Firefox 12 will be able to bypass UAC and possibly corporate security settings

Subject: General Tech | April 24, 2012 - 01:01 PM |
Tagged: UAC, security, firefox

One of the causes of the adoption of Google's Chrome browser in the workplace is that for the most part, since it installs under your user directory it can bypass the limited permissions on most business computers, letting the user install something without consulting IT.  This is a minor security concern as Chrome runs with limited permissions and is certainly not more inherently vulnerable than the old corporate standby, IE6.

According to The Inquirer Firefox will be starting to do something similar but with larger repercussions.  FireFox 12 will be whitelisted on UAC, allowing system level access to the program.  While this does mean that if they are successful users will be running up to date software and not require IT resources to upgrade FireFox every month or so, it also introduces a powerful attack vector for infections.  A silent FireFox update might not be from Mozilla and could instead be from malware online, creating a system vulnerability that the user is completely unaware of until obvious symptoms start to show, by which time it could be too late to stop the spread of an infection to the network or to clients machines.  The update is due out today, so keep a close eye on your FireFox installation for now.

 

View Full Size

"SOFTWARE DEVELOPER Mozilla will bypass Windows' user account control (UAC) to implement silent updating in its Firefox 12 web browser.

Mozilla's Firefox 12 is expected to be released today, and the outfit claims it will bypass Windows UAC in order to enable silent updating. Since Mozilla put Firefox on its rapid release schedule, it has put out new versions of the web browser every six weeks, leading some users to complain about the number of releases."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Inquirer
April 24, 2012 | 04:51 PM - Posted by Anonymous (not verified)

This is why firefox is not widely in the enterprise at all.

Most of the time its banned completely.

April 25, 2012 | 09:26 AM - Posted by cyow

I think it would have been better if you just got the option to turn it off by way of a message at setup say why they thing it should be off.

April 25, 2012 | 10:21 AM - Posted by Finedaible

Hmm, I don't think that it's very smart to white-list Firefox in UAC. I also don't see why you would need to, it works just fine. Sure, Firefox might be slightly annoying to update but it is more secure that way. Chrome's silent updates are nice but I still use Firefox just as much due to its more powerful extensions that Chrome could never have.

April 25, 2012 | 10:50 AM - Posted by Anonymous (not verified)

Sorry, but this is complete nonsense. There's no such thing as white-listing in UAC. The news on the Inquirer must have been written by a dumb intern, as Windows UAC simply does not offer any such functionality. And Firefox itself will never get system privileges.

Instead, Mozilla introduces a seperate component implemented as a Windows service, which is a pretty safe way of handling this problem. When Firefox wants to update itself, it asks the OS to start this service, and the OS executes the service with system privileges. The service then installs the update, and digital signatures prevent it from installing any other stuff like malware.

Also, this new service is obviously optional. You can disable it, and you can even uninstall it completely. If you do that, Firefox will update non-silently as it used to. And in enterprise environments, you wouldn't allow it to update itself anyway.

April 25, 2012 | 12:11 PM - Posted by Anonymous (not verified)

Thank you for clarification!

April 25, 2012 | 01:12 PM - Posted by Jeremy Hellstrom

Thanks for the clarifications, that is one of the problems with reporting on something before you can get your hands on it. Whitelist might not have been the best term to use, perhaps planned exploit of buggy UAC permissions?

Very glad to see it is optional ... I hadn't had time to try it until this morning.

April 25, 2012 | 05:01 PM - Posted by Anonymous (not verified)

Oh dear. You really need to get off that UAC horse.

The Mozilla maintenance service, as it is called, has nothing to do with UAC. It doesn't bypass or exploit UAC, it doesn't tamper with UAC, and it doesn't even care whether UAC is enabled or - remember Windows XP? - existant on your version of Windows. It simply allows you to perform Firefox updates without having admin rights, even on XP.

People just generally seem to muddle things up. For many, UAC has become synonymous with the mere concept of user privileges in a multi-user OS, probably because they never used standard user accounts, neither in Windows nor something other than Windows. Then, when they discover that some privileged operation can work without triggering a UAC prompt, they believe UAC must have somehow been bypassed or tricked.

But there is no trick, and there is no glaring security problem either. In fact, the same mechanism is used by Microsoft itself for Windows Update. If you set Windows to update automatically, it will do so in the background by running a service. Without prompting for admin privileges.

April 25, 2012 | 05:35 PM - Posted by Jeremy Hellstrom

I may well be wrong, in fact I hope I am ... I just don't think this is going to be a great idea for security in an enterprise environment.

I must admit I don't fully grasp exactly how it is that Firefox is going to write to a folder which the logged in user does not have write privileges to without it doing something dodgy with those privileges. I haven't had a chance to fully research this yet, but since it seems to be generating interest (and conversation) I think I probably should look more into it.

April 25, 2012 | 09:52 PM - Posted by Jeremy Hellstrom

Session 0 ... aha, I understand now.

April 26, 2012 | 07:08 AM - Posted by Anonymous (not verified)

Not really. Session separation is a security mechanism introduced with Vista, but it's not relevant to understanding service basics, and not relevant to this discussion. If you want to know more about services, go there: http://msdn.microsoft.com/en-us/library/ms685141%28v=vs.85%29.aspx

During a background update, Firefox does NOT write to its installation folder. To be more precise, the firefox.exe process does not write there. It doesn't have the privileges to do that.

When you update to Firefox 12, the update installs a system service called maintenanceservice.exe. The service is configured to run with system privileges, so it can write to the installation folder. In theory, any unprivileged program can make this service run. But if its code is written properly - and I assume that it is - it won't ever do anything else than installing Mozilla-signed update packages. Therefore, you have a working security boundary, and no privilege escalation.

Your worries regarding the enterprise usage of Firefox are also misguided. Enterprise admins are not going to deploy this service anyway.

May 18, 2012 | 02:54 PM - Posted by Anonymous (not verified)

Hate to be a jerk, but it seriously bothers me that you would publish an article with statements like "I haven't had a chance to fully research this yet."

You very obviously don't understand how Firefox is actually doing this. At the very least add an "Update:" to your article, so you aren't leading people astray. Not everyone reads the comments below.

It appears you just wanted to pump out an article before having any sort of idea how it works.

May 18, 2012 | 04:05 PM - Posted by Jeremy Hellstrom

Well, since the "I still haven't fully tested it" line comes in the comments and not the article they'd already have to be reading the comments in order to see that.

As for testing ... yes I am planning on doing it however there is no way to approach the head of IT and ask to roll out FireFox 12 on the network so I can publish an article about it. Rolling it out for testing to the web crew on the other hand will eventually happen.

I do hope to update this once I have new information on how maintenanceservice.exe interacts with a secured PC but until then you are going to have to wait.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

By submitting this form, you accept the Mollom privacy policy.