TL;DR: Windows Defender had a bug that made certain system calls expensive on CPU cycles when Defender's Real-time Protection feature is enabled. After discovery, Mozilla reported this issue to Microsoft. Microsoft is releasing a patch that should result in lower CPU usage when using Firefox on sites like YouTube (a ~75% CPU usage reduction was noted when browsing YouTube in Firefox with the fixed version of Defender).
It's not just Mozilla; I've been working Defender issues for the last few years on thousands of Windows VMs. Mostly due to enabling the more intensive heuristic real-time engine, and they have different code bases depending on versions installed on different Windows builds, and patching does seem to trigger it. For months we had issues where we couldn't log into some VMs due to high CPU for Defender, and had to bounce the VM and apply a temp Defender fix.
I think it's a growing issue; as they mature/migrate their older code base, issues become less frequent.
I have Malwarebytes Premium and Defender CPU usage is nearly 100% at times, bringing Firefox to a halt. Chrome works fine. I've been blaming Firefox so far.
In my experience (as a former Firefox dev), antivirus / antimalware software are really poorly behaved. They tend to:
- require admin rights (which means that if they have vulnerabilities, they can take control of the entire machine, even if Firefox itself is sandboxed);
- monkey-patch the Firefox executable in memory, which works (when it does) as long as the version of the software tracks closely the version of Firefox, which may or may not be the case;
- ... and also decreases the memory-safety of Firefox, which makes it easier to pwn;
- ... and also makes the crash reports unreliable;
- install encryption certificates that are actually less trustworthy than Mozilla's, hence decreasing the security of https;
- block Firefox and add-on security updates, also decreasing security;
- install privileged add-ons, many of which are easy to exploit from any webpage;
- ...
Part of the work on Crash Scene Investigations was attempting to determine whether the crash was in Firefox or in code or in some bogus foreign code. Depressingly often, it was the latter.
In your case, it's entirely possible that Malwarebytes was simply untested on Firefox.
> - monkey-patch the Firefox executable in memory, which works (when it does) as long as the version of the software tracks closely the version of Firefox, which may or may not be the case;
This one was a frustratingly common cause of crashes when I worked in gamedev. So many crashes would end up being some overlay or antivirus monkeying about with memory.
> Part of the work on Crash Scene Investigations was attempting to determine whether the crash was in Firefox or in code or in some bogus foreign code. Depressingly often, it was the latter.
A shockingly large number of crashes and performance issues in PC gaming are related to poorly behaved overlay programs and overclocking tools like RivaTuner, Overwolf, and the Discord Overlay. I'd well believe your points.
Yes, in general on Windows, processes with higher privilege levels can get access to read/write another process's memory, or even inject code into it. And even admin-level processes can still be broken into by something running as a service with even more elevated privileges like NT AUTHORITY\SYSTEM.
This has long been a leaky part of Windows security. If your malware can get its code running inside a highly privileged service or process, it can do more or less whatever it wants to the rest of the system. But even when not used for nefarious purposes, it is still an extremely dangerous capability in that it can be very easy to create problems.
By default, any application's memory can be read and written to by other processes running as the same user, as far as I know. The way to deal with this is to set process security descriptors, but admin can still bypass this. There are protected processes, and protected processes light, but those are not used by most software (mainly anti-malware afaik.)
Although that was definitely the intent, I actually don't know about specific things that use it. I'd love to hear what actually uses it. (I don't think Widevine l3 does, for example.)
This is wrong: on Windows there are system calls to access the memory of other processes, and on Linux you can do it using debugging. Also on Windows there is a tradition of injecting libraries into other processes, creating threads in processes, etc.
On Linux, ptrace permissions can be restricted [0] and some distributions do this by default.
Whether this provides any meaningful security is questionable unless you pair it with filesystem isolation to prevent malicious programs from modifying config files / bashrc / etc. Meanwhile it does make legit uses of ptrace more annoying.
> - install encryption certificates that are actually less trustworthy than Mozilla's, hence decreasing the security of https;
Given that in many industries insurers and, in some cases like banking, the law require companies to monitor the HTTPS traffic of browsers for compliance, it might be better if browsers had a dedicated filter / monitor API.
Why would Microsoft need to put an NSA backdoor specifically into Defender when it could put it anywhere else into Windows with their monthly patch? It doesn't make sense to single out Defender.
The same is valid for Apple, Google, and every other US company.
Pretty sure Defender is one of the few anti-malware/EDR products that doesn't need to do this, because it's so tied to the platform. Third-party anti-malware and EDR are much more likely to inject hooks and DLLs into other processes.
I am on Windows 10, Malwarebytes Premium and using Firefox Nightly on YouTube right now, and it is using minuscule CPU and has done so for a long time. On an i7 4790K desktop machine.
Firefox itself is at 4-5% and the whole machine is at 14%.
Though it's possible they use different code injection tricks to make blocking impossible. (You can't block Defender from listening to events for example)
I'm curious how much excess energy has been consumed, and won't be consumed any longer, as a result of this improvement, even just limited to reduced CPU usage on Windows machines using Firefox to watch YouTube.
I love thinking about the impacts of tiny improvements at scale like this, might do some napkin math on it later and see if I can come up with something in the right order of magnitude.
Running lights during daytime seems to reduce crashes by about 5-10%, and crashes consume a lot of energy. Depending on crash severity there's at a minimum the wasted time for all involved parties and frequently the necessity for repairs (including the production of replacement parts, paint etc), and at the high end the involvement of emergency personnel and their vehicles, hospital beds, doctors, the production of entire new cars as replacement for totaled ones, etc.
I'm not so sure that running lights isn't a net positive, especially with the introduction of LED lights.
Note that this issue is not exclusive to MS Defender, but likely all Windows AV products to varying degrees:
> > I would also like to add that this high CPU usage issue while using Firefox is not exclusive to Microsoft Defender. It's an issue for Norton's AV products also and should be the same for Symantec Endpoint products too.
> > So, you should also test them.
> It is true that we should analyze the situation with other AV vendors, however, given the numbers shared above, and given how relevant it is to keep track of memory protection changes in order to detect malicious behavior, it is very likely that the explanation for Windows Defender also applies (at least in part) to other AV vendors.
I've seen some really weird performance behavior from Defender and I just keep it disabled on my desktop device now. I'm not surprised to see it affecting Firefox like this. Defender's dropped all the way to the bottom of the list in effectiveness anyway, so I don't feel it's a big loss.
Because once a corporation grows larger than some singularity threshold, there seems to be a bug event horizon where all bug reports just disappear.
Send a bug report to a five-person software company, their lead dev contacts you the same day and has a patched version ready to go in a week. Send a bug report to Microsoft / Citrix / Apple / etc, and you'll never hear back.
My understanding is that until recently (January), V8 (inside Chrome & Edge) made a similar number of calls. The main use is making it so that JIT-generated code is not writable while it is executing. It's an important security measure. V8 switched to a more recent mechanism (memory protection keys) that have been gradually getting support from the various OSes. But IIUC, they switched off the mprotect/VirtualProtect calls unconditionally, and added in the protection key stuff only where supported, which suggests that they left some configurations without any protection at all. SpiderMonkey (in Firefox) has not yet switched to the cheaper mechanism.
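The W^X pattern described in the comment above, as an added example that is not part of this thread or of any browser's code: a toy JIT writes a function into an RW page, then flips the page to RX with mprotect() (the Linux counterpart of VirtualProtect) before running it, and flips it back before re-patching. It assumes x86-64 or AArch64 Linux; the emitted bytes are constructed here and just return 42, and the counter shows the two protection syscalls each compile/patch cycle costs.

```c
// Toy W^X JIT: the page is never writable and executable at the same time.
// Constructed example code; not from Firefox, SpiderMonkey or V8.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*jit_fn)(void);

/* Counts mprotect() transitions; each compile/patch cycle costs two
   (RW -> RX before running, RX -> RW before patching again). */
static unsigned long g_protect_calls = 0;

static int set_prot(void *page, size_t len, int prot) {
    g_protect_calls++;
    return mprotect(page, len, prot);
}

/* Emit "return 42" in the native encoding (constructed bytes). */
static size_t emit_return_42(uint8_t *buf) {
#if defined(__x86_64__)
    static const uint8_t code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax, 42 */
                                    0xC3 };                       /* ret */
#elif defined(__aarch64__)
    static const uint32_t code[] = { 0x52800540,   /* mov w0, #42 */
                                     0xD65F03C0 }; /* ret */
#else
#error "this example only encodes x86-64 and AArch64"
#endif
    memcpy(buf, code, sizeof code);
    return sizeof code;
}

/* Allocate an RW page, write code, flip to RX, run it, flip back to RW.
   Returns the JIT'd function's result, or -1 if any step fails. */
int jit_run_once(void) {
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    size_t len = emit_return_42(mem);
    /* Keep instruction cache coherent with the freshly written code (ARM needs this). */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    if (set_prot(mem, (size_t)page, PROT_READ | PROT_EXEC) != 0) { munmap(mem, (size_t)page); return -1; }
    int result = ((jit_fn)mem)();
    /* Before the JIT could patch this code again it must drop EXEC first. */
    if (set_prot(mem, (size_t)page, PROT_READ | PROT_WRITE) != 0) { munmap(mem, (size_t)page); return -1; }
    munmap(mem, (size_t)page);
    return result;
}

unsigned long jit_protect_calls(void) { return g_protect_calls; }

int main(void) {
    int r = jit_run_once();
    printf("JIT result: %d, mprotect calls: %lu\n", r, jit_protect_calls());
    return r == 42 ? 0 : 1;
}
```

A real engine does this per compiled function or per patch, which is why the call volume, rather than any single call's cost, drives the overhead discussed in the thread.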
My comment was only intended to add missing information to the TLDR (since this fact is important in the linked thread) not to say that Firefox is at fault.
Now that you raised it, however, even if the system call used to be fast, Firefox is making an extremely high number of calls to that system call, and there's always going to be some overhead to that. There are almost certainly ways that Firefox could reduce the number of calls it needs to make.
As the article mentions, Firefox is not currently implementing the Picture-in-Picture Web API that you linked to. Firefox's implementation is a browser feature only, and not exposed to the web at large.
Disclosure: I work for Mozilla on Firefox. I can say, without hesitation, that we definitely give a damn about protecting the user and protecting the health of the web.
Do more to show it then. Firefox has consistently been clamping down on user freedom and aping Chrome as closely as possible, instead of actually focusing on doing the right thing. Google is not the health of the web. Helping Google is contributing to the largest walled-garden that exists.
> Firefox has consistently been clamping down on user freedom
Can you give an example? While I personally don't agree with everything Mozilla has done in the last couple of years (like the native pocket integration for example) I do not agree with that statement.
That's a recent part of it. Pocket integration, removal of about:config entries, moving to WebExtensions so that the user has less control over their browser both in terms of appearance and function, changing the appearance in a way the user has little way of altering to a more functional display, now removing Bookmark Descriptions, using random non-user-audited data transmitted from random Firefox installs to determine the focus and goals of the browser, etc.
The issue claimed by the parent is not just restricting user freedom, but not doing the right thing. Your points:
Pocket integration: not the right thing, at least not the way they rolled it out in Germany, but not a restriction on user freedom.
Removal of about:config entries: This changes in response to changes to the engine, and restrictions can make sense if they avoid mainstream users from being confused about their setup so they find it difficult to find help. The developers edition usually has a bit more flexibility here, for advanced users.
Move to WebExtensions: This massively increases evolvability of Firefox, which I expect will result in better security, better performance, and less interference between extensions.
Changing appearance: I guess things like this are a side-effect of moving to WebExtensions. Maybe they will be supported again as the API evolves.
Mozilla says[1] about the Developer Edition that it "replaces the old Aurora channel" (so it's like a rolling-release alpha version) and has "tools that aren't yet ready for production". I don't think advanced users should be expected to run an alpha-quality, experimental, non-production version as their day-to-day browser just to get their configurability back.
Setting the defaults to values that don't confuse mainstream users is fine. Removing the corresponding settings from the settings dialog or other easily-accessible UI ... maybe. But removing them even from "about:config"? That used to be the place explicitly for advanced settings for advanced users, settings that were too scary for the UI. These settings need to be somewhere. (What if mainstream users discover the Developer Edition? Mozilla will have to make a Secret Developer Edition to make sure only the real advanced users can find it!)
Also, where in that Bugzilla thread are bookmark descriptions mentioned as being an attack vector? I can't find anything about it.
> Also, where in that Bugzilla thread are bookmark descriptions mentioned as being an attack vector? I can't find anything about it.
I was wondering the same thing. The only relevant item I could find is in bug 1402890 [0] linked in the very last comment. It says:
> Websites dictating what goes in a user's bookmark without any way to change that would be a terrible idea. Doubly so if it's secretly stored without even being viewable.
To me that seems like a valid privacy concern, but it should be solvable without discarding the entire feature. The "it's too hard to maintain this, let's just drop it, some volunteer will implement this again if it's needed (yeah, it won't integrate with our own UI like the current solution does, so what)" mindset in both those bugs just reeks of CADT [1].
The removal of the description field in the bookmarks in the most recent version would be another example of how little they care about us users sometimes.
I read the issue where it was discussed and a few suggestions to handle it in a way that didn't break bookmarks for people who used the description feature were pretty much ignored by the developers. The only reason I could infer from the detractors is that it was inconvenient to implement. As a long time supporter of Firefox the way they disregard us users shown in that thread altered my opinion of Mozilla significantly.
> Helping Google is contributing to the largest walled-garden that exists.
They can't outright come out and take an adversarial position against google -- they rely on them for hundreds of millions of dollars. Mozilla would not exist if Google did not pay them to be their default search. Donations account for 5% of their revenue, maybe.
I disagree. Cutting away from, and taking an adversarial stance toward, Google is probably the only thing that would keep Firefox relevant in the future. If Mozilla Corp didn't exist as-is, I believe that Firefox, SeaMonkey, Thunderbird, and other related programs would honestly be stronger and have more market share among users who are not the lowest common denominator, because they would be supported by a strong community making democratic decisions, not clamped down by whatever choices some marketing suit makes about a "brand" which is now almost meaningless.
Pale Moon is proof enough of that: the platform is viable, and people care about it. If Firefox were to discard the wrongheaded choices, I'm pretty sure that the PM community would fold back in. Rather than saying, "oh maybe there's a reason Mozilla Corp's not using the money for real advertising", users would still be going out like we did in the early '00s and building word-of-mouth to support a product worth supporting.
Corporations do not exist to "play nice". They exist to overtake, consume, and ultimately to destroy. Google has almost fully overtaken the Web for corp backers. Mozilla needs to develop the guts to take it back for the users.
I am sorry, but this is HN idealism in full display yet again. People here time and time again vastly overestimate how little of a shit people give about their browser history, or that some company is showing them ads based on their profile, or that Google is building a walled garden (the richest company in the world is a massive walled garden), especially if you give them an alternative: paying for things. The only thing keeping Firefox afloat is Google money. That's the only way they can continue to do anything. If Google stopped paying Firefox, they would cease to function. On the flip side, if Firefox took Google money for just one more year, that would equal 50 times the amount of yearly donations they receive.
"Pale Moon? What???" -- 99% of the world. It has 0.06% marketshare.
If you have a way for Firefox to make money without corporate support I am all ears, but fundamental idealism isn't going to solve anything for Firefox, it will just cause Mozilla to go extinct. I'd rather have them around than not.
> because they would be supported by a strong community making democratic decisions
And close enough to zero top-tier developer hours as to make no odds, so the "democratic decisions" would make no actual difference to an app that would be suddenly dead in the water.
Yeah, I would love to see a fierce, wholly independent Mozilla both doing the technical ass-kicking it's been doing, and with a much freer hand in user advocacy. But if Mozilla's income were to be cut off, everyone would suffer: they would suddenly have zero momentum with which to continue either their technical excellence or their existing, worthwhile advocacy efforts.
I've never heard of Pale Moon until now, but if Google is so evil, and Mozilla is evil for using Google too, I can't help but notice Pale Moon still runs Google Ads on their site. Just seems a bit hypocritical, especially with "We use responsible ad services to keep your visit to our websites a safe and uninterrupted one." on there.
Not convinced, as following the links in GP leads to some sub par (as in the end user experience) home grown solutions.
Further, we are not exactly talking rocket surgery here; this is an extension anyone can install with a few clicks, and as many can attest this is some serious bang for the buck all across the board (performance, privacy, security). Not to mention in the meantime they had the resources to auto-install add-ons like Looking Glass.
This title is inaccurate. Mozilla is _not_ hiring a developer to work on Thunderbird full-time. See below:
From the post:
"
The Thunderbird Project is hiring for a software engineer!
...
Please note that while the Thunderbird project is a group of individuals separate from the Mozilla Foundation that works to further the Thunderbird email client, the Mozilla Foundation is the Project’s fiscal home. The Thunderbird Council, separate from Mozilla, manages the Project and will direct the software engineer’s work."
No, the funds are Thunderbird's alone, originating from donations. Mozilla Foundation is just their fiscal home. Thunderbird Council went shopping for a new fiscal home for a while, even considering The Document Foundation, but decided to stay with MoFo: https://blog.mozilla.org/thunderbird/2017/05/thunderbirds-fu...
> Isn't it Upwork are hiring a programmer to work a contract for Thunderbird?
The Mozilla Foundation just forces Thunderbird to use Upwork as the channel to hire people. I think it's obvious that if Thunderbird Council was able to decide, they would never use Upwork.
Seriously, when we talk so much about the Web's portability, why is a major feature from a major website not even working identically on the two biggest browsers? Since it's Facebook we can't accuse them of browser favouritism, as they're browser neutral. I wonder what APIs are missing from Firefox that make FB Live Video broken?
> Favoritism isn't the only reason for these things. What often happens is that the website devs all use one browser and nobody tests it.
That is exactly the point the GP post makes. These things are supposed to be standardized and the standards well described, so basic things should work everywhere without any testing. But somehow for web, it is acceptable and accepted as status quo, even after years and years of smashing our heads against the wall of nonstandard, browser-specific features.
Yeah. Well, it's not just "features", it's also stuff like minor differences that the spec allows for (the spec doesn't spec everything). For example, assuming the order of elements in the indexed getter of getComputedValues().
There are also cases like where Google's U2F library doesn't work with Firefox's U2F implementation because Firefox's window.u2f is immutable, as a newer (IIRC draft) spec dictates, whereas it isn't in Chrome, and the library does `var u2f=u2f||{}` which errors in Firefox.
Works in Nightly but the video quality is beyond garbage. 1080p webcam should not look like 320p. Chrome properly sees my camera resolution and uses it.
Ok now I have to do some embarrassing backtracking. In a clean profile I don't get the problem. Sorry for publicly whining about your product, which apparently works fine.
I'm not sure what I've done to make it not work here, but this profile dates from a long time ago so maybe it's just cruft or an extension behaving oddly. I'll switch to using a clean profile. Sorry again and thanks for your attention.
If you still have the profile where it doesn't work, and are willing to do some detective work to figure out what it is that doesn't make it work (e.g. extensions or prefs.js or something else), that would be awesome. You're hardly the only Firefox user with a somewhat old profile, and it's possible that there's something specific going wrong that we should be handling better on our end...
> This is because the Mozilla Foundation refused to accept the Tor Project's commits to enhance privacy in the browser.
Actually, I'm pretty sure this is untrue. I'm reasonably certain we're actively working with the Tor Browser developers to get their patches merged into core (but preffed off) so that they don't have to maintain a stack of patches on top of Firefox.
It seems like the HN submission form truncated the # from the end of the URL I linked to, which linked to the relevant comment. I'll try that here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c82
and
https://bugzilla.mozilla.org/show_bug.cgi?id=1441918#c91