Closed Bug 1767999 Opened 3 years ago Closed 3 years ago

Re-enable Win32k Lockdown by Default

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

All
Windows
enhancement

Tracking

VERIFIED FIXED
102 Branch
Tracking Status
relnote-firefox --- 100+
firefox100 + verified
firefox101 + verified
firefox102 + verified

People

(Reporter: bobowen, Assigned: bobowen)

Attachments

(1 file)

This was set to early beta and earlier in bug 1766033 for a staged roll-out.
We now need to flip it back to be on by default.

Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/743e4a955fea
Re-enable Win32k Lockdown by default. r=gcp

Comment on attachment 9275252 [details]
Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp!

Beta/Release Uplift Approval Request

  • User impact if declined: Win32k lockdown enablement will rely on Normandy roll out instead of just being enabled by default.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple pref flip.
  • String changes made/needed: None
  • Is Android affected?: No
Attachment #9275252 - Flags: approval-mozilla-release?
Attachment #9275252 - Flags: approval-mozilla-beta?
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Release Note Request (optional, but appreciated)
[Why is this notable]: Major improvement to sandbox strength
[Affects Firefox for Android]: No
[Suggested wording]: Firefox's security sandbox now blocks access to the Win32k APIs for Content Processes on Windows.
[Links (documentation, blog post, etc)]: To be announced on Hacks

relnote-firefox: --- → ?

Comment on attachment 9275252 [details]
Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp!

Approved for 100.0.1

Attachment #9275252 - Flags: approval-mozilla-release? → approval-mozilla-release+

Comment on attachment 9275252 [details]
Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp!

Approved for 101.0b7.

Attachment #9275252 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+

Verified as enabled on Fx 100.0.1 and Fx 100.0b7 Windows 10 and Windows 11.

Regressions: 1769811

Verified as enabled with Fx 102.0a1 Windows 11 and Windows 10 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+