Firefox 101.0.1 update. Strengthening Mozilla requirements for certificate authorities

A patch release, Firefox 101.0.1, is available, notable for stronger sandbox isolation on the Windows platform. The new version blocks, by default, access to the Win32k API (the Win32 GUI components that run in the kernel) from sandboxed content processes. The change was made ahead of the Pwn2Own 2022 competition, which will take place May 18-20. Pwn2Own participants demonstrate working techniques for exploiting previously unknown vulnerabilities and, if successful, receive substantial rewards. For example, the prize for bypassing sandbox isolation in Firefox on the Windows platform is $100.

Other changes include a fix for an issue with subtitle display in picture-in-picture mode when using Netflix, and a fix for a bug that left some controls unavailable in the picture-in-picture window.

Separately, Mozilla has announced new requirements in the policy for its root certificate store. The changes, which aim to address long-standing problems with TLS server certificate revocation, take effect on June 1.

The first change concerns certificate revocation reason codes (RFC 5280), which certification authorities will now be required to include in certain revocation cases. Previously, some CAs omitted this data or filled it in perfunctorily, which made it difficult to track why server certificates had been revoked. Correctly populating reason codes in certificate revocation lists (CRLs) now becomes mandatory, which makes it possible to distinguish revocations caused by key compromise or violations of the rules for handling certificates from non-security cases such as a change of organization details, the sale of a domain, or early replacement of a certificate.
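As an added example (not code from the article or from Mozilla), the following shows how a consumer of a CA's CRL can separate compromise-type revocations from administrative ones by the RFC 5280 reason code, using only Go's standard library. It assumes Go 1.21 or newer; the self-signed issuer, serial numbers and reason codes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CRLReason names from RFC 5280 section 5.3.1; codes 1, 2, 9 and 10 indicate a compromise.
var reasonNames = map[int]string{0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
	4: "superseded", 5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

// ClassifyCRL parses a DER CRL and splits revoked serials ("serial:reason") into compromise and administrative buckets.
func ClassifyCRL(der []byte) (security, other []string, err error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, nil, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		label := e.SerialNumber.String() + ":" + reasonNames[e.ReasonCode]
		switch e.ReasonCode {
		case 1, 2, 9, 10: // keyCompromise, cACompromise, privilegeWithdrawn, aACompromise
			security = append(security, label)
		default: // unspecified or administrative reasons
			other = append(other, label)
		}
	}
	return security, other, nil
}

// BuildSampleCRL signs a constructed CRL with a throwaway self-signed issuer; serials and reasons are made up.
func BuildSampleCRL() ([]byte, error) {
	now := time.Now()
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: deterministic, sample only
	pub := priv.Public().(ed25519.PublicKey)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId generated for the CA
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1001), RevocationTime: now, ReasonCode: 1}, // keyCompromise
			{SerialNumber: big.NewInt(1002), RevocationTime: now, ReasonCode: 4}, // superseded
			{SerialNumber: big.NewInt(1003), RevocationTime: now, ReasonCode: 3}, // affiliationChanged
		}}
	return x509.CreateRevocationList(rand.Reader, crl, ca, priv)
}
```

Entries whose reason code is omitted land in the administrative bucket as "unspecified", which is exactly the ambiguity the new policy is meant to remove.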

The second change obliges CAs to submit the full URLs of their CRLs to the Common CA Certificate Database (CCADB). This makes it possible to account for all revoked TLS certificates and to preload more complete revocation data into Firefox, which can then be used for checks without contacting the CA's servers during TLS connection setup.

Source: opennet.ru