Firefox’s latest security feature is designed to protect itself from buggy code

Firefox 95, the latest version of Mozilla’s browser that’s rolling out starting today, introduces a new security feature that’s designed to limit the damage that bugs and security vulnerabilities in its code can cause, Mozilla announced today. The feature, called RLBox, was developed with help from researchers at the University of California San Diego and the University of Texas, and it was originally released as a prototype last year. It’s coming to both the desktop and mobile versions of Firefox.

At its core, RLBox is a sandboxing technology, which means that it’s effectively able to isolate code so that any security vulnerabilities it might contain can’t harm the overall system. Sandboxing is a widely used security method across the industry, and browsers already run web content in sandboxed processes to try to stop malicious or buggy sites from compromising the overall browser.

RLBox differs from this traditional approach, however, and doesn’t have the same costs to performance and memory usage. This makes it possible to sandbox critical browser subcomponents like its spell checker, effectively allowing it to treat them as untrusted code while still running in the same process. This places limits on how code can run or which memory it can access.

As of today’s release, Firefox is isolating five modules: its Graphite font rendering engine, Hunspell spell checker, Ogg multimedia container format, Expat XML parser, and Woff2 web font compression format. Mozilla says this means if bugs or vulnerabilities are discovered in one of these subcomponents, the Firefox team won’t need to scramble to stop them from compromising the entire browser. “Even a zero-day vulnerability in any of them should pose no threat to Firefox,” Mozilla says.

Mozilla admits that it’s not a catch-all solution and that the approach won’t work everywhere, such as particularly performance-sensitive browser components. But the developer says it hopes to see other browsers and software projects implement the technology and that it intends to use it with more of Firefox’s components in the future. Mozilla has also…


VirusTotal Adds Collections Feature for Better Collaboration and Context

VirusTotal, a key repository of malware samples and suspicious files for security researchers and defenders, is introducing a new service that enables users to collaborate and share data and indicators of compromise in real time.

The Collections feature allows any user to create a new collection for a file or malware sample that includes a variety of different IOCs, such as file hashes, domains or URLs or other information. The collection can also include a description and VirusTotal will add other information to the collection, such as tags and metadata.

Researchers and security teams often use informal methods such as Twitter, Pastebin, or Dropbox for sharing IOCs, threat intelligence, hashes of malware samples, and lists of suspicious domains. There are also a number of private forums in which that information is shared, but those tend to be small and so data is not disseminated widely. Those methods work for specific use cases, but getting threat information out to the widest possible audience of defenders and researchers can make a significant difference in heading off attacks.

The VirusTotal Collections feature is designed to enable researchers and defenders to update their contributions as needed and allow others to consume them.

“Collection owners can update these by adding or removing IoCs. They are public via our UI and API, and they can be shared using their permalink. This makes it a very convenient way of linking to listings of IoCs in blog posts, research reports and the like,” Juan Infantes of VirusTotal said in a post.

VirusTotal has been the default platform for checking potentially malicious files and URLs for many years, and has evolved into a resource for community sharing and discussion, as well.

“Time evolves and now most investigations go beyond one observable, quickly adding up several indicators of compromise (IOCs) for one single incident . With many security researchers sharing their findings in blog posts and tweets, it’s getting hard to keep track of all these data inputs. Moreover, these investigations change over time bringing more difficulty into reporting the new findings,” Infantes said.


Google Pixel 6 leak teases Magic Eraser feature, plus five years of Android security updates

New leaks from a marketing site appear to confirm that the camera for the Pixel 6 will have a new Magic Eraser feature, and the devices will apparently get five years of Android security updates (h/t 9to5 Google)

According to reliable leaker Evan Blass, the Carphone Warehouse website was showing images of Google marketing materials for the Pixel 6 and Pixel 6 Pro (the images have since been taken down, but you can view the earlier versions of the Carphone Warehouse pages on the Wayback Machine here and here). Screenshots show the description for the previously leaked Magic Eraser, which will apparently be linked to Google Photos:

Magic Eraser makes distractions disappear with a few taps. Remove strangers and unwanted objects in Google Photos, so the people and places that you capture remain the true stars.

Much of what is in the latest photos has been leaked or confirmed already; the Pixel 6 camera will have a 50MP main sensor and a 12MP ultrawide lens, and the Pixel 6 Pro will have a 48MP telephoto lens.

And as Engadget noted, some of the copy on the leaked images (in the tiny, tiny fine print) references “Android security updates for at least five years from when the device first became available on the Google Store in the US.” That would mean Pixel 6 devices would have protection into 2026.

Google did get ahead of some of this year’s leaks with early announcements about the Pixel 6 and the Pixel 6 Pro, including hints about its Tensor processor. The company will hold its traditional autumn hardware event on October 19th, where it will “officially introduce” the Pixel 6 and Pixel 6 Pro.


AT&T is finally adding a security feature to cut down on port-out scams

It looks like AT&T already has a response to the FCC’s new proposals announced today, because they are adding a one-time passcode security feature to cut down on port-out scams.

A new AT&T support article we spotted today states that the carrier will soon require customers who want to port out their number to generate a one-time passcode before switching carriers. The feature is called a “Number Transfer PIN”, and Verizon has been using it since March of last year. It’s a secure one-time-use code that can only be generated by the customer.

Customers that want to port out must first either dial *PORT from their current line or generate a code with the myAT&T app/their online account. The code is then provided to the carrier they are porting to, along with other general account information. Importantly, AT&T employees cannot generate this code on a customer’s behalf. This eliminates an “inside job” type of situation, at least for port-out scams.

Number Transfer PINs replace the existing pre-configured PIN setup that AT&T (and T-Mobile) currently uses. The pre-configured PIN is established when the account is opened, and is used for both account access and to port out. The new PINs are randomized and only generated when needed, making them much more secure.

The change is currently set to take place on October 18th, according to the support article. T-Mobile will then be the only major carrier not using the Number Transfer PIN method.