Securing Firefox: How to avoid hacker attacks on Mozilla's browser

Summary: The following configuration changes, recommended by CERT/CC, can disable various features and set up Firefox to run in a secure state, limiting the damage from malware attacks.

Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as a perfect alternative for Web surfers.

However, Firefox users should be aware that hackers can exploit software flaws and design features to launch drive-by attacks.

The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks.

Click here to see our extended gallery with tips/tricks to configure Firefox to run securely.

For more on browser security, see this CERT/CC document.

ALSO SEE:

* How to run Internet Explorer securely.

* How to run Apple Safari browser securely.

[UPDATE: July 10, 2007 @ 9:25 AM] As a few readers have pointed out, these CERT/CC recommendations came from an older version of Firefox. On newer versions, the display screens will vary slightly but the advice/recommendations still apply. I was aware of this and spoke to Will Dorman of CERT/CC before this posting. He is updating the document to reflect the latest browser versions but, as noted before, these tips still apply, even on fully updated browsers.


Talkback

23 comments
  • Apparently it's by dropping the "H" from "HTTP"?

    At least that's how the link off the ZDNet news page is mis-written. ;)
    ejhonda
  • How to secure Firefox, IE and Safari to avoid hacker attacks...

    Download [url=http://www.opera.com]Opera 9.2[/url] and install it instead of [insert whatever offending browser here].
    Scrat
  • Perfect Alternative? Not on this planet (nt)

    .
    No_Ax_to_Grind
    • Only the gullible fell for the "It's more secure" line.

      The rest of us knew better.
      ye
      • Well...

        You're gullible, or happy with the history of IE or what?
        zkiwi
        • Yep

          Happy with IE - works fine looks good.

          We don't need another picture frame
          tonymcs@...
          • Hmmm....

            So, the history of IE is what you are happy with, or did you choose not to actually read the comment?
            zkiwi
        • Never had a problem with IE.

          Thanks for asking.
          ye
          • Same here

            Never had a problem with security on IE but then I patched regularly too same as I do with FireFox.

            I started using FireFox because it was better than IE 6. Now I find IE 7 and FireFox to be the same but I like FireFox better mostly because I've used it longer I think.
            voska
      • Gullible or just understand English?

        Most people know that better and perfect do not mean the same thing. Something apparently lost on certain apologists for certain operating systems.
        frgough
        • Yes, gullible. OSS browsers were sold to the gullible as...

          ...more secure. Nowhere did I say they were sold as perfect. That's your strawman.

          As for being an apologist well:

          ye@:~$ uname -a
          Linux 2.6.16.29.xs3.1.0.289.2650 #2 SMP Wed Dec 6 13:26:08 UTC 2006 i686 GNU/Linux
          ye@:~$ date
          Tue Jul 10 14:06:42 UTC 2007

          You're zero for two.
          ye
  • This chart looks out of date, what about NoScript?

    - Several areas look different, so I wonder how up-to-date this set of advice images is?

    - No mention is made of NoScript (http://noscript.net), which is a very helpful add-on for Firefox. It monitors to block cross-site scripting, and in fact will allow scripting (javascript, java, pdf, flash etc.) at all only on sites you approve, by adding them to a whitelist.

    With this plugin in mind, the advice images look a little blunt-edged. Do you agree?

    Kind regards,
    narr vi
    Narr vi
    • Version?

      What was the version of FF when those pictures were taken? I agree, they look different.
      jhhicks@...
      • Found the same thing (NT)

        .
        voska
  • Alternatives

    Windows Folks who may be wondering if there are any 'alternatives' to the suggestions made by CERT.

    At absolutely no cost other than the time you've invested, you can install a [url=http://www.vmware.com/vmtn/appliances/directory/browserapp.html]VMware Browser Appliance[/url]

    Linux Users (who aren't running SELinux) can also avail themselves to installing [url=http://www.novell.com/linux/security/apparmor/overview.html]AppArmor[/url] (free and open sourced by Novell) which puts a sandbox around any application, e.g., your browser session.

    Thanks Ryan for your very important advisory.
    D T Schmitz
  • Alternatives, Take 2

    Windows Folks who may be wondering if there are any 'alternatives' to the suggestions made by CERT.

    At absolutely no cost other than the time you've invested, you can install a [url=http://www.vmware.com/vmtn/appliances/directory/browserapp.html]VMware Browser Appliance[/url]

    Linux Users (who aren't running SELinux) can also avail themselves to installing [url=http://www.novell.com/linux/security/apparmor/overview.html]AppArmor[/url] (free and open sourced by Novell) which puts a sandbox around any application, e.g., your browser session.

    Thanks Ryan for your very important advisory.
    D T Schmitz
  • Did anyone read the recommendations?

    If anyone actually followed the recommendations, I think they would be able to visit a grand total of 2 or 3 websites in the whole world. Otherwise every other site they visited wouldn't work in the browser using those settings. What an absolute laugh! While the browsing might be "secure" those types of websites don't exist anymore in today's world. They should browse the web a bit more...

    That being said, I don't have those options set on Firefox and my browsing experience has been 100% secure ever since I started using it. No exploits of any kind have gotten thru the browser on my end yet.
    kokuryu
  • Too Funny

    Did you all not read the article or look at the screenshots? This is from an ancient version of Firefox...like a year old or so! Too funny.
    ccrashh2@...
  • CERT/CC

    Apparently, the screenshots and discussions in this so-called "security" recommendation are from an article written/published in Jan 2006! That's right. Not 2007...2006! Given the quick update and patch process of Mozilla, this is so old as to be irrelevant. Man, Narine is supposed to be some guru, and the editors of ZDNet more on the ball than this. This is really poor "journalism".
    ccrashh2@...
    • CERT/CC

      Thanks much for the note. Yes, I was aware of this and spoke to Will Dorman of CERT/CC before posting this. Although the screens were taken from an older Firefox version, the advice/recommendations still apply, even on newer browsers.

      _r
      Ryan Naraine