Securing Firefox: How to avoid hacker attacks on Mozilla's browser

Securing Firefox: How to avoid hacker attacks on Mozilla's browser

Summary: Here are several configuration settings you can make to reduce the attack surface on Mozilla's open-source Firefox browser.


 |  Image 1 of 11

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Thumbnail 7
  • Thumbnail 8
  • Thumbnail 9
  • Thumbnail 10
  • Thumbnail 11
  • Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers.

    However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.

    The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks.

    To get started, select Tools, then Options.

    IMPORTANT NOTE: The images from these CERT/CC recommendations came from an older version of Firefox. On newer versions, the display screens will vary slightly but the advice/recommendations still apply.

  • In the General tab, you can manually set your home page and check to ensure Firefox is your default browser.

Topics: Open Source, Browser, Hardware, Legal, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Internet Explorer and Specific JavaScript Features

    Well, I guess Internet Explorer 7 doesn't have the ability to disable JavaScript features, like the resizing of windows, preventing context menu from opening (which I don't like it), disabling shortcut keys, etc.

    It's not just a matter of switching to Firefox (which is not my preference) but I'm hoping Microsoft would implement the checkboxes to disable certain JavaScript features...
    Grayson Peddie
  • NoScript!

    The most important security add-on to firefox if you want to lock down the browser is NoScript. Not only does it have built-in XSS protection, but it will also sanitize Flash, Java, /and/ Javascript on a per-domain basis. That's much more secure than trying to live without javascript on all sites (which will just drive you to enable it dozens of times a day to use sites that require it).
    • NoScript!

      I've my enterprise PCs secured, in part, with NoScript, as well as having trained my family and friends on using it.
    • NoScript!

      If you install only one add-on it *HAS* to be NoScript!

      Magic, there's no other word for it.
    • Yes, NoScript is required equipment

      I consider NoSCript a REQUIREMENT, not an optional add on. Install it, learn it real quick, and use it. Do not just allow everything, be selective.
  • What version are these screen shots from?

    They don't appear to be from the latest version ( V 1.5 maybe?
    • Ha ha

      They must be so embarrassed
    • ???

      Read the blog, try to understand it, then post. It was prominent in the blog that the screen shots were from an EARLIER version.

      And so much for the "ha, ha". Only embarrassment is yours-they were plain enuff.
      • Read it - it's still puzzling

        Why would someone put up a how-to on an outdated version? I look forward to ZD's series on how to secure Windows 95.
    • RE: What version are these screen shots from?

      "<i>They don't appear to be from the latest version ( V 1.5 maybe?</i>"<br><br>

      The latest version I believe is (its even mentioned in the article)
      • screen shots

        the screen shots do are not from 2,0,0,11 which I have
        • You read but didn't comprehend

          Again I repeat the quote with the key part highlighted:<br>"They don't appear to be from <b>the latest version</b> ( V 1.5 maybe?"<br><br>I wasn't refering to the screen shots but what they said the latest version was. The poster said the latest version was when the current one is<br><br>Though now I'd like to correct myself since after I posted I noticed the date the comment I was posting in response too was older than I realized and it's possible could have been the current version at time of posting.
  • The option to

    enable cookies for the original site only is unfortunately no longer available in the latest [b]FF[/b] toolbar, which I run on both [b]Windows XP[/b] and [b]Ubuntu 7.04[/b] (I haven't checked [b]Gran Paradiso 3.0a6[/b], which I'm using in a [b]Vista[/b] partion). [b]NoScript[/b], which I run on all three partitions is a wonderful tool, which allows one to choose which sites are permitted to run script. The problem is that very few sites run a single script - when reading this particular article, for example, I am asked not only to determine whether I should allow script from [b][/b] (which I of course do - surely those lovely people at [b]ZDNet[/b] would [u]never[/u] do anything to harm me !), but also to do the same thing for [b][/b] and [b][/b], about which I know very little. Googling takes me to [b][/b]'s website, which offers me ?rich media solutions?, but when I attempt to connect to [b][/b], I am informed that [b]Firefox[/b] is unable to find the server. Some sites, like those for major newspapers, will be coupled to upwards of ten of these subsidiary sites, most of which presumably count the number of visitors, and all of which clamor for attention in [b]NoScript[/b]. Under these circumstances, your average user is probably going to click to permit all of them simply to get rid of that annoying [b]NoScript[/b] yellow warning bar at the bottom of the active window, thus greatly reducing the tool's usefulness as a security device. Websites badly need cleaning up, so that users aren't confronted with a plethora of URLs, all requesting access to their computers....

