Michael Horowitz

How Internet Explorer can adversely affect Firefox

April 20, 2010 9:39 PM EDT

Although I live in Windows, I avoid Internet Explorer - its the Defensive Computing thing to do. My approach is the same as Steve Gibson's, we run IE once a month to install Microsoft patches, then ignore it until next month.

Not too long ago, on his Security Now! podcast, Gibson suggested further protection from IE by setting both the Internet and Intranet zones to "High" security levels. What the heck, I figured, an extra bit of safety can't hurt. But it did hurt, and thus, this blog posting.

The advice isn't new, of course, but I implemented it sometime early this year. Unfortunately, I also upgraded my main XP machine to service pack 3 around the same time. Thus, when Firefox acted up, I first suspected the service pack. False lead.

The problem was that Firefox couldn't download files. Rather than spend time researching it, I just ran Chrome the few times I needed to download a file from a website. Since the solution was so simple, the problem didn't rate much time or effort. My email program, Thunderbird, had no problem saving attached files, so I made due.

But recently, while listening to the March 18th edition of Security Now!,  I heard Steve and Leo Laporte discussing how this problem was widespread among their listeners, but limited to EXE files. Steve promised to look into it next week.

But it seems that he hasn't. A scan of the transcripts of the later shows found no mention of the problem.

Since the Security Now! listeners had done some of the legwork, and narrowed down the problem to Internet Explorer zones, the time had come to look into this.

THE PROBLEM

Very often the hardest part to solving a problem is fully understanding it. With that in mind, here are the gory details.

Raising the security level of the Internet Zone (Tools -> Internet Options -> Security tab) in Internet Explorer from the default level ("Medium-high") to "High" causes a problem for Firefox.  

Internet Explorer Internet Zone

I tested this on two XP SP3 machines. The first was running Internet Explorer 7 and had multiple copies of the portable edition of Firefox 3.6.x as well as a normally installed copy of Firefox 3.5.9. All instances of Firefox suffered the same problem. The second XP SP3 machine had IE 8 installed along with a non-portable copy of Firefox 3.5.9.

I hadn't noticed that the only files Firefox couldn't download were EXEs. After hearing this on the podcast, it was easy to confirm.

As you can see in the screen shot below of the Firefox Download Manager, the .gif and .doc were saved, only the .EXE files had their downloads canceled before they even started. Each time, an EXE file would get created in the local file system, but the file size was zero.

 Firefox download history 


Firefox couldn't save EXE files into any folder, not even My Documents. On both XP machines, the problem happened while logged on as an Administrator with no anti-malware software running. And, the problem was limited to Firefox, portable copies of Chrome v3 and v4 happily saved downloaded files anywhere, even when run with reduced rights via DropMyRights.

In a nutshell: lower the security level of the Internet zone in IE, and Firefox can save EXEs. Raise it and it can't.

THE SOLUTION
 
A visit to search engine land turned up an item at mozillazine.org called Unable to save or download files that addressed this issue directly (see the topic "Enable downloads blocked by Security Zone Policy").

It's not a bug it's a feature. Really.

As of version 3, Firefox does this on purpose. Fortunately, you can have high security in Internet Explorer and still be able to download EXE files in Firefox.

If you are running Firefox version 3.5.x or 3.7.x you can have your cake and eat it too, with a little work. Firefox version 3.6.x, however, requires opening the security clamp in IE just a bit.

Running the Chrome browser to download the occasional EXE, is looking better and better right about now.

In Firefox 3.5 and 3.7 you need to enter "about:config" (no quotes) in the address bar and click through the warning about voiding the warranty.

This displays a huge list of Firefox configuration options. What we normally see with Tools -> Options is only the tip of the iceberg. This is the iceberg.

But even this list isn't comprehensive, both browsers require us to add yet another option, one specifically for this issue. To add a new configuration option, right click over nothing, select New, then Boolean.

Adding a new configuration option to Firefox

 In Firefox 3.5.x the new option is called

browser.download.manager.skipWinSecurityPolicyChecks

and it should be set to True. In Firefox 3.7.x the new option is called

browser.download.manager.scanWhenDone

and it should be set to False.

I tested this with Firefox 3.5.9 on Windows XP SP3 with IE7 and IE8, and it worked fine. It takes effect immediately, you don't even need to restart the browser.

There is no configuration option for this in Firefox 3.6.x. Users of this version, need to either run a third browser to download EXE files or poke a hole in the IE lockdown.

To poke the hole, start with the Internet zone set to High then click on the "Custom level..." button. Scroll down to the option called "Launching Applications and Unsafe Files" which will be disabled. Change it to "prompt".

WINDOWS 7  
 
I wrote this posting on a Windows 7 machine, so, of course, I wanted to test the fix there too. Funny thing, Windows 7 does not have the problem at all.

With the Internet zone in IE8 set to High, and logged on as a standard (i.e. restricted/limited) user, Firefox 3.5.8 (normally installed) and 3.6.3 (portable) were both able to save EXE files anywhere in the C:\users\myuserid folder.

In the end, it turned out that IE did not screw up Firefox. Mozilla did.



Update April 21, 2010: The problem seems to be limited to Windows XP.

I tested this on a Vista system with IE7 installed while logged on as an Administrator. Both Firefox 3.0.15 and 3.6.3 were unaffected by the Internet Explorer setting for the Internet zone. I also tested while logged on as a standard user and Firefox 3.0.19 and 3.6.3 had no problem saving EXE files. The zone security level is per-user, not system wide, so I was sure to set it for each logged on Vista user. 


Update April 30, 2010:  Shortly after writing this, I experienced yet another problem, having to do with running EXEs rather than downloading them. See Yet another High Security Problem with Internet Explorer.