Mozilla Firefox Security Technical Implementation Guide

V4R23 2018-09-17       U_Mozilla_FireFox_STIG_V4R23_Manual-xccdf.xml
V4R14 2015-12-30       U_Mozilla_Firefox_V4R14_STIG_Manual-xccdf.xml
The Mozilla Firefox Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 25
No Change 1
Updated 0
Added 24
Removed 0
V-6318 Added
Findings ID: DTBG010 Rule ID: SV-33373r5_rule Severity: medium CCI: CCI-000185

Discussion

The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD CA.System AdministratorInformation Assurance Officer

Checks

Navigate to Tools >> Options >> Advanced >> Certificates tab >> View Certificates button. On the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4. If there are entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, select them individually. Click the "View" button. Verify the publishing organization is "US Government." If there are no entries for the DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, this is a finding. Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding.

Fix

Install the DOD root certificates.
V-15768 Added
Findings ID: DTBF050 Rule ID: SV-16707r1_rule Severity: medium CCI: CCI-001274

Discussion

When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.System Administrator

Checks

Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering. Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.

Fix

Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it.
V-15770 Added
Findings ID: DTBF100 Rule ID: SV-16709r1_rule Severity: medium CCI: CCI-001242

Discussion

The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar. When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option to "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below. System Administrator

Checks

Use Method 1 or 2 to check if the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up on the Firefox listing. Criteria: Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column. If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding. If the extension exists but is not associated with an application, then this is a finding. Method 2: Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table. If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding. If the entry exists and the "Action" is 'Save File' or 'Always Ask', then this is not a finding. If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding.

Fix

Remove any unauthorized extensions from the autodownload list.
V-15771 Added
Findings ID: DTBF105 Rule ID: SV-16710r3_rule Severity: medium CCI: CCI-000381

Discussion

Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the underlying system. This check verifies that the default setting has not been changed. System Administrator

Checks

Procedure: Open a browser window, type "about:config" in the address bar. Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding.

Fix

Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.
V-15772 Added
Findings ID: DTBF110 Rule ID: SV-16711r2_rule Severity: medium CCI: CCI-001243

Discussion

New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. System Administrator

Checks

Open a browser window, type "about:config" in the address bar. Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following external extensions and not locked, then this is a finding: PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.

Fix

Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files. Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application rather than an add-on or plugin will not be used. (PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP)
V-15773 Added
Findings ID: DTBF120 Rule ID: SV-16712r1_rule Severity: medium CCI: CCI-001170

Discussion

When an ActiveX control is referenced in an HTML document, MS Windows checks to see if the control already resides on the client machine. If not, the control can be downloaded from a remote web site. This provides an automated delivery method for mobile code.System Administrator

Checks

Open a browser window, type "about:plugins" in the address bar. Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.

Fix

Remove/uninstall the Mozilla ActiveX plugin
V-15774 Added
Findings ID: DTBF140 Rule ID: SV-16713r1_rule Severity: medium CCI: CCI-000381

Discussion

In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.System Administrator

Checks

Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference “browser.formfill.enable" is set and locked to the value of “False”.
V-15775 Added
Findings ID: DTBF150 Rule ID: SV-16714r1_rule Severity: medium CCI: CCI-000381

Discussion

While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. System Administrator

Checks

In About:Config, verify that the preference name “signon.prefillForms“ is set to “false” and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference " signon.prefillForms " is set and locked to the value of “False”.
V-15776 Added
Findings ID: DTBF160 Rule ID: SV-16715r2_rule Severity: medium CCI: CCI-000381

Discussion

Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.System Administrator

Checks

Type "about:config" in the browser window. Verify that the preference name “signon.rememberSignons" is set and locked to “false”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference “signon.rememberSignons“ is set and locked to the value of “false”.
V-15777 Added
Findings ID: DTBF170 Rule ID: SV-16716r4_rule Severity: medium CCI: CCI-000169

Discussion

This setting specifies the number of days that Firefox keeps track of the pages viewed in the History List. If you enable this policy setting, a user cannot set the number of days that Firefox keeps track of the pages viewed in the History List. The number of days that Firefox keeps track of the pages viewed in the History List must be specified. If you disable or do not configure this policy setting, a user can set the number of days that Firefox tracks views of pages in the History List.System Administrator

Checks

Type "about:config" in the address bar of the browser. Verify that the preference "places.history.enabled" is set to “true”, and locked. If the parameter for the history preference is set incorrectly, this is a finding. If the setting is not locked, this is a finding.

