Firefox 3 Follows IE7's Security Settings

Firefox 3 users who have also jacked up the security settings on Microsoft's Internet Explorer 7 to their most paranoid level may find it trickier to download files with Firefox due to key changes recently made by Mozilla.

In a Security Fix Live chat last Friday, a reader complained that he or she couldn't download any file in Firefox without reducing the security settings in IE7. "I usually leave IE at high settings since I don't routinely use it.... I tried reducing all the security settings in Firefox to make sure it wasn't the cause. And the problem exists without using noscript. Only reducing settings in IE allows downloads."

An alert reader called me on my advice to this questioner, directing my attention to a heated discussion thread on the subject at DSL Reports that I had actually read a few weeks prior (doh!).

Here's what's happening, according to Mozilla: "Starting in Firefox 3, downloads of executable files (e.g., .exe or msi) may fail and the Firefox Downloads window will contain this message under the filename:

- This download has been blocked by your Security Zone Policy"

Mozilla says this issue occurs because, unlike previous versions of Firefox, the latest version now honors your Windows security settings for downloading applications, settings that are configured through IE.

This may seem like an abrupt about-face by Mozilla, and it probably does to some loyal Firefox users, too. But the company is clearly making a bigger play here for the corporate environment by attempting to respect the security settings already in place on the browser most commonly used by businesses.

The only way to change this behavior in Firefox appears to involve lowering IE's security settings. To change the setting, open Internet Options (via Control Panel or from Internet Explorer -> Tools) and click the Security tab. With the Internet zone icon highlighted, click the Custom level button. A list of security settings for the Internet zone will appear. Find the "Launching applications and unsafe files" setting (under Miscellaneous) and select "Prompt (recommended)." If this change doesn't do the trick, Mozilla offers a few more suggestions, at this link here.
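To see how that setting is currently configured without clicking through the dialog, the following read-only PowerShell check can be used. It is an added example, not part of the original article or Mozilla's instructions; it assumes the setting is stored as URL action `1806` under the Internet zone (zone `3`) registry keys with values 0 (Enable), 1 (Prompt) and 3 (Disable), and it assumes the precedence order listed in the code. None of those identifiers appear in the article itself.

```powershell
# Added example (read-only): report how URL action 1806, "Launching applications
# and unsafe files", is set for the Internet zone, and where the value comes from.
$ZoneId   = 3        # 3 = Internet zone
$ActionId = '1806'   # Miscellaneous > Launching applications and unsafe files
$Base     = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry locations, in the precedence order assumed for this example.
$Locations = @(
    [pscustomobject]@{ Source = 'Machine policy';     Hive = 'HKLM'; Path = "HKLM:\SOFTWARE\Policies\$Base\Zones\$ZoneId" }
    [pscustomobject]@{ Source = 'User policy';        Hive = 'HKCU'; Path = "HKCU:\SOFTWARE\Policies\$Base\Zones\$ZoneId" }
    [pscustomobject]@{ Source = 'User preference';    Hive = 'HKCU'; Path = "HKCU:\SOFTWARE\$Base\Zones\$ZoneId" }
    [pscustomobject]@{ Source = 'Machine preference'; Hive = 'HKLM'; Path = "HKLM:\SOFTWARE\$Base\Zones\$ZoneId" }
)

function Get-DwordOrNull {
    # Returns the DWORD as an int, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Security_HKLM_only = 1 makes Windows ignore the per-user zone settings.
$machineOnly = (Get-DwordOrNull "HKLM:\SOFTWARE\Policies\$Base" 'Security_HKLM_only') -eq 1
if ($machineOnly) {
    $Locations = $Locations | Where-Object { $_.Hive -eq 'HKLM' }
}

$Report = foreach ($loc in $Locations) {
    $value = Get-DwordOrNull $loc.Path $ActionId
    if ($null -eq $value) {
        $text = 'not set'
    } elseif ($Meaning.ContainsKey($value)) {
        $text = $Meaning[$value]
    } else {
        $text = "other ($value)"
    }
    [pscustomobject]@{ Source = $loc.Source; Value = $value; Setting = $text }
}

$Report | Format-Table -AutoSize

# The first location that actually holds a value wins.
$effective = $Report | Where-Object { $null -ne $_.Value } | Select-Object -First 1
if ($null -eq $effective) {
    Write-Output 'Action 1806 is not set in any checked location.'
} elseif ($effective.Value -eq 3) {
    Write-Output "Effective setting: Disable (from $($effective.Source)). Executable downloads are blocked by zone policy."
    if ($effective.Source -like '*policy') {
        Write-Output 'This value comes from a policy key, which an administrator controls.'
    }
} else {
    Write-Output "Effective setting: $($effective.Setting) (from $($effective.Source))."
}
```

A value reported from one of the policy keys indicates the setting is centrally managed, which matches the corporate use case described above.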

Firefox 3 also by default scans all downloaded files with any anti-virus software installed on the host machine. Mozilla notes that "in some cases, this may cause a substantial delay in saving the downloaded file." Incidentally, this feature did not appear to invoke the anti-virus scanner installed on my test PC (NOD32), but your anti-virus software may behave differently.

Firefox 3 users can disable the automatic virus scanning of downloads by typing "about:config" in the address bar, scrolling down to the "browser.download.manager.scanWhenDone" listing and setting it to "false".

What about you, Security Fix readers? How do you feel about these changes, and have you encountered them at home or in the workplace? Sound off in the comment section below.

By Brian Krebs  |  July 21, 2008; 3:09 PM ET
Categories:  From the Bunker  

Comments

I don't like the changes at all. I already disliked some of the visual differences, and if it's going to depend on IE settings, I may not install Firefox 3 on my home machines. I want Firefox to work independently of IE.

Posted by: Unhappy | July 21, 2008 3:49 PM | Report abuse

If Firefox continues down this path they turn Firefox into nothing but an IE clone. Not worth downloading.

Posted by: fcsanders | July 21, 2008 4:02 PM | Report abuse

i also notice that ff3 uses a lot of cpu cycles intermittently even when the browser is open but idle. is that because ff3 updates its blacklist more often than ff2?

Posted by: Anonymous | July 21, 2008 4:06 PM | Report abuse

The right thing to do would be to ask the users if they want to use IE7 settings.

But this is life. The upstart ends up joining the establishment...

Posted by: Tom | July 21, 2008 4:34 PM | Report abuse

This is crazy! I can see doing this by default, but there MUST be an about:config setting to turn this behavior off.

Posted by: Angus S-F | July 21, 2008 4:47 PM | Report abuse

This is not a mix of FF and IE but FF using the built-in security zones of Windows to classify content based on trust level. I see this as a step forward to integrate FF into the Windows world where you only need one set of zones instead of one per browser. Also this flags downloaded executables if they come from untrusted zones, making Windows able to verify that execution is intended before the execution actually starts.

I for one welcome this move.

Posted by: Morten | July 21, 2008 5:35 PM | Report abuse

I second what Morten said. I think that some are being distracted by the mention of IE7. This is a browser respecting operating system settings. That's all.

Posted by: Patrick Huss | July 21, 2008 6:28 PM | Report abuse

I had the same "problem" you did with ESET Nod32 not scanning downloaded files. I believe it's because Windows Security Center said it "doesn't recognize" Nod32. But just in the last week or so I noticed that Windows Security Center changed its status page to indicate that it recognizes Nod32 and that it is running. Maybe Firefox issued a patch to correct the issue?
Anyway, I agree with most of Morten's post. Integrating the trust level functions doesn't bother me. But the fact is I'd like to be rid of IE altogether except that I can't uninstall it and anyway it's needed for some Windows update or scan features. What bothers me is Active X executables. Does the integration mean that Firefox will allow Active X if IE does?

Posted by: Ozexpatriate | July 21, 2008 6:28 PM | Report abuse

@ Morten

But I thought integrating the browser into the OS was a bad thing? ;)

Posted by: TJ | July 21, 2008 6:40 PM | Report abuse

As Brian alluded to, this is Mozilla utilizing the integration of IE into Windows because it gives them an opportunity to piggyback on the use of group policy settings used in a corporate network that control configuration and security settings. Something FF would otherwise not be able to do itself.

Posted by: TJ | July 21, 2008 6:42 PM | Report abuse

I can see this being reasonable IF the vulnerability of the two browsers is the same to a particular attack. But if it is not (i.e., if IE can be easier tricked into running a downloaded application than Firefox), then it is not a good idea - while it may make sense for the default settings to be copied, and for a "reset to default from Windows" button to exist, fully automatic copying is not good.

Posted by: Allen Smith | July 21, 2008 7:48 PM | Report abuse

If the Firefox developers are bound and determined to make FF3 honor IE's settings &/or Group Policy settings, then why is it looking at the status of the "Launching applications and unsafe files" setting (under Miscellaneous) to permit or block downloading, when it could just as easily--and less misleadingly--look at the status of the "File download" setting (under Downloads) instead?
http://support.microsoft.com/kb/182569

Posted by: Mark Odell | July 21, 2008 8:17 PM | Report abuse

Firefox 3 sucks the banana big time. The new and improved bookmark feature is a complete disaster. It's as bad or worse than version 2. No problem though... uninstalled FF3 and reinstalled FF1.5. Mozilla is tanking I'm afraid. The mental recession is spreading.

Posted by: Rev. Dave | July 21, 2008 10:07 PM | Report abuse

How does this work on Mac and Linux boxes?

Posted by: wiredog | July 22, 2008 8:17 AM | Report abuse

Thanks Brian,

Say, what's the URL for Opera ?

Posted by: Home User | July 22, 2008 9:12 AM | Report abuse

With regard to FF making it into enterprise networks, I'm afraid it ain't gonna happen.

To be sure, IE is a security nightmare and FF is a better browser. However, most enterprises have developers developing specifically for IE...and have you ever tried browsing a Sharepoint intranet site with FF? You get authentication boxes every 10 seconds.

Finally, although FF would present some security improvements, at the end of the day, installation on enterprise desktops would just result in yet another desktop application which would need to be patched, maintained and upgraded like any other.

I wouldn't use anything else at home though!

Posted by: Nick | July 22, 2008 9:29 AM | Report abuse

I have been with Firefox since it came out. With version 3.0.1 having to lower IE settings to DL anything, I may as well be using IE. I did not think the day would come that I would use IE again, but the day has finally come. I will miss Firefox as I will be removing it from my computers.

Posted by: Larry | July 22, 2008 10:09 AM | Report abuse

I don't use Firefox (or IE, unless absolutely mandatory for Windows Updates), as I prefer Opera -- a much superior browser for quite a long time now.

Posted by: Jim | July 22, 2008 11:20 AM | Report abuse


Gawd! It wouldn't be so bad if FF3 *asked* you to follow IE or not, but to impose it on you? Whoa. THAT sounds like a tactic out of Redmond and it's NOT acceptable. I think I'll stick with FF2 until the people at Mozilla get their heads unwedged.

Oh, and as to a comment from an earlier reply, most publicly accessible web pages are NOT IE-only. They know better or, if they don't, they lose 15 or 20% of their business.

Jeff B at Home

PS: I solve this problem at home by not using anything from Microsoft. No Microsoft, no problems.


Posted by: Jeff B at Home | July 22, 2008 11:37 AM | Report abuse

I have a policy of not upgrading anything until the bugs are fixed, and if they do not fix them, I never upgrade. It makes security tougher, but there are other ways to achieve that.

Posted by: Ed C | July 22, 2008 11:54 AM | Report abuse

Apparently, reading comprehension is too hard for many. It's a Windows security setting, people.

Posted by: Matt | July 22, 2008 4:16 PM | Report abuse

The problem is that Windows doesn't clearly distinguish what settings apply to IE or the machine as a whole. (Or settings that apply to one user account or machine-level settings.)

Very few people think of these settings as Windows settings, because they are generally accessed through IE.

Posted by: josef | July 22, 2008 4:45 PM | Report abuse

Yeah, I must confess that I for one don't like it one bit. For some time now I have had the distinct impression Firefox/Mozilla is falling off bigtime. For a non-profit organisation they make way too much money and their decisions lately are very disappointing. This is a good example: many of their loyal customers will not like this, and yes, to integrate a browser into the OS is indeed a very bad idea. That's why most of us started using FF in the first place.
They should have asked, e.g. given the user a possibility to configure the browser this way or not. IE is a security nightmare, don't forget that!

Posted by: John | July 22, 2008 6:34 PM | Report abuse

Like Matt said, it's a Windows security setting, people. IE follows it (and is also integrated with it), and now Firefox follows it too. You can get there by going to Control Panel > Internet Options.

You'll notice that nowhere in my instructions did I say "Open Internet Explorer"...

If you don't want IE built into your operating system, then don't use Windows!!! People just like to complain, even if it's for no reason.

But, seriously people, even if you had to open IE, how hard is it to open it and change your paranoid settings to default? And, if you don't even use IE in the first place, why do you care that it's "super secure"? You only have to change it once, and that is only assuming that you ALREADY CHANGED IT in IE in the first place!

News flash! When you set Windows Internet Options to high security settings, you can't access everything anymore... Duh!

Posted by: reallybigname | July 22, 2008 7:27 PM | Report abuse

It doesn't matter if you disagree with the choices made by the people at Mozilla. The point of Firefox is that the source is open and anyone can modify it to fit their needs.

Posted by: Chris | July 22, 2008 7:28 PM | Report abuse

Wow... I'm surprised at the lack of comprehension most of these readers have. Mozilla finally lets firefox respect your system settings, and you have to complain about it? Man, people will complain about anything these days.

Posted by: Marcus | July 22, 2008 7:31 PM | Report abuse

Part of this is probably to let admins who have Group Policy settings for the Security Zone stuff allow FF. If I'm a network admin, and I set certain security policies, I want all software to follow them, regardless of what that software is.

Ed C, the very nature of bugs means that you will never install any software ever -- bugs are always going to make it into the final product and will be undetected until some future date.

Posted by: Admin | July 22, 2008 7:35 PM | Report abuse

One point; it's open source.
If you don't like something in Firefox, download the source and compile it yourself. I'm sick of people complaining about stuff like this on Firefox (and other open-source software) but do nothing about it. It's really not that hard to change a line or two of code and recompile.

Posted by: Thomas | July 22, 2008 7:36 PM | Report abuse

FF is respecting Windows Settings. It just happens most people edit these settings through IE. If you go to Control Panel it is called Internet Settings (not IE Settings, so one would assume that these are generic Internet Settings for Windows). If Windows provides settings about what files can and cannot be downloaded, FF should respect that. If you (or your sysadmin) have told Windows not to download exe and msi and Firefox allows you to, Firefox is acting as a security hole/workaround. Maybe another useful one to add would be if you set up a proxy in the Internet Settings, FF should pick that up as well instead of having to set the proxy in IE and FF separately. If FF was doing this would people be as concerned?

Posted by: Karit | July 22, 2008 7:44 PM | Report abuse

Why the heck would Firefox do anything IE? I don't get it. Nobody likes IE.

JT
www.Ultimate-Anonymity.com

Posted by: Jimmy Woods | July 22, 2008 7:45 PM | Report abuse

"If you don't like something in Firefox, download the source and compile it yourself. I'm sick of people complaining about stuff like this on Firefox (and other open-source software) but do nothing about it. It's really not that hard to change a line or two of code and recompile."

And I'm tired of open source advocates making these types of unrealistic statements. Most people are afraid of even opening a registry editor and you think they're going to recompile source code?

Posted by: TJ | July 22, 2008 7:59 PM | Report abuse

Windows users..... *rolls-eyes*........*SIGH*

Moves on to his next mouse *CLick*

D.

Posted by: DOUGman | July 22, 2008 8:01 PM | Report abuse

FF3 does not work with Hotmail's Personalized page, but Opera 9.5 does...

FF3 does not work with Sungard, but now Opera 9.5 does...

Guess what I'm now using OPERA. It does what I need it to do the way I want it to ;)

Posted by: Now a Opera User | July 22, 2008 8:15 PM | Report abuse

I'm the guy who raised the original question. Firefox was sold as being more secure than IE, which is constantly attacked as being prone to malware. So, like the idiot some of you think I am, I switched to Firefox. And because I had heard that some viruses/spyware can infect a PC through IE even when not in use, I set security to high. So I thought there was some independence that doesn't turn out to exist, although it did in earlier versions of FF.

I think the answer is that the settings are really through Windows, as someone explained, which is integrated with IE. If so, then I don't see how FF is more secure.

Posted by: ls | July 22, 2008 8:25 PM | Report abuse

As many others have said: just use Opera

http://www.Opera.com

:)

Posted by: D'n | July 22, 2008 9:26 PM | Report abuse

so if someone set their ie settings to low and keeps getting infected they would download ff3 that has the same settings and keep getting infected?

Posted by: remotefixonline.com | July 22, 2008 9:51 PM | Report abuse

OK, so maybe that explains why neither IE7 nor IE8 beta 1 will actually load to my desktop ????????

If Firefox 3 is following IE security settings, the files for IE are on my computer and apparently available to Firefox settings ????

I am not as impressed with Firefox 3 as I was with Firefox 2. As Spyware & viruses increase, I can only imagine even more difficulties in the future.

I have yet to figure out how to open a download [or where to find it besides in the blue download bar] in Opera 9.5

Posted by: BRUCE R | July 22, 2008 11:07 PM | Report abuse

I could care less if the settings being honoured by FF3 belong to IE or Windows. I'm still using FF2 and I don't deliberately use IE for anything, but those who suggest I should reduce the IE/Windows settings from their current paranoid values in order to get FF3 to work are naive. Even if you never run IE intentionally, it *does* get run on occasion! Some apps embed an instance of IE. Windows itself uses obscured instances of IE for some "features". I set the relevant settings to paranoid levels to stop all that unnecessary security exposure and I do *not* intend to change that. I've always been specifically very happy that FF does *not* honour those crappy one-size-supposedly-fits-all-apps Internet settings. If that's changed for FF3, then I'm done with FF. Tying FF3 to Windows Internet Settings is nothing less than Mozilla enabling and promoting Microsoft security vulnerabilities. Shame on you, Mozilla!!!

Posted by: Angry Soon To Be Ex-Firefox User | July 22, 2008 11:21 PM | Report abuse

Let's see, permission for IE to launch unsafe files - Prompt or Disable? Hm. Why on Earth would the people at Mozilla hobble their excellent browser by subjecting it to the same rules that knowledgeable people are compelled to impose on the notoriously untrusted Internet Explorer? Their reasoning escapes me.

Posted by: Lawrence C | July 23, 2008 2:42 AM | Report abuse

IE is your GOD! Get down on your knees!! ha ha

Posted by: Waqas Yousaf | July 23, 2008 2:46 AM | Report abuse

The following explanation may be relevant.

1. Internet Security settings are set using the control panel/Internet Security.

2. IE7 imports these settings and uses them.

3. When the settings are changed in IE, the windows settings also get changed. This is the source of confusion.

3. Firefox 3 imports these settings as they are and uses them.

4. Unfortunately, there is no way to change windows settings from within Firefox. This may be to avoid too many cooks.


Posted by: Krishna | July 23, 2008 10:51 AM | Report abuse

If the IE settings are really Windows settings, then how was I able to download using previous versions of FF while the IE settings were on high? Did this change with sp3?

But the bottom line is whether Firefox is really more secure than IE. Is that clear to anyone out there?

Posted by: ls | July 23, 2008 11:31 AM | Report abuse

I wonder what would happen if you ran FF3 in a Linux VM on your Windows box? Unfortunately the current Browser Appliance
http://www.vmware.com/appliances/directory/browserapp.html
has an old version of FF2.

Posted by: Angus S-F | July 23, 2008 11:38 AM | Report abuse

I'm not a PC user (Mac) but with respect to those suggesting looking at the Opera browser, beware of the shared libraries between Opera and Adobe, which weren't a problem with previous versions of Opera but with Opera 9.5x can cause some older Adobe Creative Suite (CS2) packages not to load and run. Opera 9.5 updates libraries which won't work with some CS2 packages.

Posted by: wsrphoto | July 23, 2008 11:41 AM | Report abuse

"But the bottom line is whether Firefox is really more secure than IE."

Using the latest versions of both, there really isn't a whole lot of difference. The real defense is whether you are running as the all powerful administrator account or as a limited user. Add in other layers of protection (defense in depth) and the issue is moot. It's the reason I've NEVER been compromised in any way using IE!

Computer security does not start or end with just the browser. To do so would be locking only your front door and leave all the other doors and windows unsecured. Doesn't make any sense and gives a false sense of security.

Posted by: TJ | July 23, 2008 12:03 PM | Report abuse

Whatever happened to thinking "outside the box"?

'Makes one wonder if Moz or Google is developing these things...

.

Posted by: J. Warren | July 23, 2008 1:31 PM | Report abuse

I'm with fcsanders. Another clone! Make FF3 settings in IE? I thought the whole idea of FF was to be *unique* and *different* from IE!

Placing FF3 settings in control of IE is pure hooee.

They want to appeal to the corporate world, eh? Put on some white shirts, ties, and follow on the path of the once-creative Microsoft. (Choke!)

Posted by: Albo P. Fossa | July 23, 2008 7:30 PM | Report abuse

@ Rev Dave:

You're spot on about the 'improved' Bookmarks function. It's klunky and there's no continuity fr/ the previous version.

The History function has also been trashed.
It's less flexible and user friendly. It's impossible to clear without using the "Clear Private Data" from the Tools menu.

@ Chris:

Many users of Firefox appreciate its Open Source nature. But most of us are NOT programmers and would trash our machines if we tried our hand playing with the browser's code. You sound a bit like an ueber jock asking why ordinary duffers can't bench press 400 lbs!

Posted by: Kfritz | July 24, 2008 1:18 AM | Report abuse

The biggest mistake Firefox makes here is not offering choice to its users in for example about:config. Considering some of the comments about free software/open source and recompiling I see above: well, that's true, but there's also that other option: FORK. Can you say Iceweasel?

Posted by: Michiel | July 24, 2008 4:30 AM | Report abuse


This is a GOOD THING!!!

Firefox now respects the operating system values for Internet Security.

These values are now used in both IE and Firefox.

The fact that they have been respected by IE for years, and that there is an option in IE to access the Windows control panel is irrelevant.

To me, this is a BUG fix. Before it wasn't respecting the system and network settings and now it does.

In reality, it would be nice if Microsoft didn't make obeying these policies optional for other applications - but I suppose they expected everyone to use their forsaken IE.

Posted by: Richard | July 24, 2008 7:10 AM | Report abuse

You know, it could be easier to just use IE7. I use it all the time, and don't have a problem like the past versions of IE. IE8's gonna be the bomb.

http://microsoft.com/ie7

Posted by: Quikboy | July 24, 2008 8:41 AM | Report abuse

darchi

Posted by: alleton | July 29, 2008 8:52 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company