    • Why not set NoScript to not warn you?

      NoScript marks any site that you don't allow as untrusted. I just allow the main ZDNet site. Who needs the other stuff, I'm reading the blogs, not the ad's or the counters or the flash or the Java. <br><br>
      I also use flash block and Adblock with good results.
      • An interesting alternative,

        but imagine the situation from the point of view of the novice. Perhaps he or she wants to be able to make use of a link to view another article or see a screenshot slide-show, and doesn't know what to block and what not to block in [b]NoScript[/b]. To mind, the owner of the main site - in this case, [b]ZDNet[/b] - bears a certain responsibility to its readers to inform them which sites coupled to his/her/its own are essential for making use of links provided on the site and which are not, and to guarantee that the ones that are are not infected. (I understand perfectly well that in these situations, no guarantee can be 100 % - even the best of sites can become infected - but in the business world there exists a concept known as ?due diligence? which I find applicable here.) I think a discussion of the responsibility of website owners to readers in this regard is long overdue, and that [b]Ryan[/b]'s blog would be a not inappropriate venue for it. What does [b]Ryan[/b] himself have to say on this matter ?...

        • I've run into that situation often, but...

          I somehow manage to get through it. Things like double-click and the like, I blacklist, and for the uncertain stuff that may or may not be blocking my viewing, I temporarily allow them one by one till the site works for me. If I don't trust that site, I just go away.

          Even then, NoScript is better than no NoScript.
          D. W. Bierbaum

      I've got to wonder who bought that domain...? :p
      Grayson Peddie
      • Whois Info for

        Here is the domain and whois information for

        [b]DNS Lookup For[b/]

        ;; Answer received from (82 bytes)
        ;; id = 10362
        ;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 1
        ;; ra = 1 ad = 0 cd = 0 rcode = NOERROR
        ;; qdcount = 1 ancount = 0 nscount = 1 arcount = 0

        ;; QUESTION SECTION (1 record)
        ;; IN A

        ;; ANSWER SECTION (0 records)

        ;; AUTHORITY SECTION (1 record) 300 IN SOA (
        2007070600 ; Serial
        600 ; Refresh
        300 ; Retry
        1209600 ; Expire
        300 ) ; Minimum TTL
        ;; ADDITIONAL SECTION (0 records)

        [b]IP Information for[b/]
        IP Location: United States United States Seattle Compass Communications Inc
        Revolve Host: 76400 IN PTR
        IP Address: [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
        Blacklist Status: Clear

        [b]Whois Record[/b]

        OrgName: Compass Communications, Inc.
        OrgID: CPCM
        Address: 2001 6th Avenue
        Address: Suite 3205
        City: Seattle
        StateProv: WA
        PostalCode: 98121
        Country: US

        ReferralServer: rwhois://

        NetRange: -
        NetName: NETBLK-CCOM-1998
        NetHandle: NET-216-145-0-0-1
        Parent: NET-216-0-0-0-0
        NetType: Direct Allocation
        NameServer: NS1.CCOM.NET
        NameServer: NS2.CCOM.NET
        RegDate: 1998-12-10
        Updated: 2002-08-07

        RTechHandle: IC122-ARIN
        RTechPhone: +1-206-777-9988
        RTechEmail: Whois Privacy and Spam Prevention by

        OrgTechHandle: IC122-ARIN
        OrgTechPhone: +1-206-777-9988
        OrgTechEmail: Whois Privacy and Spam Prevention by
    • Amen, brother

    • It's the ads

      Most of the secondary scripts are ads, and many of them run scripts that put tracking cookies on your computer. By leaving then blocked, you avoid loading many ads, and you get a lot fewer tracking cookies (which is much more effective than the former pref to allow cookies "from the originating site only" - that was removed because it wasn't really effective and gave users a false sense of security).