ush.it - a beautiful place

Clientside security: Hardening Mozilla Firefox

July 25, 2007 at 9:55 pm

I'm sure you have already heard of the many external protocol handling vulnerabilities that hit Firefox lately. Normally on this site you read about "in-security"; this article is a little exception, since it contains some tips that anybody can adopt to harden their preferred http/https client, also known as Mozilla Firefox, through the about:config interface.

First of all, open about:config by typing it in the URL bar, then follow the instructions below carefully. A backup of your profile is strongly encouraged.

Each preference is given in the form "preference key TAB value to set TAB whether the value is the default, plus any warnings". Let's start.

network.protocol-handler.external-default	false	not default

This is the most important setting: on its own it blocks the majority of the public vulnerabilities that abuse external handlers/protocols. Naturally you want to go deeper, so continue with the following.

network.protocol-handler.external.afp		false
network.protocol-handler.external.data		false
network.protocol-handler.external.disk		false
network.protocol-handler.external.disks		false
network.protocol-handler.external.hcp		false
network.protocol-handler.external.javascript	false
network.protocol-handler.external.mailto	false	not default
network.protocol-handler.external.ms-help	false
network.protocol-handler.external.news		false	not default
network.protocol-handler.external.nntp		false	not default
network.protocol-handler.external.shell		false
network.protocol-handler.external.snews		false	not default
network.protocol-handler.external.vbscript	false
network.protocol-handler.external.vnd.ms.radio	false

The above disables the external protocol handlers, mailto included (copying an address and pasting it into your mail client naturally still works).

Warn if an external protocol handler is called (this should never happen if you follow this howto literally).

network.protocol-handler.warn-external-default	true
network.protocol-handler.warn-external.file	true	not default
network.protocol-handler.warn-external.mailto	true	not default
network.protocol-handler.warn-external.news	true	not default
network.protocol-handler.warn-external.nntp	true	not default
network.protocol-handler.warn-external.snews	true	not default

Use the internal editor for source viewing.

view_source.editor.external			false

Stop exposing (i.e. disable) ALL protocol handlers.

network.protocol-handler.expose-all		false	not default (WW)

Pay attention: after this change links will no longer work, but I guess that you still want to click on http/https and ftp links. Logan on #firefox (irc.mozilla.org) was kind enough to point me to a bugzilla entry (https://bugzilla.mozilla.org/show_bug.cgi?id=317023) that solves the latter problem by defining a whitelist of exposed protocols.

As described in the 317023 entry, add these three keys (and a key for any other protocol that you want to keep operative).

network.protocol-handler.expose.http		true	not default
network.protocol-handler.expose.https		true	not default
network.protocol-handler.expose.ftp		true	not default
network.protocol-handler.expose.javascript	true	not default

Disable existing protocol handlers.

network.protocol-handler.expose.mailto		false
network.protocol-handler.expose.news		false
network.protocol-handler.expose.nntp		false
network.protocol-handler.expose.snews		false

Privacy settings.

privacy.item.cache				true
privacy.item.cookies				true	not default
privacy.item.downloads				true
privacy.item.formdata				true
privacy.item.history				true
privacy.item.passwords				true	not default (!!)
privacy.item.sessions				true
privacy.item.siteprefs				true	not default (!!)
privacy.sanitize.promptOnSanitize		false	not default
privacy.sanitize.sanitizeOnShutdown		true	not default
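Firefox persists about:config changes as user_pref("key", value); lines in the profile's prefs.js (and reads user.js in the same syntax), so the hardening above can be audited instead of re-checked by hand. The script below is an added example, not part of the original article: it parses such a file, compares it with a baseline built from the keys above (a representative subset, with the article's "not default" marker recorded per key so that an absent key only counts as a finding when the hardened value differs from Firefox's default), and emits the user.js lines that close the gaps. The sample prefs.js content is constructed.

```python
import re

# Hardening baseline from the article (representative subset): key -> (hardened value, "not default" there).
BASELINE = {
    "network.protocol-handler.external-default": (False, True),
    "network.protocol-handler.external.mailto": (False, True),
    "network.protocol-handler.external.shell": (False, False),
    "network.protocol-handler.expose-all": (False, True),
    "network.protocol-handler.expose.http": (True, True),
    "network.protocol-handler.expose.https": (True, True),
    "network.protocol-handler.expose.javascript": (True, True),
}

# One line of Firefox's prefs.js / user.js:  user_pref("key", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);')

def parse_prefs(text):
    """Return {key: value} for every user_pref() line, typed as bool, int or str."""
    prefs = {}
    for m in filter(None, map(PREF_RE.match, text.splitlines())):  # skips comments/blanks
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = raw[1:-1] if raw.startswith('"') else int(raw)
    return prefs

def audit(prefs, baseline=BASELINE):
    """Keys set to the wrong value, plus absent keys whose hardened value is not the
    Firefox default (absent means default, so that hardening is not applied)."""
    missing, wrong = [], {}
    for key, (want, must_be_set) in baseline.items():
        if key in prefs:
            if prefs[key] != want:
                wrong[key] = prefs[key]
        elif must_be_set:
            missing.append(key)
    return {"missing": sorted(missing), "wrong": wrong}

def fix_lines(report, baseline=BASELINE):
    """user.js lines that set every missing or wrong key to its hardened value."""
    keys = report["missing"] + sorted(report["wrong"])
    return ['user_pref("%s", %s);' % (k, str(baseline[k][0]).lower()) for k in keys]

# Constructed sample prefs.js: one key already hardened, one wrong, the rest absent.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.expose-all", true);
"""
```

Appending the emitted lines to the profile's user.js and restarting Firefox applies them; a second audit of the resulting prefs.js should then report nothing.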

References:

http://kb.mozillazine.org/About:config_entries
http://kb.mozillazine.org/Network.protocol-handler.expose-all
https://bugzilla.mozilla.org/show_bug.cgi?id=389106
https://bugzilla.mozilla.org/show_bug.cgi?id=317023
http://en.wikipedia.org/wiki/URI_scheme

Updates:

05-Aug-2007: Updated the article with the tip from Gurmeet Kochar to make the javascript handler work again (add the network.protocol-handler.expose.javascript key with boolean value true).