Fix

Ensure the preference "places.history.enabled" is set and locked to the value of “true”.
V-15778 Added
Findings ID: DTBF180 Rule ID: SV-16717r1_rule Severity: medium CCI: CCI-000381

Discussion

Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.System Administrator

Checks

In About:Config, verify that the preference name “dom.disable_window_open_feature.status " is set to “true” and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "dom.disable_window_open_feature.status " is set and locked to the value of “true”.
V-15779 Added
Findings ID: DTBF181 Rule ID: SV-16718r1_rule Severity: medium CCI: CCI-000381

Discussion

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited websites from moving and resizing browser windows. System Administrator

Checks

In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of “true”.
V-15983 Added
Findings ID: DTBF030 Rule ID: SV-16925r6_rule Severity: medium CCI: CCI-002450

Discussion

Use of versions prior to TLS 1.1 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.System Administrator

Checks

Open a browser window, type "about:config" in the address bar. Verify Preference Name "security.enable_tls" is set to the value "true" and locked. Verify Preference Name "security.tls.version.min" is set to the value "2" and locked. Verify Preference Name "security.tls.version.max" is set to the value "3" and locked. Criteria: If the parameters are set incorrectly, then this is a finding. If the settings are not locked, then this is a finding.

Fix

Configure the following parameters using the Mozilla.cfg file: LockPref "security.enable_tls" is set to "true". LockPref "security.tls.version.min" is set to "2". LockPref "security.tls.version.max" is set to "3".
V-15985 Added
Findings ID: DTBF182 Rule ID: SV-16927r1_rule Severity: medium CCI: CCI-000381

Discussion

JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript. System Administrator

Checks

In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "dom.disable_window_flip" is set and locked to the value of “true”.
V-15986 Added
Findings ID: DTBF183 Rule ID: SV-16928r2_rule Severity: medium CCI: CCI-000381

Discussion

A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.System Administrator

Checks

Type "about:config" in the address bar of the browser. Verify that the preferences "dom.event.contextmenu.enabled" is set and locked to "false". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, this is a finding.

Fix

Ensure the preferences "dom.event.contextmenu.enabled" is set and locked to "false".
V-15987 Added
Findings ID: DTBF184 Rule ID: SV-16929r1_rule Severity: medium CCI: CCI-000381

Discussion

When a user visits some webpages, JavaScript can hide or make changes to the browser’s appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. Determines whether the text in the browser status bar may be set by JavaScript. Set and lock to True (default in Firefox) so that JavaScript access to preference settings for is disabled.System Administrator

Checks

Type "about:config" in the address bar of the browser. Verify that the preference “dom.disable_window_status_change" is set and locked to “true”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "dom.disable_window_status_change" is set and locked to the value of “true”.
V-15988 Added
Findings ID: DTBF185 Rule ID: SV-16930r1_rule Severity: medium CCI: CCI-000381

Discussion

JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. Setting these preferences to true will override the author's settings and ensure that the feature is enabled and present in any popup window. This setting prevents the status bar from being hidden.System Administrator

Checks

In About:Config, verify that the preference “dom.disable_window_open_feature.status" is set and locked to “true”. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of “true”.
V-15989 Added
Findings ID: DTBF130 Rule ID: SV-16931r1_rule Severity: medium CCI: CCI-000366

Discussion

Users may not be aware that the information being viewed under secure conditions in a previous page are not currently being viewed under the same security settings. System Administrator

Checks

Type "about:config" in the browser window. Verify that the preference name “security.warn_leaving_secure" is set to “true” and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference “security.warn_leaving_secure" is set to “true” and locked on this setting.
V-17988 Added
Findings ID: DTBF003 Rule ID: SV-19509r2_rule Severity: high CCI: CCI-003376

Discussion

Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.System Administrator

Checks

Method 1: View the following registry key: HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the files properties for the product version (not the file version. For Windows OS, determine the version of the file by examining navigating to Properties/Version/Product Version. Examine for all instances of firefox.exe that are present on the endpoint. Criteria: If the version number of the firefox.exe file is less than 50.1.x (or ESR 45.7.x), this is a finding.

