Bug 266533 - Support a Firefox "protected mode" (or work with Windows Vista protected mode)
Status: RESOLVED DUPLICATE of bug 925570
Whiteboard: [sg:want]
Keywords: sec-want
Product: Toolkit
Component: Startup and Profile System
Version: Trunk
Platform: x86 Windows Vista
Importance: -- enhancement with 39 votes
Assigned To: Nobody; OK to take it and work on it
Duplicates: 325685 536731 557734
Blocks: 352420
Reported: 2004-10-28 13:36 PDT by John M
Modified: 2014-06-09 23:56 PDT
CC: 45 users
Flags: reed: wanted1.9+
Description John M 2004-10-28 13:36:06 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

Restricted mode is an extra-security feature for programs running under Windows
XP that prevents them from doing some activities that are considered harmful.
E.g., adding items to the Desktop, or, according to
http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx (the blog of
a Microsoft employee), accessing the user's profile at all.

Firefox refuses to start in this mode. No error message appears, it just dies
immediately. If you uncheck the "Protect my computer..." checkbox, Firefox
starts normally.

Reproducible: Always
Steps to Reproduce:

To recreate (must use Win XP - I'm using SP2),
1. Right click a shortcut for Firefox. On the Shortcut tab, press the Advanced
button and select the checkbox, "Run with different credentials".
2. Double-click the shortcut.
3. Click "OK" in the RunAs dialog.
As an alternative, can right-click the shortcut, choose Run As, and click OK
(the checkbox is checked by default).
Actual Results:  
Firefox does not start. It disappears from memory immediately. I couldn't even
see it in the task list.

Expected Results:  
It should have started. It works fine when you uncheck the "Protect my
computer..." checkbox.

I've got most of the security settings dialed up. E.g., Data Execution
Prevention, not running as an administrator, etc.
Comment 1 John M 2004-10-28 14:22:50 PDT
I think Startup and Profile System is a better Component for this bug. This is 
somewhat similar to 245583, but here Firefox doesn't start (the other one deals 
with the wrong profile).
Comment 2 Mike Connor [:mconnor] 2004-10-28 14:31:26 PDT
Well, you kinda nailed it.  Unlike IE, we don't store settings in the registry,
we store them in the user profile.  Which is why it's not going anywhere.

If you also specify another location for the firefox profile (-profile "C:\foo")
then that might work.
Comment 3 Dave Methvin 2004-11-17 08:59:43 PST
Perhaps Firefox could load a set of default values if it can't open the 
profile? "Protect my computer..." is a very nice feature, it would be great to 
have Firefox work with it.
Comment 4 Stewart 2005-06-26 09:54:19 PDT
When someone is running in this protected mode, it's possibly (likely) because
they're going to access a website(s) that they feel may be dangerous to their
system. I agree with the above comment but would like to expand on it; what
about opening Mozilla in a kiosk-like mode with a default set of values that are
reasonable; ie; no bookmarks, history, stored cookies (memory-only would be
acceptable, if not necessary), cache, etc.

Maybe even bring up a dialog that informs users that it can't find/access the
profile, nor can it create one, so it's running in fail-safe mode. This would
also come in handy for those times when the profile becomes inaccessible for a
variety of other reasons.
Comment 5 Gervase Markham [:gerv] 2005-09-27 01:46:47 PDT
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
Comment 6 Benjamin Smedberg AWAY UNTIL 2-AUG-2016 [:bsmedberg] 2005-09-27 09:07:14 PDT
Let's make this the "protected-mode Firefox" bug.
Comment 7 Brian 'netdragon' Bober 2006-03-08 06:35:05 PST
Re comment #4. Let's move away from dialog boxes, and show a different home page with a warning instead.
Comment 8 Ian Macfarlane 2006-08-24 02:14:00 PDT
On Vista Firefox should obviously use Vista protected mode, but on other versions of Windows, you can use something called DropMyRights (see http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp) to reduce your level of privilege.

There are issues with updating in reduce-rights mode, see bug 303595.
Comment 9 Doug Turner (:dougt) 2006-09-19 16:08:21 PDT
Good read on what ie7 does on vista:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

Not sure how much we have to do immediately on FF since UAC blocks most (if not all) writes to protected areas even while admin.
Comment 10 Rob Roy 2006-12-28 08:48:04 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

It should be noted that the program DropMyRights also causes the program (FF 2.0) to fail with the following command switch:

U (Untrusted) gives the following error: "The application failed to initialize properly (0xc0000142)..."

The denied SIDs are found in table 4 here:
http://msdn2.microsoft.com/en-us/library/ms972827.aspx


Comment 11 gabe 2007-03-30 13:33:34 PDT
http://www.microsoft.com/technet/security/advisory/935423.mspx

shows how protected mode in IE renders a dangerous bug almost completely harmless; it still can crash the browser but can't infect the computer
Comment 12 gabe 2007-04-04 13:18:34 PDT
http://www.arnnet.com.au/index.php/id;681455218;fp;4;fpid;1382389953
Firefox vulnerable to same bug as IE, except Firefox is more dangerous on Vista than IE for the cursor exploit
Comment 13 Daniel Ovsiannikov 2007-05-23 07:54:24 PDT
I already tried setting Low Mandatory Label to firefox.exe and it mostly works but still has some issues: 
1. The warning if I want to launch the executable (firefox.exe);
2. Interop with other apps is broken: other apps try to launch another instance of Fx instead of passing arguments to already running one; most apps launched from Fx (Download Managers, editors, etc..) sometimes fail to work as they inherit Low Integrity mode. 
Comment 14 Marco Bonardo [::mak] (Away 6-20 Aug) 2007-07-05 09:34:03 PDT
*** Bug 325685 has been marked as a duplicate of this bug. ***
Comment 15 Jesse Ruderman 2007-07-07 15:09:53 PDT
See also bug 387248, similar bug for Mac OS 10.5 (Leopard).
Comment 16 Ian Macfarlane 2008-12-15 01:44:24 PST
With regards to Comment 10, I've been using Firefox with DropMyRights (set to the next level of security up only, not the most secure mode) for over a year, with both Firefox 2 and 3, and I've had no real problems.

The only issue I can think of is launching .exe files where you need a greater level of privileges to install them, but that's rare (and I think only due to badly written programs).
Comment 17 Ian Macfarlane 2008-12-18 01:36:39 PST
Sorry, to clarify Comment 16 - I've been running Firefox as a "normal user" when using an administrator account (as many people will be). This is a pretty quick win to implement I would have thought (as Firefox should definitely run in "normal user" accounts).

Working with lower levels of privileges is more problematic - when trying to run as a "constrained user" the firefox.exe process doesn't appear to even appear in the Windows task manager and running as an "untrusted user" causes a Windows Application Error message saying it failed to initialize properly.

(sorry for bug spam, I didn't think my previous comment was clear enough)
Comment 18 Andrew Hagen 2009-03-21 10:54:34 PDT
I don't think Microsoft has published an API for just any program to use "Protected Mode." I believe Microsoft's "Protected Mode" is intended to only apply to IE7 and IE8. 

What we could do is roll our own solution.
Comment 19 Jim Mathies [:jimm] 2009-03-21 11:51:32 PDT
(In reply to comment #18)
> I don't think Microsoft has a published an API for just any program to use
> "Protected Mode." I believe Microsoft's "Protected Mode" is intended to only
> apply to IE7 and IE8. 
> 
> What we could do is roll our own solution.

It's based on running at a lower integrity level. Firefox, with a few minor tweaks, can execute in this type of environment but a lot of stuff doesn't work right.

Future work on this is waiting on process-per-tab.
Comment 20 Brendan Eich [:brendan] 2009-03-21 14:18:09 PDT
(In reply to comment #19)
> (In reply to comment #18)
> Future work on this is waiting on process-per-tab.

Which bug is that? The process-per-tab name is inaccurate, since we can't afford 300+ processes (neither can Chrome or IE). Process isolation is a better term but not great. Suggestions welcome; mainly I'm concerned about setting false or naive expectations. Chrome uses processes to protect your OS including local filesystem from web content. It does not process-isolate each origin from every other.

/be
Comment 21 Jim Mathies [:jimm] 2009-03-21 14:38:54 PDT
(In reply to comment #20)
> (In reply to comment #19)
> > (In reply to comment #18)
> > Future work on this is waiting on process-per-tab.
> 
> Which bug is that? The process-per-tab name is inaccurate, since we can't
> afford 300+ processes (neither can Chrome or IE). Process isolation is a better
> term but not great Suggestions welcome, mainly I'm concerned about setting
> false or naive expectations. Chrome uses processes to protect your OS including
> local filesystem from web content. It does not process-isolate each origin from
> every other.
> 
> /be

Bug 452272. The exact details of what is to be implemented really haven't been discussed heavily yet.
Comment 22 Brian Carpenter [:geeknik] 2009-03-21 15:16:41 PDT
Just an FYI, but Chrome doesn't assign a new process to a tab unless that tab is actually doing something, like displaying a web page. So saying that every tab has its own process is not 100% true. To prove this, you can go and open up Chrome 2.0.170.0 right now with 300 tabs and there will only be 2 processes shown in Vista's task manager. Now when you start loading up those tabs with websites, you'll start seeing new processes spawned in task manager.
Comment 23 Andrew Hagen 2009-03-21 16:13:53 PDT
I see two ways to go. We could follow IE and run everything in a lower-trust level "protected mode." That's what this bug report proposes. On the other hand, we could use sandboxing. That seems to be the more modern technique. It is used by Webkit browsers like Chrome. Microsoft's proposed "Gazelle" browser would also use sandboxing.
Comment 24 Mike Shaver (:shaver -- probably not reading bugmail closely) 2009-03-21 16:16:07 PDT
A sandbox that doesn't run at reduced privileges is pointless, afaict, and IE doesn't run everything in a lower-trust protected mode.  If it did, it would be very hard to save files, use the clipboard, or drag and drop.

Are there WebKit browsers other than Chrome that have sandbox implementations?
Comment 25 Andrew Hagen 2009-04-17 14:47:09 PDT
As mentioned above by other commenters, what we can do for Windows Vista (as well as Windows 7, Windows Server 2008, etc) is run certain processes at different integrity levels. 

Here is a PDF from Symantec that details the integrity levels, and some other links. 

http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf

http://www.securityfocus.com/infocus/1887/1

http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx

http://msdn.microsoft.com/en-us/library/bb625963.aspx

Every process is assigned an integrity level by the OS. 

"High" integrity allows write access into program folders. The parts of the installer that need to write to those folders can use this integrity level. 

"Medium" integrity allows write access into user-specific folders. The parts of Firefox that write data to cache or to preferences can use this integrity level. 

"Low" integrity allows write access into only the "Low" subfolder of "Temporary Internet Files", etc, and into limited registry keys. Most of Firefox could run in this integrity level. In doing so, we will have confined any exploits that might stem from one of these processes to this integrity level. 

The Symantec article says, "A process cannot interact with another process that has a higher integrity level." This means we would need inter-process communication between processes as appropriate. 

We could use one process as the sandbox gatekeeper, so to speak. When Firefox starts, we could launch a medium-integrity process that launches other processes (such as Gecko), usually at low integrity. A medium integrity process can launch a low integrity process, but not the other way around. The gatekeeper would always be running, and thus keeping it small would be prudent.

If it were possible, maybe we could start a low integrity process that had access to the user's Firefox cache folder, for example. We could then also limit the cache process to a low-integrity process. 

(After some research, "sandboxing"  refers to a variety of different techniques, rather than a specific one. IE's "Protected Mode" involves various techniques, including using integrity levels.)
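As an added example (not code from this bug or from Mozilla), the following PowerShell script applies the "Low Mandatory Label on the executable" approach from comment 13 to a scratch copy of cmd.exe and then checks the integrity-level behaviour comment 25 describes: a Low child cannot write into the Medium-labelled user profile but can write into a Low-labelled folder. The scratch paths under %TEMP% and the probe file names are assumptions; run it from an ordinary non-elevated (Medium) PowerShell on Vista or later.

```powershell
# Added example, not Mozilla code. Assumed scratch locations under %TEMP%.
$work   = Join-Path $env:TEMP 'lowil-demo'
$lowDir = Join-Path $work 'low'        # stand-in for IE's "Low" subfolder
New-Item -ItemType Directory -Force $work, $lowDir | Out-Null

# 1. Low-labelled copy of the executable. CreateProcess runs a child at the
#    file's integrity level when that is below the parent's, which is what
#    putting a Low label on firefox.exe (comment 13) relies on.
$lowExe = Join-Path $work 'cmd-low.exe'
Copy-Item (Join-Path $env:SystemRoot 'System32\cmd.exe') $lowExe -Force
icacls $lowExe /setintegritylevel Low | Out-Null

# 2. Low-labelled directory the child is allowed to write to; (OI)(CI) makes
#    new files and subfolders inherit the label.
icacls $lowDir /setintegritylevel '(OI)(CI)Low' | Out-Null

# 3. Probe batch file run by the Low child: print its integrity SID, then try
#    one write into the profile (Medium, should be denied) and one into the
#    Low folder (should succeed). %USERPROFILE% is expanded by the child.
$probe = Join-Path $work 'probe.cmd'
@"
@echo off
whoami /groups | findstr /c:"Mandatory Level"
echo x > "%USERPROFILE%\lowil-probe.txt" && echo PROFILE-WRITE-OK || echo PROFILE-WRITE-DENIED
echo x > "$lowDir\probe.txt" && echo LOW-WRITE-OK || echo LOW-WRITE-DENIED
"@ | Set-Content -Path $probe -Encoding Ascii

# 4. Launch through the Low-labelled copy so the whole probe runs at Low.
& $lowExe /c $probe

# Tidy up in case the profile write unexpectedly succeeded.
Remove-Item (Join-Path $env:USERPROFILE 'lowil-probe.txt') -ErrorAction SilentlyContinue
```

To see the difference the label makes, relabel the copy with `icacls $lowExe /setintegritylevel Medium` and run the probe again: both writes then succeed and whoami reports the Medium SID.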
Comment 26 Jo Hermans 2009-12-25 09:19:01 PST
*** Bug 536731 has been marked as a duplicate of this bug. ***
Comment 27 Henrik Skupin (:whimboo) 2009-12-26 02:47:39 PST
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Flag|blocking1.9-                |

Ruben, please stop removing flags like that one above. It's not in your scope. Thanks.
Comment 28 ruben.nesvadba 2009-12-26 13:12:43 PST
(In reply to comment #27)
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >              Flag|blocking1.9-                |
> Ruben, please stop removing flags like that one above. It's not in your scope.
> Thanks.

Ok, sorry, won't do it again.
Comment 29 ruben.nesvadba 2010-02-04 05:39:43 PST
Any new developments on this bug?
Comment 30 julien.t43+mozilla 2010-03-24 13:37:12 PDT
interesting link on how to implement low integrity level quickly on firefox

Internet Explorer 7 Protected-mode vs Firefox (2008)
http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html
Comment 31 Jo Hermans 2010-04-07 04:15:07 PDT
*** Bug 557734 has been marked as a duplicate of this bug. ***
Comment 32 Marco Castelluccio [:marco] 2011-12-27 16:05:52 PST
We should rename this bug to "Implement a sandbox for Firefox", or something like this.
Comment 33 Ian Melven :imelven 2012-04-18 19:23:37 PDT
See https://wiki.mozilla.org/Features/Security/Low_rights_Firefox

bug 730956 may be a dupe of this
Comment 34 Joseph D. Wagner 2014-06-09 17:00:51 PDT
We're coming up on 10 years for this security feature request.  IE and Chrome implement it.  Any updates on Firefox implementing it?
Comment 35 Jim Mathies [:jimm] 2014-06-09 23:56:19 PDT

*** This bug has been marked as a duplicate of bug 925570 ***
