The Future of Firefox Security

The year 2012 will likely be a milestone for Mozilla’s Firefox web browser, as the open source group aims to further accelerate web innovation. Among the ways that Mozilla plans on improving Firefox in 2012 is by way of a number of efforts that could make the browser more secure for a greater number of users.

Mozilla makes incremental security updates with each release — such as the recent Firefox 9 update, which patched several security vulnerabilities. The open source browser vendor also works on making the overall platform more secure, which will be the core focus in 2012.

“Longer term, a lot of the work that we do around core technologies factors in security primitives,” Johnathan Nightingale, Director of Firefox Engineering at Mozilla told (The term “security primitives” refers to the building blocks used to provide security services in the software application.)

As an example, Nightingale noted that Mozilla configured support for WebGL as a way to address security concerns with cross-domain texture loading. He explained that with WebGL the idea was to utilize a protocol-based solution that can shut down an entire class of vulnerabilities.

More recently, Mozilla has been working on JIT hardening to mitigate against JIT spraying attacks. The JIT (Just-In-Time) compiler in JavaScript is a common attack vector in modern browser attacks.

“The reality is that the way our JIT engine is built makes it somewhat resilient to JIT Spraying attacks,” Nightingale said. “But there is still work we can do on that class of vulnerability to just get it out of the realm of even the theoretical — and that work is ongoing.”

Another approach to browser security, which has already been adopted by Google Chrome, is known as “process sandboxing.” With process sandboxing, the idea is to isolate processes in order to reduce the potential risk and attack surface for a given browser process or operation.

“Sandboxing has some real benefits, but it’s not a silver bullet,” Nightingale said. “It is something that our platform team is looking at really closely.”

Nightingale added that Mozilla is trying to find a good way to deliver sandboxing discretely, without the need to re-architect large portion of the Firefox platform. He noted that sandboxing is a security tool that Mozilla definitely sees as being beneficial.

Painless updates equal better security

Another area that Mozilla is looking at for Firefox security is the updating mechanisms for the browser. Currently, Firefox users need to click through dialog boxes and interact with the browser in order to get the latest updates. A pair of efforts now underway will likely improve the process and enable more users to get updates easily with minimal interaction.

One of these efforts focused on making Firefox easier to update is called “hotfix addons.”

“What hotfix does is it gives us an extra tool to address issues we see in the field without having to push a brand new update,” Nightingale explained. “It lets us push out updates in a targeted way and it lets us deliver a fix to our users without introducing a lot of the current interruption that a full software update involves.”

The hotfix feature will give Mozilla a way to patch a vulnerability or fix an important issue without requiring a full build. In some cases, there won’t even be a need to restart the browser.

The second effort is the upcoming “silent update” process. Nightingale noted that since the Firefox 4 release in March of 2011, Mozilla has been releasing new browsers every six weeks. That rapid release cycle has involved a certain amount of interruption for users who have to take the time to install the updates. Nightingale stressed that finding a way to apply updates quickly and without interruption will be the single most effective method to keep users safe online.

“What we’re building now is a system that is really quite silent,” Nightingale said. “If you want to be notified, of course you’ll still have that option.”

In contrast to a hotfix update, the silent update is a way of eliminating the interruption of entirely replacing an existing version of Firefox with a new version of Firefox.

“Every time we push a full update, we’re saying ‘Here is a new Firefox executable and a new set of associated libraries that have gone through a lot of development’,” Nightingale said.

“In different problem situations we’ll use different approaches,” Nightingale said. “If we had to disable an SSL Certificate Authority for instance, we can do that as a hotfix — but if it was something that affects how our JavaScript compiler works, we’d likely rebuild that rather than trying to patch on top of it.”

While Mozilla is working on new ways to eliminate classes of vulnerabilities and updating the browser, Nightingale stressed that building a secure browser is an incremental and iterative process.

“At the end of the day there is a lot of hard work that goes into building a secure product release after release after release,” Nightingale said. “Sometimes that means fixing a lot of unglamorous bugs.”

Sean Michael Kerner is a senior editor at, the news service of the IT Business Edge Network.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Related articles