Topic: Open Source

Securing Firefox: How to avoid hacker attacks on Mozilla's browser

Summary: Here are several configuration settings you can make to reduce the attack surface on Mozilla's open-source Firefox browser.

By Ryan Naraine | July 9, 2007 -- 14:15 GMT (07:15 PDT)

Follow @ryanaraine

Previous | Next Image 1 of 11

Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers.

However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.

The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks.

To get started, select Tools, then Options.

IMPORTANT NOTE: The images from these CERT/CC recommendations came from an older version of Firefox. On newer versions, the display screens will vary slightly but the advice/recommendations still apply.

Topics: Open Source, Browser, Hardware, Legal, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

93 comments

Log in or register to join the discussion

Internet Explorer and Specific JavaScript Features

Well, I guess Internet Explorer 7 doesn't have the ability to disable JavaScript features, like the resizing of windows, preventing context menu from opening (which I don't like it), disabling shortcut keys, etc.

It's not just a matter of switching to Firefox (which is not my preference) but I'm hoping Microsoft would implement the checkboxes to disable certain JavaScript features...

Grayson Peddie
9 July, 2007 13:00

Reply Vote
NoScript!

The most important security add-on to firefox if you want to lock down the browser is NoScript. Not only does it have built-in XSS protection, but it will also sanitize Flash, Java, /and/ Javascript on a per-domain basis. That's much more secure than trying to live without javascript on all sites (which will just drive you to enable it dozens of times a day to use sites that require it).

http://noscript.net/

jwiens
9 July, 2007 13:03

Reply Vote
- NoScript!
  
  I've my enterprise PCs secured, in part, with NoScript, as well as having trained my family and friends on using it.
  
  gmunk.internet@...
  9 July, 2007 18:31
  
  Reply Vote
- NoScript!
  
  If you install only one add-on it *HAS* to be NoScript!
  
  Magic, there's no other word for it.
  
  Jacdeb6009@...
  10 July, 2007 06:08
  
  Reply Vote
- Yes, NoScript is required equipment
  
  I consider NoSCript a REQUIREMENT, not an optional add on. Install it, learn it real quick, and use it. Do not just allow everything, be selective.
  
  JoesCat
  10 July, 2007 08:30
  
  Reply Vote
What version are these screen shots from?

They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?

ejhonda
9 July, 2007 13:05

Reply Vote
- Ha ha
 
 They must be so embarrassed
 
 PhilM
 10 July, 2007 05:43
 
 Reply Vote
- ???
 
 Read the blog, try to understand it, then post. It was prominent in the blog that the screen shots were from an EARLIER version.
 
 And so much for the "ha, ha". Only embarrassment is yours-they were plain enuff.
 
 DirtyDingus
 10 July, 2007 14:32
 
 Reply Vote
 - Read it - it's still puzzling
 
 Why would someone put up a how-to on an outdated version? I look forward to ZD's series on how to secure Windows 95.
 
 ejhonda
 3 January, 2008 08:52
 
 Reply Vote
- RE: What version are these screen shots from?
 
 "They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?" 
 
 The latest version I believe is 2.0.0.11 (its even mentioned in the article)
 
 devlin_X
 4 January, 2008 05:19
 
 Reply Vote
 - screen shots
 
 the screen shots do are not from 2,0,0,11 which I have
 
 clancymcq@...
 4 January, 2008 09:59
 
 Reply Vote
 - You read but didn't comprehend
 
 Again I repeat the quote with the key part highlighted: "They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?" I wasn't refering to the screen shots but what they said the latest version was. The poster said the latest version was 2.0.0.4 when the current one is 2.0.0.11... Though now I'd like to correct myself since after I posted I noticed the date the comment I was posting in response too was older than I realized and it's possible 2.0.0.4 could have been the current version at time of posting.
 
 devlin_X
 5 January, 2008 04:19
 
 Reply Vote
The option to

enable cookies for the original site only is unfortunately no longer available in the latest [b]FF[/b] 2.0.0.4 toolbar, which I run on both [b]Windows XP[/b] and [b]Ubuntu 7.04[/b] (I haven't checked [b]Gran Paradiso 3.0a6[/b], which I'm using in a [b]Vista[/b] partion). [b]NoScript[/b], which I run on all three partitions is a wonderful tool, which allows one to choose which sites are permitted to run script. The problem is that very few sites run a single script - when reading this particular article, for example, I am asked not only to determine whether I should allow script from [b]zdnet.com[/b] (which I of course do - surely those lovely people at [b]ZDNet[/b] would [u]never[/u] do anything to harm me !), but also to do the same thing for [b]i.com.com[/b] and [b]pointroll.com[/b], about which I know very little. Googling takes me to [b]pointroll.com[/b]'s website, which offers me ?rich media solutions?, but when I attempt to connect to [b]i.com.com[/b], I am informed that [b]Firefox[/b] is unable to find the server. Some sites, like those for major newspapers, will be coupled to upwards of ten of these subsidiary sites, most of which presumably count the number of visitors, and all of which clamor for attention in [b]NoScript[/b]. Under these circumstances, your average user is probably going to click to permit all of them simply to get rid of that annoying [b]NoScript[/b] yellow warning bar at the bottom of the active window, thus greatly reducing the tool's usefulness as a security device. Websites badly need cleaning up, so that users aren't confronted with a plethora of URLs, all requesting access to their computers....

