9

I noticed that Firefox, unlike Chrome and Internet Explorer, doesn't run in the Low Mandatory Level (aka Protected Mode, Low Integrity).

Google Chrome:

[screenshot]

Microsoft Internet Explorer:

[screenshot]

Mozilla Firefox:

[screenshot]

Following Microsoft's instructions, I can manually force Firefox into Low Integrity Mode by using:

icacls firefox.exe /setintegritylevel Low 

However Firefox doesn't react well to not running with enough rights:

[screenshot]

I like the security of knowing that my browser is running with fewer rights than I have. Is there a way to run Firefox in low rights mode? Is Mozilla planning on adding "protected mode" sometime? Has someone found a workaround to Firefox not handling low rights mode?


Update

From a July 2007 interview with Mike Schroepfer, VP of Engineering at the Mozilla Foundation:

...we also believe in defense in depth and are investigating protected mode along with many other techniques to improve security for future releases.

After three years it doesn't seem like it is a priority.

Update

  • 9/28/2013
  • 5 years later
  • Firefox 24.0
  • still doesn't support protected mode
Ian Boyd
  • 23,066

4 Answers

4

Unfortunately there is currently no way of running Firefox in Protected Mode.

If you're not running 64-bit Windows, you can get something somewhat similar using Sandboxie.

Dan Walker
  • 9,397
1

You can run Firefox in low integrity mode using the following commands:

icacls "C:\Program Files\Mozilla Firefox\Firefox.exe" /setintegritylevel low
icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel(oi)(ci) low /t

icacls "C:\Users\*username*\AppData\Local\Temp" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\*username*\AppData\Local\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\*username*\AppData\Roaming\Mozilla" /setintegritylevel(oi)(ci) low /t
icacls "C:\Users\*username*\Downloads" /setintegritylevel(oi)(ci) low /t

Note that you'll need to run the second batch for each user on your system, customising username, otherwise they'll get a "Firefox is already running" message box.

However this setup does cause the following quirks:

  1. Profile manager may not behave correctly.
  2. You'll get a security warning every time you start Firefox.
  3. Downloads can only be placed in low integrity directories (hence Downloads is marked as low integrity above).
  4. Opening downloads directly from Firefox will generally fail.
0

Ian, you do not understand how protected mode works. Simon Capewell's solution is a valid way to increase the security of Firefox. Your example, asserting that his solution somehow disables the entirety of the protection of low integrity level is completely false. Chrome and IE use the same methods, as downloads are written to the download folder even under protected mode IE. Otherwise, you would be unable to download anything. Although IE may use a wrapper of sorts, thus isolating the main process from those that process untrusted data for added security as Chrome does, this is moot as in the above described methods, all components of Firefox are isolated from tampering with the system. Whereas, in Chrome, the main process runs at Medium integrity and the rendering processes at Low integrity.

Configuring Firefox in this way protects Windows and Program Files from modification, thus isolating Firefox from the rest of your machine. Firefox is prevented from dropping malware into your Startup folder, for example, or adding a registry entry which automatically starts malware dropped into your downloads folder (which Firefox is allowed to write to) at startup. Additionally, running Firefox as low integrity level protects against Firefox attempting to bypass the ACLs enforced upon it by methods such as creating a thread in a remote process in order to run code in the security context of that process. Firefox is still allowed to drop files into Temporary Folders, and potentially executables, as are Chrome and IE. Thus, integrity levels must be combined with SRP or AppLocker, in order to prevent the execution of any executables dropped into the directories which Firefox is allowed to write to. This requirement is also present with IE and Chrome.

Once done, Firefox will be hardened against drive-by downloads and be protected more so than IE, as Protected Mode IE does not, when not combined with SRP or AppLocker, provide sufficient protection. In no way is allowing Firefox to write to its own directory and temporary folders any different from what Protected Mode Chrome and Protected Mode IE are allowed to do.

The only pitfall from this solution: I have a bad habit of leaving executables inside my Downloads folder, which I later run. These executables could potentially be tampered with if Firefox is exploited after they are downloaded. Thus, after downloading a file, move it out of the Downloads folder. There is also a very small risk of a vulnerability in Firefox being exploited in order to modify a temporary file in the allowed temporary folder which then exploits a vulnerability in a higher integrity level process when it uses that temporary file. However, this will never happen and is only a theoretical vulnerability.

Further reading/Sources:

Windows 7 SRP (works on Home Premium, although you do not have AppLocker):

http://www.wilderssecurity.com/showthread.php?t=262686

Integrity Levels:

http://www.symantec.com/connect/articles/introduction-windows-integrity-control

Protected Mode IE:

http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Basic Information about "Drive-by Downloads":

http://www.wilderssecurity.com/showthread.php?t=241732

Details of Chrome on Windows Sandboxing (it's more than just integrity levels):

http://www.chromium.org/developers/design-documents/sandbox

Gareth
  • 19,080
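
An added example (not part of either answer above, and not Mozilla or Microsoft tooling): a PowerShell audit of the directories relabelled by the icacls commands, listing executable-type files that themselves carry a Low mandatory label, which is the Downloads-folder pitfall described above. It assumes default profile locations and English-language icacls output; the function names and the extension list are illustrative.

```powershell
# Added example: audit the directories relabelled by the icacls commands above.
# Assumptions: default profile locations, English-language icacls output,
# and an illustrative (not exhaustive) list of executable-type extensions.
$dirs = @(
    "$env:LOCALAPPDATA\Temp",
    "$env:LOCALAPPDATA\Mozilla",
    "$env:APPDATA\Mozilla",
    "$env:USERPROFILE\Downloads"
)
$risky = '.exe', '.dll', '.msi', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'

function Test-LowLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls shows the integrity ACE as "Mandatory Label\Low Mandatory Level:(...)".
    # An object with no label line is treated by Windows as Medium.
    $out = & icacls.exe $Path 2>$null
    return [bool]($out -match 'Mandatory Label\\Low Mandatory Level')
}

function Get-LowLabelExecutable {
    param([Parameter(Mandatory)][string]$Directory)
    # Check each file's own label: a file moved in from elsewhere on the same
    # volume keeps its old label, so the directory label alone is not enough.
    Get-ChildItem -LiteralPath $Directory -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $risky -contains $_.Extension.ToLower() } |
        Where-Object { Test-LowLabel $_.FullName }
}

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Output "MISSING  $dir"; continue }
    if (-not (Test-LowLabel $dir))          { Write-Output "NOT LOW  $dir"; continue }
    Write-Output "LOW      $dir"
    foreach ($f in Get-LowLabelExecutable $dir) {
        # The integrity check does not stop low-integrity code from rewriting these.
        Write-Output ("  review: {0} (last written {1:u})" -f $f.FullName, $f.LastWriteTime)
    }
}
```

Files reported under "review" are candidates to move out of the low-integrity directory or to block from executing there with SRP or AppLocker.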
-1

SRP is not necessary, as processes executed by a low integrity level process inherit low integrity level themselves. However, it is another layer of protection, and thus still a good idea!