Mozilla Firefox

U_Mozilla_Firefox_V4R14_STIG_Manual-xccdf.xml

Version/Release: V4R14    Published: 2015-12-30
Vuln ID | Rule Version | CCI | Severity | Title
    Description. Responsibility. IA Control.

SV-33373r1_rule | DTBG010 | - | MEDIUM | The DoD Root Certificate is not installed.
    The DoD root certificate ensures that the trust chain is established for server certificates issued by the DoD CA. Responsibility: Information Assurance Officer, System Administrator. IA Control: ECSC-1.

SV-16706r5_rule | DTBF020 | - | MEDIUM | Firefox is configured to allow use of SSL 3.0.
    DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DoD. Firefox has this set to on by default, but this is not apparent in the GUI options screen. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16707r1_rule | DTBF050 | - | MEDIUM | Firefox is configured to ask which certificate to present to a web site when a certificate is required.
    When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DoD require user authentication for access, which increases security for DoD information. Access will be denied to the user if certificate management is not configured. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16709r1_rule | DTBF100 | - | MEDIUM | Firefox automatically executes or downloads MIME types which are not authorized for auto-download.
    The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar. When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below. Responsibility: System Administrator. IA Control: DCMC-1.

SV-16710r3_rule | DTBF105 | - | MEDIUM | Network shell protocol is enabled in Firefox.
    Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. It would allow the browser to access the Windows shell, which could allow access to the underlying system. This check verifies that the default setting has not been changed. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16711r2_rule | DTBF110 | - | MEDIUM | Firefox is not configured to prompt the user before downloading and opening required file types.
    New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to open using Firefox's publicly available plugins and extensions; the application will be configured to open these files using external applications only. After a helper application or save-to-disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking whether to save the file or open it with a specified application, this indicates that a plugin does not exist and that the user has not previously selected a download action or helper application to use automatically for that type of file. When prompted, if the user checks the option "Do this automatically for files like this from now on", an entry will appear for that type of file in the plugins listing and the file type is opened automatically in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16712r1_rule | DTBF120 | - | MEDIUM | Firefox plug-in for ActiveX controls is installed.
    When an ActiveX control is referenced in an HTML document, MS Windows checks whether the control already resides on the client machine. If not, the control can be downloaded from a remote web site. This provides an automated delivery method for mobile code. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16713r1_rule | DTBF140 | - | MEDIUM | Firefox formfill assistance option is disabled.
    In order to protect privacy and sensitive data, Firefox can be configured so that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled form data. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16714r1_rule | DTBF150 | - | MEDIUM | Firefox is configured to autofill passwords.
    While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16715r1_rule | DTBF160 | - | MEDIUM | Firefox is configured to use a password store with or without a master password.
    Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16716r1_rule | DTBF170 | - | MEDIUM | Firefox does not clear cookies upon closing.
    Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16717r1_rule | DTBF180 | - | MEDIUM | Firefox is not configured to block pop-up windows.
    Pop-up windows may be used to launch an attack within a new browser window with altered settings. This setting blocks pop-up windows created while the page is loading. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16718r1_rule | DTBF181 | - | MEDIUM | Firefox is configured to allow JavaScript to move or resize windows.
    JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Set the browser setting to prevent scripts on visited websites from moving and resizing browser windows. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16924r4_rule | DTBF010 | - | MEDIUM | The Firefox SSLV2 parameter is configured to allow use of SSL 2.0.
    Use of versions prior to TLS 1.0 is not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16925r2_rule | DTBF030 | - | MEDIUM | Firefox is not configured to allow use of TLS.
    DoD implementations of SSL must use TLS in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DoD. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16927r1_rule | DTBF182 | - | MEDIUM | Firefox is configured to allow JavaScript to raise or lower windows.
    JavaScript can make changes to the browser's appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows must not be settable as active via JavaScript. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16928r1_rule | DTBF183 | - | MEDIUM | Firefox is configured to allow JavaScript to disable or replace context menus.
    A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that makes changes to these context menus, which can help disguise an attack. Set this preference to "false" so that webpages cannot affect the context menu event. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16929r1_rule | DTBF184 | - | MEDIUM | Firefox is configured to allow JavaScript to hide or change the status bar.
    When a user visits some webpages, JavaScript can hide or make changes to the browser's appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. This preference determines whether the text in the browser status bar may be set by JavaScript. Set and lock it to True (the default in Firefox) so that JavaScript cannot alter this setting. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16930r1_rule | DTBF185 | - | MEDIUM | Firefox is configured to allow JavaScript to change the status bar text.
    JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a pop-up window that they open. Setting these preferences to true overrides the author's settings and ensures that the feature is enabled and present in any pop-up window. This setting prevents the status bar from being hidden. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16931r1_rule | DTBF130 | - | MEDIUM | Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.
    Users may not be aware that the information viewed under secure conditions on a previous page is not currently being viewed under the same security settings. Responsibility: System Administrator. IA Control: ECSC-1.

SV-16932r1_rule | DTBF017 | - | MEDIUM | The Firefox browser home page is not set to blank or a trusted site.
    The browser home page parameter specifies the web page that is displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are used. This helps to mitigate the possibility of automatic, inadvertent execution of script added to a previously safe site. Responsibility: System Administrator. IA Control: ECSC-1.

SV-19509r1_rule | DTBF003 | - | HIGH | Installed version of Firefox is unsupported.
    Use of versions of an application which are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to attack. Responsibility: System Administrator. IA Control: DCMC-1.

SV-21887r1_rule | DTBF080 | - | MEDIUM | Firefox application is set to auto-update.
    Allowing software updates from non-trusted sites can introduce settings that override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then many other default settings which point to untrusted sites must be changed to point to an authorized update site that is not publicly accessible. Responsibility: System Administrator. IA Control: ECSC-1.

SV-59603r1_rule | DTBF090 | - | MEDIUM | Firefox automatically updates installed add-ons and plugins.
    Set this to false to disable checking for updated versions of extensions and themes. Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings. Responsibility: System Administrator. IA Control: ECSC-1.

SV-21889r5_rule | DTBF070 | - | MEDIUM | Firefox required security preferences cannot be changed by the user.
    Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with an offset of 7 instead). This file also needs to be "called" from the configuration file local-settings.js. Responsibility: System Administrator. IA Control: ECSC-1.

SV-21890r1_rule | DTBF085 | CCI-000381 | MEDIUM | Firefox automatically checks for updated versions of installed search plugins.
    Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs. Responsibility: System Administrator. IA Control: ECSC-1.

SV-79381r1_rule | DTBF186 | - | MEDIUM | Extensions install must be disabled.
    A browser extension is a program that has been installed into the browser and adds functionality to it. Whereas a plug-in interacts only with a web page and usually a third-party external application (Flash, Adobe Reader), an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, a Chrome extension can be written to combine data from multiple domains and present it when a certain page is accessed, which can be considered Cross Site Scripting. If a browser is configured to allow unrestricted use of extensions, then plug-ins can be loaded and installed from malicious sources and used in the browser. Responsibility: System Administrator. IA Control: -.