Fix

Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.
V-19741 Added
Findings ID: DTBF080 Rule ID: SV-21887r3_rule Severity: medium CCI: CCI-000381

Discussion

Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.System Administrator

Checks

Type "about:config" in the browser window. Verify that: 1. The preference name "app.update.enabled" is set to ”true” and locked. 2. Verify that "app.update.url", "app.update.url.details", and "app.update.url.manual" contain url information that point to a trusted internal server or the default setting of “Mozilla.com” or “Mozilla.org”. Criteria: If the parameter is set incorrectly, this is a finding. If this setting is not locked, this is a finding.

Fix

Ensure the preference "app.update.enable" is set and locked to the value of “True” or that a trusted server is used.
V-19742 Added
Findings ID: DTBF090 Rule ID: SV-59603r1_rule Severity: medium CCI: CCI-000381

Discussion

Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.System Administrator

Checks

Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.

Fix

Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file.
V-19743 Added
Findings ID: DTBF070 Rule ID: SV-21889r8_rule Severity: medium CCI: CCI-000366

Discussion

Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). This file also needs to be "called" from the configuration file local-settings.jsSystem Administrator

Checks

Verify that required settings are marked as locked in "about:config". Verify that "mozilla.cfg" file is used to lock required security settings. If settings are enable, and not locked, this is a finding. Sample file: // lockPref("browser.download.dir", "N:"); lockPref("browser.download.downloadDir", "N:"); lockPref("app.update.enabled", false); lockPref("extensions.update.enabled", false); lockPref("browser.shell.checkDefaultBrowser", false); lockPref("browser.search.update", false); lockPref("browser.formfill.enable", false); lockPref("signon.prefillForms", false); lockPref("dom.disable_open_during_load", true); lockPref("dom.disable_window_move_resize", true); lockPref("dom.event.contextmenu.enabled", false); lockPref("dom.disable_window_status_change", true); lockPref("dom.disable_window_flip", true); lockPref("dom.disable_window_open_feature.status", true); lockPref("security.warn_leaving_secure", true); lockPref("security.default_personal_cert", "Ask Every Time"); lockPref("signon.rememberSignons", false); lockPref("xpinstall.whitelist.required", true); lockPref(“network.protocol-handler.external.shell”,false); lockPref("security.tls.version.min" ,"2"); lockPref(“security.tls.version.max", "3"); lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks"); lockPref("privacy.item.history", false) Note: Append line into local-settings.js file to include in the Mozilla config file.

Fix

Ensure the required settings in "about:config" are locked using the "mozilla.cfg" file.
V-19744 No Change
Findings ID: DTBF085 Rule ID: SV-21890r1_rule Severity: medium CCI: CCI-000381

Discussion

Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.System AdministratorECSC-1

Checks

Type "about:config" in the browser window. Verify the preference "browser.search.update” is set to "false" and locked.

Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix

Ensure the preference "browser.search.update" is set and locked to the value of “False”.
V-64891 Added
Findings ID: DTBF186 Rule ID: SV-79381r2_rule Severity: medium CCI: CCI-000381

Discussion

A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, a Chrome extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser.System Administrator

Checks

Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "xpinstall.enabled" and set the value to “false” and locked. Criteria: If the value of “xpinstall.enabled” is “false”, this is not a finding. If the value is locked, this is not a finding.

Fix

Set the preference “xpinstall.enabled” to “false” and lock using the “mozilla.cfg” file. The “mozilla.cfg” file may need to be created if it does not already exist.
V-79053 Added
Findings ID: DTBF190 Rule ID: SV-93759r1_rule Severity: medium CCI: CCI-000381

Discussion

There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publically.

Checks

Type "about:config" in the address bar of the browser. Verify that the preferences "datareporting.policy.dataSubmissionEnabled" is set and locked to "false". Criteria: If the parameter is set incorrectly, this is a finding. If the setting is not locked, this is a finding.

Fix

Ensure the preferences "datareporting.policy.dataSubmissionEnabled" is set and locked to "false".