Open Bug 1765965 Opened 2 years ago Updated 2 years ago

Firefox installer can be installed bypassing restricted controls set in domain policies on Windows

Categories: Firefox :: Installer, defect, P3

Version: Firefox 99

Status: UNCONFIRMED

People: Reporter: chuck.tsang, Unassigned

Attachments: 1 file

Steps to reproduce:

On an account which does not have access to install software:

  1. Download the Mozilla Firefox installer from: https://www.mozilla.org/en-GB/firefox/browsers/

  2. Once downloaded, click to install and wait for the dialog box requesting an elevated account to install. Click “No” or “Cancel”.

  3. Wait, and the install continues.

  4. Open the Firefox browser.

Actual results:

A user who should not be able to install applications on Windows was able to install and start using the Firefox browser.

Expected results:

The install should have stopped and Firefox should not have been installed. I have attached the install log if that helps.

Attachment #9273418 - Attachment mime type: text/x-log → text/plain
Component: Untriaged → Installer

As far as I know, there is no way to prevent installing apps into the user profile. This is a limitation of Windows.

The user has access to their own directory, so they can install things there.

You would have to add a corporate policy preventing running things from that directory.

I know someone asked if we could create a policy that prevented the installer from installing to the local user directory if it was set. That's about the only thing we could do.

> (In reply to Mike Kaply [:mkaply] from comment #1)
>
> I know someone asked if we could create a policy that prevented the installer from installing to the local user directory if it was set. That's about the only thing we could do.

How would this work? We'd add support in the installer for checking for some group policy?

Even if the installer was unable to run, folks could run a zip build if they were that intent (unless there were also restrictions to prevent those from being opened -- but that would be entirely out of our control, I think).

> (In reply to bhearsum@mozilla.com (:bhearsum) from comment #2)
>
> > (In reply to Mike Kaply [:mkaply] from comment #1)
> >
> > I know someone asked if we could create a policy that prevented the installer from installing to the local user directory if it was set. That's about the only thing we could do.
>
> How would this work? We'd add support in the installer for checking for some group policy?

Yep, just checking a registry entry.

> Even if the installer was unable to run, folks could run a zip build if they were that intent (unless there were also restrictions to prevent those from being opened -- but that would be entirely out of our control, I think).

In theory we could use policy to not even allow Firefox to run if it is in user space on the disk.

I really want to do more research, though, to see if other products try this hard to prevent it.

Severity: -- → S3
Priority: -- → P3
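A defender-side check for the situation comments 1 and 3 discuss (Firefox installed into, or run from, the user profile instead of a machine-wide location), as an added example that is not part of this bug or of Mozilla's code. The user-writable roots, the %LOCALAPPDATA%\Mozilla Firefox per-user install path and the sample inventory are constructed for illustration; a real inventory would come from a process or file listing.

```python
import ntpath

# Roots a standard user can write to. Constructed for this example from the
# usual Windows profile layout; a real inventory would resolve them per user.
USER_WRITABLE_ROOTS = [
    r"C:\Users\alice\AppData\Local",
    r"C:\Users\alice\AppData\Roaming",
    r"C:\Users\alice\Downloads",
]

# Roots that only an elevated installer can write to.
MACHINE_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)"]

def _norm(path):
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, root):
    """True if path is root itself or lies below it (no '(x86)' false match)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + ntpath.sep)

def classify_install(exe_path):
    """Return 'machine', 'per-user' or 'unknown' for an executable's location."""
    if any(_under(exe_path, r) for r in MACHINE_ROOTS):
        return "machine"
    if any(_under(exe_path, r) for r in USER_WRITABLE_ROOTS):
        return "per-user"
    return "unknown"

def find_per_user_firefox(exe_paths):
    """Keep only Firefox binaries living where a non-admin user could have
    written them: the profile fallback this bug describes, or an unpacked
    ZIP build as mentioned in comment 2."""
    return [
        p for p in exe_paths
        if ntpath.basename(p).lower() == "firefox.exe"
        and classify_install(p) == "per-user"
    ]

# Constructed sample inventory, e.g. from a process or file listing.
SAMPLE_PATHS = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\alice\AppData\Local\Mozilla Firefox\firefox.exe",  # assumed per-user path
    r"C:\Users\alice\Downloads\firefox\firefox.exe",
]

if __name__ == "__main__":
    for p in find_per_user_firefox(SAMPLE_PATHS):
        print("Firefox running from a user-writable location:", p)
```

The same prefix test is what a path-based execution policy for those directories would enforce; this script only reports, it does not block.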

I don't think this needs to be security sensitive - Mike, is that right?

Flags: needinfo?(mozilla)

No, I don't think it does. This is a known thing.

Flags: needinfo?(mozilla)
Group: firefox-core-security

See https://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

> This setting affects Windows Installer [that is, msiexec.exe] only. It does not prevent users from using other methods to install and upgrade programs.

Adding the Qa-not-actionable tag.

QA Whiteboard: [qa-not-actionable]

Side note, I'm pretty sure Chrome has this same issue.
