-gestation security code was ultimately not enabled (or at least wasn’t fully enabled) in 100.0, because the Mozilla change logs include a fix for Bug 1767999, dated shortly after the 100.0 release came out, entitled Re-enable Win32k Lockdown by Default. Īccording to, the most significant change in 100.0.1 is that the point release “improves Firefox’s security sandbox on Windows devices.”Ī look at Mozilla’s change log and a recent Mozilla Hacks blog post suggests that has indeed identified the big deal in this released-but-not-yet-released release.

Nevertheless, 100.0.1 is available officially from Mozilla’s FTP archive server (though you don’t access it via FTP any more, of course). Visiting directly didn’t help either, with the 100.0 version shown there as the latest-and-greatest download, too. Similarly, checking for updates via the About dialog in a Firefox version that we had installed directly from informed us that we were currently up-to-date at version 100.0. …but when we clicked on What’s new two days later, to see what was new, we were still being told to “check back later”:

The new version is 100.0.1, and we’re running it happily… Late last week, our Slackware Linux distro announced an update to follow the scheduled-and-expected Firefox 100 release, which came out at the start of the month. His hack used up about 7 seconds of his 30 minute slot, and was successful. Manfred Paul attempted a full sandbox escape. Only one Pwn2Own entrant targeted Firefox.
