How to run Firefox in Protected Mode? (i.e. at low integrity level)

9

3

I noticed that Firefox, unlike Chrome and Internet Explorer, doesn't run in the Low Mandatory Level (aka Protected Mode, Low Integrity).

Google Chrome: [screenshot]

Microsoft Internet Explorer: [screenshot]

Mozilla Firefox: [screenshot]

Following Microsoft's instructions, I can manually force Firefox into Low Integrity Mode by using:

icacls firefox.exe /setintegritylevel Low

However Firefox doesn't react well to not running with enough rights:

[screenshot]

I like the security of knowing that my browser is running with less rights than I have. Is there a way to run Firefox in low rights mode? Is Mozilla planning on adding "protected mode" sometime? Has someone found a workaround to Firefox not handling low rights mode?


Update

From a July 2007 interview with Mike Schroepfer, VP of Engineering at the Mozilla Foundation:

...we also believe in defense in depth and are investigating protected mode along with many other techniques to improve security for future releases.

After three years it doesn't seem like it is a priority.

Update

  • 9/28/2013
  • 5 years later
  • Firefox 24.0
  • still doesn't support protected mode

Ian Boyd

Posted 2009-08-27T12:38:51.883

Reputation: 18 244

Jeez, why does IE get the "bad security" rap? – Mark Sowul – 2013-11-30T18:43:34.007

Answers

4

Unfortunately there is currently no way of running Firefox in Protected Mode.

If you're not running 64-bit Windows, you can get something somewhat similar using Sandboxie.

Dan Walker

Posted 2009-08-27T12:38:51.883

Reputation: 8 869

4

I just did a quick search through Mozilla's bugtracker and found nothing concerning integrity levels. This suggests that it is indeed as of now unplanned to support them. Given my previous experience with their bug tracking system and the developers, though, I think two options are plausible: (1) If I were to open a ticket asking for integrity level support, it'd get closed within half an hour as a duplicate of another ticket with a name no-one searching for it could guess, and (2) the very idea of supporting Windows-specific functionality would scare many developers there. – Joey – 2009-08-27T15:51:40.663

I never realized that Firefox exists on platforms besides Windows. It makes sense that there's a Mac and Linux version; I only ever saw a Windows download. – Ian Boyd – 2009-08-27T20:49:55.493

I think free and available VM appliances have stolen the thunder from sandboxing. – kmarsh – 2009-08-27T21:47:44.797

Oh, and btw, the answer "Can't do it" was marked as the answer, because "Can't do it" is a valid answer. – Ian Boyd – 2009-11-03T15:33:43.003

1

You can run Firefox in low integrity mode using the following commands:

icacls "C:\Program Files\Mozilla Firefox\Firefox.exe" /setintegritylevel Low
icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel (OI)(CI)Low /t

icacls "C:\Users\<username>\AppData\Local\Temp" /setintegritylevel (OI)(CI)Low /t
icacls "C:\Users\<username>\AppData\Local\Mozilla" /setintegritylevel (OI)(CI)Low /t
icacls "C:\Users\<username>\AppData\Roaming\Mozilla" /setintegritylevel (OI)(CI)Low /t
icacls "C:\Users\<username>\Downloads" /setintegritylevel (OI)(CI)Low /t

Note that you'll need to run the second batch for each user on your system, customising username, otherwise they'll get a "Firefox is already running" message box.

However this setup does cause the following quirks:

  1. Profile manager may not behave correctly.
  2. You'll get a security warning every time you start Firefox.
  3. Downloads can only be placed in low integrity directories (hence Downloads is marked as low integrity above).
  4. Opening downloads directly from Firefox will generally fail.

Simon Capewell

Posted 2009-08-27T12:38:51.883

Reputation: 19

It should be noted, to anyone coming along, that performing these steps will essentially defeat the purpose of "protected mode Firefox". By allowing Firefox to write to other locations (Temp, Mozilla, Downloads) you remove the purpose of having FF running at the Low mandatory integrity level. What's worse is that now all low privilege applications (i.e. IE, Chrome, my media player) can write to those locations. In other words: not only do you not gain anything here, you actually lose security. You're better off running FF as a standard user, and leaving the other folders alone. – Ian Boyd – 2010-05-15T17:45:34.270

But having said all that, I still give the article a +1, because it helps to illustrate how Low privilege applications can only write to specific locations. But once again: do not do what this answer says. It's an example of a bad solution, like changing the permissions on the Windows and Program Files folders to allow everyone full access, because one program wants to be able to write there.

You're making things worse. – Ian Boyd – 2010-05-15T17:47:20.927

0

Ian, you do not understand how protected mode works. Simon Capewell's solution is a valid way to increase the security of Firefox. Your example, asserting that his solution somehow disables the entirety of the protection of low integrity level, is completely false. Chrome and IE use the same methods, as downloads are written to the download folder even under protected mode IE. Otherwise, you would be unable to download anything. Although IE may use a wrapper of sorts, thus isolating the main process from those that process untrusted data for added security as Chrome does, this is moot, as in the above described methods all components of Firefox are isolated from tampering with the system. Whereas, in Chrome, the main process runs at Medium integrity and the rendering processes at Low integrity.

Configuring Firefox in this way protects Windows and Program Files from modification, thus isolating Firefox from the rest of your machine. Firefox is prevented from dropping malware into your Startup folder, for example, or adding a registry entry which automatically starts malware dropped into your downloads folder (which Firefox is allowed to write to) at startup. Additionally, running Firefox at low integrity level protects against Firefox attempting to bypass the ACLs enforced upon it by methods such as creating a thread in a remote process in order to run code in the security context of that process. Firefox is still allowed to drop files into Temporary Folders, and potentially executables, as are Chrome and IE. Thus, integrity levels must be combined with SRP or AppLocker, in order to prevent the execution of any executables dropped into the directories which Firefox is allowed to write to. This requirement is also present with IE and Chrome.

Once done, Firefox will be hardened against drive-by downloads and be protected more so than IE, as Protected Mode IE does not, when not combined with SRP or AppLocker, provide sufficient protection. In no way is allowing Firefox to write to its own directory and temporary folders any different from what Protected Mode Chrome and Protected Mode IE are allowed to do.

The only pitfall from this solution: I have a bad habit of leaving executables inside my Downloads folder, which I later run. These executables could potentially be tampered with if Firefox is exploited after they are downloaded. Thus, after downloading a file, move it out of the Downloads folder. There is also a very small risk of a vulnerability in Firefox being exploited in order to modify a temporary file in the allowed temporary folder which then exploits a vulnerability in a higher integrity level process when it uses that temporary file. However, this will never happen and is only a theoretical vulnerability.

Further reading/Sources:

Windows 7 SRP (works on Home Premium, although you do not have AppLocker):

http://www.wilderssecurity.com/showthread.php?t=262686

Integrity Levels:

http://www.symantec.com/connect/articles/introduction-windows-integrity-control

Protected Mode IE:

http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

Basic Information about "Drive-by Downloads":

http://www.wilderssecurity.com/showthread.php?t=241732

Details of Chrome on Windows Sandboxing (it's more than just integrity levels):

http://www.chromium.org/developers/design-documents/sandbox

user38017

Posted 2009-08-27T12:38:51.883

Reputation:

1

It doesn't matter the number of common locations you removed Low Integrity protection from. Adding certain locations to be no longer protected is defeating the purpose of protected mode. You made a judgement call in your own mind that writing to Temp and the Mozilla AppData folder is an acceptable tradeoff, because we all know that really we want to prevent programs from accessing Windows and Program Files. Problem is: I don't know what FF stores in AppData\Mozilla, but I sure don't want malware poisoning the update URLs or modifying my extensions. That's the point of security. – Ian Boyd – 2010-05-23T14:40:39.423

So you don't believe it is worth using Firefox under Protected Mode because Firefox itself might be compromised?

IE itself can theoretically be compromised, even while running under protected mode. The goal of Protected Mode is isolation of the system from processes which interface with untrusted data, and thus may be exploited to compromise the rest of the system, not protection of the program from itself. Under medium integrity, Firefox can already write to Temp and AppData, thus preventing rights to all other locations is clearly a significant gain in security. – None – 2010-05-24T03:10:52.730

That said, if you're concerned with the integrity of your extensions, which is understandable if you seek to protect passwords, you simply need to refine the integrity level rules.

Integrity levels do not prevent read or execute operations above an application's integrity level. Only mark the Temporary folder as allowed, and any configuration file locations you want Firefox to write to, making sure to exclude the extension folder found in AppData.

Update URLs are not stored in user accessible configuration: http://kb.mozillazine.org/About:config_entries#Update._and_Update_notifications.

– None – 2010-05-24T03:18:54.787

ProcessMonitor can be helpful for determining which operations an application is attempting to perform that are being denied due to its integrity level.

Simply set filters for Application name=theappinquestion.exe and Result=ACCESS DENIED, and you can easily refine the integrity levels of any files or registry keys needed. Files with icacls, reg keys with regil (http://www.minasi.com/apps/). Using this method, I was able to configure SC2 beta to run in low integrity mode in under 5 minutes.

– None – 2010-05-24T03:24:02.140

I think everyone's missing the fact that I run other software at the Low Mandatory Integrity level; programs besides IE and Chrome (or Firefox). An example is a media player; I want code execution from a buffer overflow in a codec to not be allowed to write to anything except the two allowed locations. And I definitely don't want the code to be able to write to my Downloads folder, my Temp folder, or be able to modify settings related to Firefox. I should not be lifting security barriers on my computer to make one program work; the program should bend to the security barriers. – Ian Boyd – 2010-05-24T15:18:45.107
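As an added example (not code from any poster in this thread), serving both the icacls answer above and the Process Monitor method in the comments: it applies the ProcMon filter described (Process Name = firefox.exe, Result = ACCESS DENIED) to a constructed CSV export and groups the denied paths by parent location, flagging the shared folders (Temp, Downloads) whose relabelling the comments object to, so a narrower path can be relabelled instead. The column layout and every sample row are assumptions.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample of a Process Monitor CSV export; the explorer.exe row is
# there to show the process-name filter is applied, not just the result filter.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0","firefox.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.1","firefox.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\prefs.js","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","firefox.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.3","firefox.exe","4120","RegSetValue","HKCU\\Software\\Mozilla\\Firefox\\Installs","ACCESS DENIED","Type: REG_SZ"
"10:01:02.4","firefox.exe","4120","CreateFile","C:\\Program Files\\Mozilla Firefox\\omni.ja","SUCCESS","Desired Access: Generic Read"
"10:01:02.5","explorer.exe","1234","CreateFile","C:\\Users\\alice\\Downloads\\x.exe","ACCESS DENIED","Desired Access: Generic Write"
"""

# Folders every other Low-integrity process also uses; lowering these is the
# objection raised in the comments, so the report flags them.
SHARED_DIRS = ("\\AppData\\Local\\Temp", "\\Downloads")

def denied_paths(csv_text, process_name):
    """Paths (files or registry keys) the named process was denied access to."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["Path"] for r in rows
                   if r["Process Name"].lower() == process_name.lower()
                   and r["Result"] == "ACCESS DENIED"})

def group_by_parent(paths):
    """Map each parent directory/key to the names that were denied under it."""
    groups = defaultdict(list)
    for p in paths:
        groups[str(PureWindowsPath(p).parent)].append(PureWindowsPath(p).name)
    return dict(groups)

def is_shared(directory):
    """True if the directory is (or lies under) one of the shared folders."""
    d = directory.rstrip("\\")
    return any(d.endswith(s) or s + "\\" in d for s in SHARED_DIRS)

def report(csv_text, process_name):
    """One line per parent location, with a warning for shared folders."""
    lines = []
    for parent, names in sorted(group_by_parent(denied_paths(csv_text, process_name)).items()):
        note = "  <-- shared with every Low-IL process; relabel a narrower path" if is_shared(parent) else ""
        lines.append(f"{parent}: {', '.join(names)}{note}")
    return lines
```

Run `report(SAMPLE_CSV, "firefox.exe")` on a real export saved from ProcMon (File > Save, CSV format) to get the candidate locations for icacls or regil; the registry key shows up as a parent just like a directory.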

-1

SRP is not necessary, as processes executed by a low integrity level process inherit low integrity level themselves. However, it is another layer of protection, and thus still a good idea!

user38043

Posted 2009-08-27T12:38:51.883

Reputation: