DoD Compliance · STIG

Mozilla Firefox

V4R13 · Released 23 Oct 2015 · 26 rules
The DOD Root Certificate is not installed.
Medium - V-6318 - SV-33373r1_rule
Severity: Medium
Version: DTBG010 - FireFox
Vuln IDs: V-6318
Rule IDs: SV-33373r1_rule
The DOD root certificate ensures that the trust chain is established for server certificates issued by the DOD CA.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-16602r1_chk

Procedure: Use the Tools/Options/Advanced/Encryption dialog. Select the View Certificates button. On the Certificate Manager window, select the Authorities tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entry for the DoD Root CA 2. If there is an entry for the DoD Root CA 2, select the entry and then the View button. On the Certificate Viewer window, determine the values of the MD5 Fingerprint and SHA1 Fingerprint fields. Criteria: If there is no entry for the DoD Root CA 2, then this is a finding. If the value of the MD5 Fingerprint field of the DoD Root CA 2 certificate is not 47:78:92:DB:8A:EC:1B:53:68:F0:1D:00:9C:34:77:5E, then this is a finding. If the value of the SHA1 Fingerprint field of the DoD Root CA 2 certificate is not 8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61, then this is a finding.

Fix: F-5841r1_fix

Install the DOD root certificate.

Firefox is configured to allow use of SSL 3.0.
Medium - V-15767 - SV-16706r4_rule
Severity: Medium
Version: DTBF020
Vuln IDs: V-15767
Rule IDs: SV-16706r4_rule
DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. Firefox has this set to on by default, but this is not apparent in the GUI options screen.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16453r5_chk

Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl3" and verify that the value is set to "true" or "false" and locked. Criteria: If the value of "security.enable_ssl3" is "true" or "false", this is not a finding. If the value is locked, this is not a finding.

Fix: F-15956r4_fix

Set the preference "security.enable_ssl3" to "true" or "false" and lock it using the Mozilla.cfg file.

FireFox is configured to ask which certificate to present to a web site when a certificate is required.
Medium - V-15768 - SV-16707r1_rule
Severity: Medium
Version: DTBF050
Vuln IDs: V-15768
Rule IDs: SV-16707r1_rule
When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access, which increases security for DoD information. Access will be denied to the user if certificate management is not configured.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16611r1_chk

Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering it. Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.

Fix: F-15985r1_fix

Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it.

Firefox automatically executes or downloads MIME types which are not authorized for auto-download.
Medium - V-15770 - SV-16709r1_rule
Severity: Medium
Version: DTBF100
Vuln IDs: V-15770
Rule IDs: SV-16709r1_rule
The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar. When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Otherwise, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel.
Responsibility: System Administrator
IA Controls: DCMC-1
Checks: C-16614r1_chk

Use Method 1 or 2 to check whether the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up in the Firefox listing.
Criteria:
Method 1: In about:plugins, under Installed plug-ins, inspect the entries in the Suffixes column. If any of the prohibited extensions are found, then for each of them verify that it is not associated with an application that executes code. Applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding. If the extension exists but is not associated with an application, then this is a finding.
Method 2: Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table. If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding. If the entry exists and the Action is "Save File" or "Always Ask", then this is not a finding. If an extension exists and the entry in the Action column is associated with an application that does or can execute the code, then this is a finding.

Fix: F-15987r1_fix

Remove any unauthorized extensions from the autodownload list.

Network shell protocol is enabled in FireFox.
Medium - V-15771 - SV-16710r3_rule
Severity: Medium
Version: DTBF105
Vuln IDs: V-15771
Rule IDs: SV-16710r3_rule
Although current versions of Firefox have this set to disabled by default, use of this option can be harmful: it would allow the browser to access the Windows shell, which could allow access to the underlying system. This check verifies that the default setting has not been changed.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16615r2_chk

Procedure: Open a browser window, type "about:config" in the address bar. Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding.

Fix: F-15988r3_fix

Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.

Firefox is not configured to prompt the user before downloading and opening required file types.
Medium - V-15772 - SV-16711r2_rule
Severity: Medium
Version: DTBF110
Vuln IDs: V-15772
Rule IDs: SV-16711r2_rule
New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to be opened with Firefox's publicly available plugins and extensions. The application will be configured to open these files using external applications only. After a helper application or save-to-disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking whether to save the file or open it with a specified application, this indicates that a plugin does not exist and that the user has not previously selected a download action or helper application to use automatically for that type of file. If the user then checks the option "Do this automatically for files like this from now on", an entry will appear for that type of file in the plugins listing and this file type will be opened automatically in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16616r2_chk

Open a browser window, type "about:config" in the address bar. Criteria: If the "plugin.disable_full_page_plugin_for_types" value is not set to include the following external extensions and locked, then this is a finding: PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.

Fix: F-15989r2_fix

Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files. Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application, rather than an add-on or plugin, is used to open them: PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.

FireFox plug-in for ActiveX controls is installed.
Medium - V-15773 - SV-16712r1_rule
Severity: Medium
Version: DTBF120
Vuln IDs: V-15773
Rule IDs: SV-16712r1_rule
When an ActiveX control is referenced in an HTML document, MS Windows checks to see if the control already resides on the client machine. If not, the control can be downloaded from a remote web site. This provides an automated delivery method for mobile code.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16617r1_chk

Open a browser window, type "about:plugins" in the address bar. Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.

Fix: F-15990r1_fix

Remove/uninstall the Mozilla ActiveX plugin.

Firefox formfill assistance option is disabled.
Medium - V-15774 - SV-16713r1_rule
Severity: Medium
Version: DTBF140
Vuln IDs: V-15774
Rule IDs: SV-16713r1_rule
In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16619r1_chk

Type "about:config" in the address bar and verify that the preference name "browser.formfill.enable" is set to "false" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15991r1_fix

Ensure the preference "browser.formfill.enable" is set and locked to the value of "false".

Firefox is configured to autofill passwords.
Medium - V-15775 - SV-16714r1_rule
Severity: Medium
Version: DTBF150
Vuln IDs: V-15775
Rule IDs: SV-16714r1_rule
While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16620r1_chk

In about:config, verify that the preference name "signon.prefillForms" is set to "false" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15992r1_fix

Ensure the preference "signon.prefillForms" is set and locked to the value of "false".

FireFox is configured to use a password store with or without a master password.
Medium - V-15776 - SV-16715r1_rule
Severity: Medium
Version: DTBF160
Vuln IDs: V-15776
Rule IDs: SV-16715r1_rule
Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16621r1_chk

Type "about:config" in the browser window. Verify that the preference name "signon.rememberSignons" is set and locked to "false". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15993r1_fix

Ensure the preference "signon.rememberSignons" is set and locked to the value of "false".

Firefox does not clear cookies upon closing.
Medium - V-15777 - SV-16716r1_rule
Severity: Medium
Version: DTBF170
Vuln IDs: V-15777
Rule IDs: SV-16716r1_rule
Cookies can help websites perform better but can also be part of spyware. To mitigate this risk, set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16622r1_chk

Type "about:config" in the address bar of the browser. Verify that the preference "privacy.sanitize.sanitizeOnShutdown" is set to "true". Also, "privacy.sanitize.promptOnSanitize" must be set to "false" to prevent users from circumventing the deletion of cookies. Both settings must also be locked to prevent user changes. Criteria: If the parameter for either of the two sanitize preferences is set incorrectly, then this is a finding. If the settings are not locked, then this is a finding.

Fix: F-15994r1_fix

Ensure the preference "privacy.sanitize.sanitizeOnShutdown" is set and locked to the value of "true". Also ensure the preference "privacy.sanitize.promptOnSanitize" is set and locked to "false".

FireFox is not configured to block pop-up windows.
Medium - V-15778 - SV-16717r1_rule
Severity: Medium
Version: DTBF180
Vuln IDs: V-15778
Rule IDs: SV-16717r1_rule
Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16623r1_chk

In about:config, verify that the preference name "dom.disable_window_open_feature.status" is set to "true" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15995r1_fix

Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of "true".

FireFox is configured to allow JavaScript to move or resize windows.
Medium - V-15779 - SV-16718r1_rule
Severity: Medium
Version: DTBF181
Vuln IDs: V-15779
Rule IDs: SV-16718r1_rule
JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Set the browser setting to prevent scripts on visited websites from moving and resizing browser windows.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16624r1_chk

In about:config, verify that the preference name "dom.disable_window_move_resize" is set and locked to "true". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15996r1_fix

Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of "true".

The Firefox SSLV2 parameter is configured to allow use of SSL 3.0.
Medium - V-15982 - SV-16924r3_rule
Severity: Medium
Version: DTBF010
Vuln IDs: V-15982
Rule IDs: SV-16924r3_rule
Use of versions prior to TLS 1.0 is not permitted because these versions are non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16609r2_chk

Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl3" and verify the value is set to "false". Criteria: If the parameter is set incorrectly, then this is a finding. If the value is not locked, then this is a finding.

Fix: F-15983r3_fix

Set the preference "security.enable_ssl3" to "false" and lock it using the Mozilla.cfg file.

Firefox is not configured to allow use of TLS 1.0.
Medium - V-15983 - SV-16925r1_rule
Severity: Medium
Version: DTBF030
Vuln IDs: V-15983
Rule IDs: SV-16925r1_rule
DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16610r1_chk

Open a browser window, type "about:config" in the address bar. Verify Preference Name "security.enable_tls" is set to the value "true" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15984r1_fix

Ensure the preference value of "security.enable_tls" is set to "true" and locked.

Firefox is configured to allow JavaScript to raise or lower windows.
Medium - V-15985 - SV-16927r1_rule
Severity: Medium
Version: DTBF182
Vuln IDs: V-15985
Rule IDs: SV-16927r1_rule
JavaScript can make changes to the browser's appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16625r1_chk

In about:config, verify that the preference name "dom.disable_window_flip" is set and locked to "true". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15997r1_fix

Ensure the preference "dom.disable_window_flip" is set and locked to the value of "true".

Firefox is configured to allow JavaScript to disable or replace context menus.
Medium - V-15986 - SV-16928r1_rule
Severity: Medium
Version: DTBF183
Vuln IDs: V-15986
Rule IDs: SV-16928r1_rule
A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16626r3_chk

Type "about:config" in the address bar of the browser. Verify that the preference "dom.event.contextmenu.enabled" is set and locked to "false", "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true". Criteria: If any of these parameters is set incorrectly, then this is a finding. If any of these settings is not locked, then this is a finding.

Fix: F-15998r3_fix

Ensure the preference "dom.event.contextmenu.enabled" is set and locked to "false", "dom.disable_window_move_resize" is set and locked to "true", and "dom.disable_window_flip" is set and locked to "true".

Firefox is configured to allow JavaScript to hide or change the status bar.
Medium - V-15987 - SV-16929r1_rule
Severity: Medium
Version: DTBF184
Vuln IDs: V-15987
Rule IDs: SV-16929r1_rule
When a user visits some webpages, JavaScript can hide or make changes to the browser's appearance to hide unauthorized activity. This activity can help disguise an attack taking place in a minimized background window. This preference determines whether the text in the browser status bar may be set by JavaScript. Set and lock it to "true" (the default in Firefox) so that JavaScript cannot change the status bar text.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16627r1_chk

Type "about:config" in the address bar of the browser. Verify that the preference "dom.disable_window_status_change" is set and locked to "true". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-15999r1_fix

Ensure the preference "dom.disable_window_status_change" is set and locked to the value of "true".

Firefox is configured to allow JavaScript to change the status bar text.
Medium - V-15988 - SV-16930r1_rule
Severity: Medium
Version: DTBF185
Vuln IDs: V-15988
Rule IDs: SV-16930r1_rule
JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. Webpage authors can disable many features of a popup window that they open. Setting these preferences to "true" will override the author's settings and ensure that the feature is enabled and present in any popup window. This setting prevents the status bar from being hidden.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16628r1_chk

In about:config, verify that the preference "dom.disable_window_open_feature.status" is set and locked to "true". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-16000r1_fix

Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of "true".

Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page.
Medium - V-15989 - SV-16931r1_rule
Severity: Medium
Version: DTBF130
Vuln IDs: V-15989
Rule IDs: SV-16931r1_rule
Users may not be aware that the information being viewed under secure conditions on a previous page is not currently being viewed under the same security settings.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-16629r1_chk

Type "about:config" in the browser window. Verify that the preference name "security.warn_leaving_secure" is set to "true" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-16003r1_fix

Ensure the preference "security.warn_leaving_secure" is set to "true" and locked.

The Firefox browser home page is not set to blank or a trusted site.
Medium - V-15990 - SV-16932r1_rule
Severity: Medium
Version: DTBF017
Vuln IDs: V-15990
Rule IDs: SV-16932r1_rule
The browser home page parameter specifies the web page that is to be displayed when the browser is started explicitly and when product-specific buttons or key sequences for the home page are accessed. This helps to mitigate the possibility of automatic, inadvertent execution of script added to a previously safe site.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-24153r1_chk

Type "about:config" in the address bar of the browser. Verify that the preference "browser.startup.homepage" is set and locked to blank or to an authorized and trusted website such as "https://www.us.army.mil/suite/page/429668". Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-20405r1_fix

Ensure the preference "browser.startup.homepage" is set and locked to blank or the URL for a .mil or other trusted website.

Installed version of Firefox unsupported.
High - V-17988 - SV-19509r1_rule
Severity: High
Version: DTBF003
Vuln IDs: V-17988
Rule IDs: SV-19509r1_rule
Use of versions of an application that are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to attack.
Responsibility: System Administrator
IA Controls: DCMC-1
Checks: C-20617r1_chk

Method 1: View the following registry key: HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion
Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the file's properties for the product version (not the file version). For Windows OS, determine the version of the file by navigating to Properties/Version/Product Version. Examine all instances of firefox.exe that are present on the endpoint.
Criteria: If the version number of the firefox.exe file is less than 3.x.x, then this is a finding.

Fix: F-18550r1_fix

Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.

Firefox application is set to auto-update.
Medium - V-19741 - SV-21887r1_rule
Severity: Medium
Version: DTBF080
Vuln IDs: V-19741
Rule IDs: SV-21887r1_rule
Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites and must be changed to point to an authorized update site that is not publicly accessible.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-24187r2_chk

Type "about:config" in the browser window. Verify that either:
1. The preference name "app.update.enabled" is set to "false" and locked, or
2. If it is set to "true", the preferences "app.update.url", "app.update.url.details" and "app.update.url.manual" contain URL information that points to a trusted server and is not the default setting (the default would contain mozilla.com or mozilla.org).
Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.

Fix: F-20414r3_fix

Ensure the preference "app.update.enabled" is set and locked to the value of "false" or that a trusted server is used.

Firefox automatically updates installed add-ons and plugins.
Medium - V-19742 - SV-59603r1_rule
Severity: Medium
Version: DTBF090
Vuln IDs: V-19742
Rule IDs: SV-59603r1_rule
Set this to false to disable checking for updated versions of extensions and themes. Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-24188r1_chk

Type "about:config" in the browser window. Verify the preference "extensions.update.enabled" is set to "false" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.

Fix: F-20415r2_fix

Set the preference "extensions.update.enabled" value to "false" and lock it using the Mozilla.cfg file.

Firefox required security preferences cannot be changed by user.
Medium - V-19743 - SV-21889r4_rule
Severity: Medium
Version: DTBF070
Vuln IDs: V-19743
Rule IDs: SV-21889r4_rule
Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). This file also needs to be "called" from the configuration file local-settings.js.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-24189r5_chk

Verify that required settings are marked as locked in about:config. Verify that the mozilla.cfg file is used to lock the required security settings. For instructions and a tool for reading the byte-shifted file, go to http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

Sample file (the first line of mozilla.cfg must be a comment):

//
lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668");
lockPref("browser.download.dir", "N:");
lockPref("browser.download.downloadDir", "N:");
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.whitelist.required", true);
lockPref("network.protocol-handler.external.shell", false);
lockPref("security.enable_ssl3", true);
lockPref("security.enable_ssl2", false);
lockPref("security.enable_tls", true);
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks");
lockPref("privacy.item.history", false);

Note: Append a line to the local-settings.js file to include the Mozilla config file.

Fix: F-22495r5_fix

Ensure the required settings in about:config are locked using the Mozilla.cfg file.
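As an added example that is not part of the STIG and not Mozilla's code, the following Python script audits a byte-shifted mozilla.cfg against the lock requirements of the rules on this page: it reverses the offset-13 shift (assuming the file is produced by adding 13 to each byte, which Firefox's reader subtracts), parses each lockPref/pref/defaultPref line, and reports every required preference that is missing, has the wrong value, or is set but not locked. REQUIRED_LOCKS, PREF_RE, audit() and the embedded SAMPLE_CFG are this example's own constructions; the sample deliberately mirrors the page's sample file in leaving security.enable_ssl3 true, which V-15982 requires to be false, so the audit reports it.

```python
import re

OBSCURE_OFFSET = 13  # mozilla.cfg byte-shift offset described in V-19743 above

# Preferences the rules on this page require to be locked, with the expected value.
REQUIRED_LOCKS = {
    "security.enable_ssl3": False,                       # V-15982
    "security.enable_tls": True,                         # V-15983
    "security.default_personal_cert": "Ask Every Time",  # V-15768
    "network.protocol-handler.external.shell": False,    # V-15771
    "browser.formfill.enable": False,                    # V-15774
    "signon.prefillForms": False,                        # V-15775
    "signon.rememberSignons": False,                     # V-15776
    "privacy.sanitize.sanitizeOnShutdown": True,         # V-15777
    "privacy.sanitize.promptOnSanitize": False,          # V-15777
    "dom.disable_window_open_feature.status": True,      # V-15778, V-15988
    "dom.disable_window_move_resize": True,              # V-15779
    "dom.disable_window_flip": True,                     # V-15985
    "dom.event.contextmenu.enabled": False,              # V-15986
    "dom.disable_window_status_change": True,            # V-15987
    "security.warn_leaving_secure": True,                # V-15989
    "app.update.enabled": False,                         # V-19741
    "extensions.update.enabled": False,                  # V-19742
    "browser.search.update": False,                      # V-19744
}

# One pref call per line; pref()/defaultPref() also match so unlocked settings get reported.
PREF_RE = re.compile(r'^(lockPref|pref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?$')

def obscure(text: str, offset: int = OBSCURE_OFFSET) -> bytes:
    """Encode plaintext into the byte-shifted form written to disk as mozilla.cfg (assumed +13)."""
    return bytes((b + offset) & 0xFF for b in text.encode("utf-8"))

def unobscure(data: bytes, offset: int = OBSCURE_OFFSET) -> str:
    """Reverse obscure(): subtract the offset from every byte."""
    return bytes((b - offset) & 0xFF for b in data).decode("utf-8")

def parse_value(raw: str):
    """JavaScript literal from a pref call -> Python bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    return raw[1:-1] if raw.startswith('"') else int(raw)

def parse_cfg(text: str) -> dict:
    """Map pref name -> (value, locked). Comment lines (//) never match."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line.strip())
        if match:
            call, name, raw = match.groups()
            prefs[name] = (parse_value(raw), call == "lockPref")
    return prefs

def audit(cfg_bytes: bytes) -> list:
    """(pref, reason) for each required lock that is missing, wrong, or not locked."""
    prefs = parse_cfg(unobscure(cfg_bytes))
    findings = []
    for name, expected in REQUIRED_LOCKS.items():
        if name not in prefs:
            findings.append((name, "not set"))
            continue
        value, locked = prefs[name]
        if value != expected:
            findings.append((name, f"wrong value: {value!r}"))
        if not locked:
            findings.append((name, "not locked"))
    return findings

# Constructed sample: like the page's sample it leaves security.enable_ssl3 true; it
# also sets browser.formfill.enable with pref() instead of lockPref() and omits
# browser.search.update entirely, so audit() reports three findings.
SAMPLE_CFG = """//
lockPref("security.enable_ssl3", true);
lockPref("security.enable_tls", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("network.protocol-handler.external.shell", false);
pref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("signon.rememberSignons", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("security.warn_leaving_secure", true);
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
"""
```

To audit a deployed file, read it in binary mode and pass the bytes to audit(); obscure(SAMPLE_CFG) stands in for that here.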

Firefox automatically checks for updated version of installed Search plugins.
Medium - V-19744 - SV-21890r1_rule
Severity: Medium
Version: DTBF085
Vuln IDs: V-19744
Rule IDs: SV-21890r1_rule
Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-24190r1_chk

Type "about:config" in the browser window. Verify the preference "browser.search.update" is set to "false" and locked. Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.

Fix: F-20416r2_fix

Ensure the preference "browser.search.update" is set and locked to the value of "false".