Michael Horowitz

Exploiting the portable edition of Firefox

November 24, 2009 8:57 PM EST

I've been a Firefox enthusiast from the get-go. Initially my interest was due to Defensive Computing, Firefox didn't support ActiveX and BHOs making it safer by default.

Of course, much of the enthusiasm for Firefox is now driven by the many available extensions. But if there was ever a coin with two sides, this is it.

On the one hand, anyone can create a Firefox extension, which has given us thousands to chose from.

On the other hand, there is no security wall around Firefox extensions, they are given free reign within the browser.

Then too, Mozilla does no verification (that I know of) of extensions. An extension that does one thing, may also be doing something else under the covers. We wouldn't know.

When you install a Firefox extension, you are forced to trust a stranger. Not good Defensive Computing.

Like all software, Firefox extensions may be buggy or poorly written. Nothing new here, or so I thought until today. An article at Tech Republic by Michael Kassner discusses the exploitation of poorly-written extensions to install malware.

The article is a worthwhile read, but I don't think it offers optimal suggestions for end users. Specifically, in touting Firefox's safe mode to disable all extensions, the authors are assuming a single copy of Firefox. How quaint.

Portable Firefox lets Windows users run a dozen different copies of Firefox in a single instance of Windows. There is no required connection between portable applications and USB flash drives, they run just fine from internal hard drives.

A dozen, of course, is overkill, but for security reasons, you may want to maintain two copies of Firefox. You can have one copy configured for convenience, and one for security.*

There has always been, and will always be, a conflict between security and convenience. Most of the time we want convenience, but sometimes (think online banking) we need more security and should be willing, temporarily, to put up with some hassles for the added security.  

So, most of the time you can use a "convenient" copy of Firefox, one with all your favorite extensions. But, when doing financial transactions or making online purchases, switch to a copy of Firefox configured for maximum security.

For the absolute best security, I previously suggested booting a copy of Linux off a USB flash drive, SD memory card or CD, and running Firefox from within Linux. This remains, in my opinion, the safest option. But, the hassle factor is much higher than simply running another copy of Firefox from within Windows. Your choice.

Of course there is much more to browser security than just disabling extensions. I expect to write another few postings on the subject, including an idea for a home page that insures your DNS servers haven't been hijacked.

One tweak I wrote about back in February. A modification to the userChrome.css file can force Firefox to display a green address bar for all secure HTTPS web pages. That way, if you are victimized by a man in the middle attack that redirects secure pages to insecure ones, there is a fairly obvious visual indicator that you're no longer dealing with HTTPS.

Last week Mozilla announced a security improvement, called "component directory lockdown," in the upcoming Firefox version 3.6. The component directory is part of Firefox and some rogue software has apparently been silently installing itself there. Such software was not visible using the normal Firefox add-on and extension user interface. It also wasn't flagged for compatible versions, so a new version of Firefox might crash due to old software in the component directory.
 
I mention this because portable copies of Firefox are a bit more secure just by not being the normally installed copy. Other software can't find it.


*Portable Firefox also lets you kick the tires on a new version of Firefox while still running an older version. And its a great way to try out new extensions.