How to make Firefox Quantum compatible to Windows low integrity level mode? [very effectice way to prevent malware]


(mario7712) #1

Hi,

in pre Quantum versions (i.e. FF52 ESR), you could make your Firefox safe against malware with a simple trick. It was little known but very effective because it uses Windows tools to limit Firefox abilities to write or modify files. One can use the Windows program icacls to limit write access to a selected set of subfolders. Here is how it worked:

icacls "C:\Program Files\Mozilla Firefox\firefox.exe" /setintegritylevel low
icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Temp" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Mozilla\updates" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Roaming\Mozilla\Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\Local\Mozilla\Firefox" /setintegritylevel (oi)(ci)low
icacls "C:\Users\[...]\AppData\LocalLow\Mozilla" /setintegritylevel (oi)(ci)low
icacls "[...]\Downloads" /setintegritylevel (oi)(ci)low
icacls "[...]\Firefox Profile" /setintegritylevel (oi)(ci)low

Then I updated to Quantum (i.e. FF60) and now this seems to not work anymore. After I secured Firefox in this way and started Firefox, Firefox then doesn’t show any websites (just grey area), no popups etc. The whole Firefox UI seems to be broken.

Does anyone know how to fix this? For example, are there additional folders I need to give access to? Or is this not possible in post Quantum Firefox because of this new process architecture etc.?

Sorry for posting this here, I tried support.mozilla.org/, but there no one had the level of understanding to understand my question. I hope that here I can meet some taltented people which whom I can discuss this quite technical question.

It’s also intersting for the developers. If for example a change in the Firefox architecture prevents that technique from working at all, one could maybe change the architecture a little bit to make it work again. Because low integrity level mode is a very simple but effectice way to make a web browser more secure. Internet Explorer uses this by default. And I think it should be of high interest to be at least as good as Internet Explorer in terms of support for security features :slight_smile:


(mario7712) #2

Just found this: https://bugzilla.mozilla.org/show_bug.cgi?id=1433065

Sounds very related. But it has the status “VERIFIED FIXED”, however, it still doesn’t work for me…


(jscher2000) #3

Firefox 61 has this in about:config

security.sandbox.content.level = 5

The meaning of the different levels is in this article:

https://wiki.mozilla.org/Security/Sandbox#Windows

That is for content processes; the browser process itself still runs with higher privileges.