Henri

mhenriday
9 July, 2007 13:48

Reply Vote
- Why not set NoScript to not warn you?
 
 NoScript marks any site that you don't allow as untrusted. I just allow the main ZDNet site. Who needs the other stuff, I'm reading the blogs, not the ad's or the counters or the flash or the Java. 
 I also use flash block and Adblock with good results.
 
 k12IT
 9 July, 2007 14:44
 
 Reply Vote
 - An interesting alternative,
 
 but imagine the situation from the point of view of the novice. Perhaps he or she wants to be able to make use of a link to view another article or see a screenshot slide-show, and doesn't know what to block and what not to block in [b]NoScript[/b]. To mind, the owner of the main site - in this case, [b]ZDNet[/b] - bears a certain responsibility to its readers to inform them which sites coupled to his/her/its own are essential for making use of links provided on the site and which are not, and to guarantee that the ones that are are not infected. (I understand perfectly well that in these situations, no guarantee can be 100 % - even the best of sites can become infected - but in the business world there exists a concept known as ?due diligence? which I find applicable here.) I think a discussion of the responsibility of website owners to readers in this regard is long overdue, and that [b]Ryan[/b]'s blog would be a not inappropriate venue for it. What does [b]Ryan[/b] himself have to say on this matter ?...
 
 Henri
 
 mhenriday
 10 July, 2007 08:23
 
 Reply Vote
 - I've run into that situation often, but...
 
 I somehow manage to get through it. Things like double-click and the like, I blacklist, and for the uncertain stuff that may or may not be blocking my viewing, I temporarily allow them one by one till the site works for me. If I don't trust that site, I just go away.
 
 Even then, NoScript is better than no NoScript.
 
 D. W. Bierbaum
 28 August, 2007 08:28
 
 Reply Vote
- i.com.com...
 
 I've got to wonder who bought that domain...? :p
 
 Grayson Peddie
 9 July, 2007 15:04
 
 Reply Vote
 - Whois Info for i.com.com
 
 Here is the domain and whois information for i.com.com
 --------
 
 [b]DNS Lookup For I.com.com[b/]
 
 ;; Answer received from 216.145.1.3 (82 bytes)
 ;;
 ;; HEADER SECTION
 ;; id = 10362
 ;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 1
 ;; ra = 1 ad = 0 cd = 0 rcode = NOERROR
 ;; qdcount = 1 ancount = 0 nscount = 1 arcount = 0
 
 ;; QUESTION SECTION (1 record)
 ;; i.com.com. IN A
 
 ;; ANSWER SECTION (0 records)
 
 ;; AUTHORITY SECTION (1 record)
 com.com. 300 IN SOA ns.cnet.com. hostmaster.cnet.com. (
 2007070600 ; Serial
 600 ; Refresh
 300 ; Retry
 1209600 ; Expire
 300 ) ; Minimum TTL
 ;; ADDITIONAL SECTION (0 records)
 
 [b]IP Information for 216.145.1.3[b/]
 IP Location: United States United States Seattle Compass Communications Inc
 Revolve Host: 3.1.145.216.in-addr.arpa. 76400 IN PTR ns2.ccom.net.
 IP Address: 216.145.1.3 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
 Blacklist Status: Clear
 
 [b]Whois Record[/b]
 
 OrgName: Compass Communications, Inc.
 OrgID: CPCM
 Address: 2001 6th Avenue
 Address: Suite 3205
 City: Seattle
 StateProv: WA
 PostalCode: 98121
 Country: US
 
 ReferralServer: rwhois://rwhoisd.ccom.net:4321
 
 NetRange: 216.145.0.0 - 216.145.31.255
 CIDR: 216.145.0.0/19
 NetName: NETBLK-CCOM-1998
 NetHandle: NET-216-145-0-0-1
 Parent: NET-216-0-0-0-0
 NetType: Direct Allocation
 NameServer: NS1.CCOM.NET
 NameServer: NS2.CCOM.NET
 Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 RegDate: 1998-12-10
 Updated: 2002-08-07
 
 RTechHandle: IC122-ARIN
 RTechName: COMPASS COMMUNICATIONS, INC.
 RTechPhone: +1-206-777-9988
 RTechEmail: Whois Privacy and Spam Prevention by DomainTools.com
 
 OrgTechHandle: IC122-ARIN
 OrgTechName: COMPASS COMMUNICATIONS, INC.
 OrgTechPhone: +1-206-777-9988
 OrgTechEmail: Whois Privacy and Spam Prevention by DomainTools.com
 
 rwalker1x
 10 July, 2007 07:30
 
 Reply Vote
- Amen, brother
 
 .
 
 sackbut
 10 July, 2007 06:39
 
 Reply Vote
- It's the ads
 
 Most of the secondary scripts are ads, and many of them run scripts that put tracking cookies on your computer. By leaving then blocked, you avoid loading many ads, and you get a lot fewer tracking cookies (which is much more effective than the former pref to allow cookies "from the originating site only" - that was removed because it wasn't really effective and gave users a false sense of security).
 
 Greenknight_z
 11 July, 2007 00:26
 
 Reply Vote