Closed Bug 266533 Opened 20 years ago Closed 10 years ago

Support a Firefox "protected mode" (or work with Windows Vista protected mode)

Categories

(Toolkit :: Startup and Profile System, enhancement)

x86
Windows Vista
enhancement
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 925570

People

(Reporter: john_mcdonnell, Unassigned)

References

Details

(Keywords: sec-want, Whiteboard: [sg:want])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

Restricted mode is an extra-security feature for programs running under Windows
XP that prevents them from doing some activities that are considered harmful.
E.g., adding items to the Desktop, or, according to
http://blogs.msdn.com/aaron_margosis/archive/2004/09/10/227727.aspx (the blog of
a Microsoft employee), accessing the user's profile at all.

Firefox refuses to start in this mode. No error message appears, it just dies
immediately. If you uncheck the "Protect my computer..." checkbox, Firefox
starts normally.

Reproducible: Always
Steps to Reproduce:

To recreate (must use Win XP - I'm using SP2),
1. Right click a shortcut for Firefox. On the Shortcut tab, press the Advanced
button and select the checkbox, "Run with different credentials".
2. Double-click the shortcut.
3. Click "OK" in the RunAs dialog.
As an alternative, can right-click the shortcut, choose Run As, and click OK
(the checkbox is checked by default).
Actual Results:  
Firefox does not start. It disappears from memory immediately. I couldn't even
see it in the task list.

Expected Results:  
It should have started. It works fine when you uncheck the "Protect my
computer..." checkbox.

I've got most of the security settings dialed up. E.g., Data Execution
Prevention, not running as an administrator, etc.
I think Startup and Profile System is a better Component for this bug. This is 
somewhat similar to 245583, but here Firefox doesn't start (the other one deals 
with the wrong profile).
Component: OS Integration → Startup and Profile System
Well, you kinda nailed it.  Unlike IE, we don't store settings in the registry,
we store them in the user profile.  Which is why it's not going anywhere.

If you also specify another location for the firefox profile (-profile "C:\foo")
then that might work.
Component: Startup and Profile System → OS Integration
Assignee: bugs → bsmedberg
Component: OS Integration → Startup and Profile System
QA Contact: firefox.os-integration → bsmedberg
Assignee: bsmedberg → nobody
Severity: normal → enhancement
Perhaps Firefox could load a set of default values if it can't open the 
profile? "Protect my computer..." is a very nice feature, it would be great to 
have Firefox work with it.
When someone is running in this protected mode, it's possibly (likely) because
they're going to access a website(s) that they feel may be dangerous to their
system. I agree with the above comment but would like to expand on it; what
about opening Mozilla in a kiosk-like mode with a default set of values that are
reasonable; i.e., no bookmarks, history, stored cookies (memory-only would be
acceptable, if not necessary), cache, etc.

Maybe even bring up a dialog that informs users that it can't find/access the
profile, nor can it create one, so it's running in fail-safe mode. This would
also come in handy for those times when the profile becomes inaccessible for a
variety of other reasons.
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
Let's make this the "protected-mode Firefox" bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Failure to start when using Run As command and "Protect my computer and data from unauthorized program activity" checkbox → Support a Firefox "protected mode" (or work with Windows protected mode)
Re comment #4. Let's move away from dialog boxes, and show a different home page with a warning instead.
On Vista Firefox should obviously use Vista protected mode, but on other versions of Windows, you can use something called DropMyRights (see http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp) to reduce your level of privilege.

There are issues with updating in reduce-rights mode, see bug 303595.
Blocks: 352420
Good read on what ie7 does on vista:

http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

Not sure how much we have to do immediately on FF since UAC blocks most (if not all) writes to protected areas even while admin.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

It should be noted that the program DropMyRights also causes the program (FF 2.0) to fail with the following command switch:

U (Untrusted) gives the following error: "The application failed to initialize properly (0xc0000142)...

The denied SIDs are found in table 4 here:
http://msdn2.microsoft.com/en-us/library/ms972827.aspx


QA Contact: benjamin → startup
http://www.microsoft.com/technet/security/advisory/935423.mspx

shows how protected mode in IE renders a dangerous bug almost completely harmless: it can still crash the browser but can't infect the computer
http://www.arnnet.com.au/index.php/id;681455218;fp;4;fpid;1382389953
Firefox is vulnerable to the same bug as IE, except Firefox is more dangerous on Vista than IE for the cursor exploit
I already tried setting Low Mandatory Label to firefox.exe and it mostly works but still has some issues: 
1. The warning if I want to launch the executable (firefox.exe);
2. Interop with other apps is broken: other apps try to launch another instance of Fx instead of passing arguments to already running one; most apps launched from Fx (Download Managers, editors, etc..) sometimes fail to work as they inherit Low Integrity mode. 
Flags: blocking-firefox3?
Summary: Support a Firefox "protected mode" (or work with Windows protected mode) → Support a Firefox "protected mode" (or work with Windows Vista protected mode)
See also bug 387248, similar bug for Mac OS 10.5 (Leopard).
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [wanted-firefox3]
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
Version: unspecified → Trunk
Depends on: 396196
Assignee: nobody → jmathies
OS: Windows XP → Windows Vista
Product: Firefox → Toolkit
No longer depends on: 396196
Depends on: 452272
With regards to Comment 10, I've been using Firefox with DropMyRights (set to the next level of security up only, not the most secure mode) for over a year, with both Firefox 2 and 3, and I've had no real problems.

The only issue I can think of is launching .exe files where you need a greater level of privileges to install them, but that's rare (and I think only due to badly written programs).
Sorry, to clarify Comment 16 - I've been running Firefox as a "normal user" when using an administrator account (as many people will be). This is a pretty quick win to implement I would have thought (as Firefox should definitely run in "normal user" accounts).

Working with lower levels of privileges is more problematic - when trying to run as a "constrained user" the firefox.exe process doesn't even appear in the Windows task manager, and running as an "untrusted user" causes a Windows Application Error message saying it failed to initialize properly.

(sorry for bug spam, I didn't think my previous comment was clear enough)
I don't think Microsoft has published an API for just any program to use "Protected Mode." I believe Microsoft's "Protected Mode" is intended to only apply to IE7 and IE8. 

What we could do is roll our own solution.
(In reply to comment #18)
> I don't think Microsoft has a published an API for just any program to use
> "Protected Mode." I believe Microsoft's "Protected Mode" is intended to only
> apply to IE7 and IE8. 
> 
> What we could do is roll our own solution.

It's based on running at a lower integrity level. Firefox, with a few minor tweaks, can execute in this type of environment but a lot of stuff doesn't work right.

Future work on this is waiting on process-per-tab.
(In reply to comment #19)
> (In reply to comment #18)
> Future work on this is waiting on process-per-tab.

Which bug is that? The process-per-tab name is inaccurate, since we can't afford 300+ processes (neither can Chrome or IE). Process isolation is a better term but not great. Suggestions welcome; mainly I'm concerned about setting false or naive expectations. Chrome uses processes to protect your OS including local filesystem from web content. It does not process-isolate each origin from every other.

/be
(In reply to comment #20)
> (In reply to comment #19)
> > (In reply to comment #18)
> > Future work on this is waiting on process-per-tab.
> 
> Which bug is that? The process-per-tab name is inaccurate, since we can't
> afford 300+ processes (neither can Chrome or IE). Process isolation is a better
> term but not great Suggestions welcome, mainly I'm concerned about setting
> false or naive expectations. Chrome uses processes to protect your OS including
> local filesystem from web content. It does not process-isolate each origin from
> every other.
> 
> /be

Bug 452272. The exact details of what is to be implemented really haven't been discussed heavily yet.
Just an FYI, but Chrome doesn't assign a new process to a tab unless that tab is actually doing something, like displaying a web page. So saying that every tab has its own process is not 100% true. To prove this, you can go and open up Chrome 2.0.170.0 right now with 300 tabs and there will only be 2 processes shown in Vista's task manager. Now when you start loading up those tabs with websites, you'll start seeing new processes spawned in task manager.
I see two ways to go. We could follow IE and run everything in a lower-trust level "protected mode." That's what this bug report proposes. On the other hand, we could use sandboxing. That seems to be the more modern technique. It is used by Webkit browsers like Chrome. Microsoft's proposed "Gazelle" browser would also use sandboxing.
A sandbox that doesn't run at reduced privileges is pointless, afaict, and IE doesn't run everything in a lower-trust protected mode.  If it did, it would be very hard to save files, use the clipboard, or drag and drop.

Are there WebKit browsers other than Chrome that have sandbox implementations?
As mentioned above by other commenters, what we can do for Windows Vista (as well as Windows 7, Windows Server 2008, etc.) is run certain processes at different integrity levels. 

Here is a PDF from Symantec that details the integrity levels, and some other links. 

http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf

http://www.securityfocus.com/infocus/1887/1

http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx

http://msdn.microsoft.com/en-us/library/bb625963.aspx

Every process is assigned an integrity level by the OS. 

"High" integrity allows write access into program folders. The parts of the installer that need to write to those folders can use this integrity level. 

"Medium" integrity allows write access into user-specific folders. The parts of Firefox that write data to cache or to preferences can use this integrity level. 

"Low integrity" allows write access into only the "Low" subfolder of "Temporary Internet Files", etc., and into limited registry keys. Most of Firefox could run in this integrity level. In doing so, we will have confined any exploits that might stem from one of these processes to this integrity level. 

The Symantec article says, "A process cannot interact with another process that has a higher integrity level." This means we would need inter-process communication between processes as appropriate. 

We could use one process as the sandbox gatekeeper, so to speak. When Firefox starts, we could launch a medium-integrity process that launches other processes (such as Gecko), usually at low integrity. A medium integrity process can launch a low integrity process, but not the other way around. The gatekeeper would always be running, and thus keeping it small would be prudent.

If it were possible, maybe we could start a low integrity process that had access to the user's Firefox cache folder, for example. We could then also limit the cache process to a low-integrity process. 

(After some research, "sandboxing" refers to a variety of different techniques, rather than a specific one. IE's "Protected Mode" involves various techniques, including using integrity levels.)
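The integrity-level layout described in this comment (a Low-labelled writable area, everything else off-limits to a Low process) can be tried on a stock Vista-or-later machine with the tools Windows ships, which is also the "Low Mandatory Label on firefox.exe" experiment from comment 12. The script below is an added example written for this page; it is not code from the bug, from DropMyRights or from Mozilla. The paths in `$AppExe` and `$ScratchDir` are placeholders, and it assumes the target program accepts a `-profile <dir>` argument the way comment 2 describes for Firefox.

```powershell
# Added example (not from bug 266533 or Mozilla): confine a program to Low
# integrity and give it a Low-labelled scratch directory it is allowed to write.
# $AppExe and $ScratchDir are assumed placeholder paths.

param(
    [string]$AppExe     = 'C:\Sandbox\app\example.exe',   # placeholder, assumed
    [string]$ScratchDir = 'C:\Sandbox\low-scratch'        # placeholder, assumed
)

# The integrity level of the launching process shows up in its token's group
# list as 'Mandatory Label\<Level> Mandatory Level'.
function Get-CurrentIntegrityLevel {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    ($groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'
}

# Label a directory Low with (OI)(CI) so files created inside inherit the label.
# A Low process can write here; unlabelled folders such as the profile default to
# Medium and stay read-only for it (the "no write up" rule).
function New-LowIntegrityDirectory {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    icacls $Path /setintegritylevel '(OI)(CI)Low' | Out-Null
    icacls $Path   # shows 'Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)'
}

# Labelling the executable itself Low makes the loader start it at Low integrity.
# Every process it spawns inherits that level, which is the interop breakage
# comment 12 reports.
function Set-LowIntegrityExecutable {
    param([string]$Path)
    icacls $Path /setintegritylevel Low | Out-Null
    icacls $Path   # shows 'Mandatory Label\Low Mandatory Level:(NW)'
}

Write-Host "Launcher runs at: $(Get-CurrentIntegrityLevel)"
New-LowIntegrityDirectory -Path $ScratchDir
Set-LowIntegrityExecutable -Path $AppExe

# Point the program's writable state at the Low-labelled directory and start it.
Start-Process -FilePath $AppExe -ArgumentList @('-profile', "`"$ScratchDir`"")
```

Run it from a Medium-integrity (non-elevated) shell; `whoami /groups` prints `Mandatory Label\Medium Mandatory Level` there, and the same command run from the launched program prints the Low label. Anything the program keeps outside `$ScratchDir` fails to write, which is the concrete reason this comment proposes a separate Medium-integrity gatekeeper that brokers profile and preference writes on behalf of the Low-integrity content processes rather than labelling the whole application Low.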
Assignee: jmathies → nobody
No longer depends on: 452272
Blocks: e10s
Flags: blocking1.9-
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Flag|blocking1.9-                |

Ruben, please stop removing flags like that one above. It's not in your scope. Thanks.
(In reply to comment #27)
> >           What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >              Flag|blocking1.9-                |
> Ruben, please stop removing flags like that one above. It's not in your scope.
> Thanks.

Ok, sorry, won't do it again.
Any new developments on this bug?
Interesting link on how to implement low integrity level quickly on Firefox

Internet Explorer 7 Protected-mode vs Firefox (2008)
http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html
Whiteboard: [sg:want]
We should rename this bug to "Implement a sandbox for Firefox", or something like this.
No longer blocks: e10s
Depends on: e10s
No longer depends on: e10s
We're coming up on 10 years for this security feature request.  IE and Chrome implement it.  Any updates on Firefox implementing it?
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE