..part III FIREFOX AND SAFARI!!!!

Mozilla FiREFOX supports many features of the same features as Internet Explorer, with the exception of ActiveX and the Security Zone model. Mozilla Firefox does have the underlying support for configurable security policies (CAPS), which is similar to Internet Explorer's Security Zone model, however there is no graphical user interface for setting these options. We recommend looking in the Help, For Internet Explorer Users menu to help users understand how terminology differs between the two applications.

The following are some steps to disable various features in Mozilla Firefox. Note that some menu options may change between versions or may appear in different locations depending on the host operating system. You should adapt the steps below as appropriate.

To edit the settings for Mozilla Firefox, select Tools, then Options.

Firefox Options


You will then see an Options window that has a Category row at the top and the features for that category below. The first category of interest is the General category. Under this section, you can set Firefox as your default browser. Also select the option Always ask me where to save files. This will make it more obvious when a web page attempts to save a file to your computer.

Firefox General Options


Under the Privacy category, you will find options for browser History and Cookies. In the History section, disable the option to Remember what I enter in forms and the search bar. If the browser remembers these options, it can be a privacy violation, especially if the browser is used in a shared environment. Visited page and download history can be disabled here too.

In the Cookie section, select ask me every time. This will help make it clear when a web site is attempting to set a cookie.

Firefox Cookies

When the user is prompted, the contents of the cookie can be viewed and the user can select whether to Deny, Allow for Session, or Allow the cookie. This gives the user more information about what sites are using cookies and also gives more granular control of cookies as opposed to globally enabling them. Select Use my choice for all cookies from this site to have the browser remember your decision so that you will not be prompted each time you return to the site. Clicking the Allow for Session button will cause the cookie to be cleared when the browser is restarted. If prompting for each cookie is too excessive, the user may wish to select the Keep until: I close Firefox option. This will prevent web sites from being able to set persistent cookies.

Cookie confirmation


Many web browsers will offer the ability to store login information. In general, we recommend against using such features. Should you decide to use the feature, ensure that you use the measures available to protect the password data on your computer. Under the Security category, the Passwords section contains various options to manage stored passwords, and a Master Password feature to encrypt the data on your system. We encourage you to use this option if you decide to let Mozilla Firefox manage your passwords.

The Warn me when sites try to install add-ons option will display a warning bar at the top of the browser when a web site attempts to take such an action.

Firefox Passwords


The Content category contains an option to Enable Java. Java is a programming language that permits web site designers to run applications on your computer. We recommend disabling this feature unless required by the trusted site you wish to visit. Again, you should determine if this site is trustworthy and whether you want to enable Java to view the site’s content. After you are finished visiting the site, we recommend disabling Java until needed again.

Press the Advanced button to disable specific JavaScript features. We recommend disabling all of the options displayed in this dialog.

Firefox Web Features

Firefox Advanced Javascript


The Content section has an option to modify actions taken when files are downloaded. Any time a file type is configured to automatically open with an associated application, this can make the browser more dangerous to use. Vulnerabilities in these associated applications can be exploited more easily when they are configured to automatically open. Click the Manage button to view the current download settings and modify them if necessary.

Firefox Download Options

The Download Actions dialog will show the file types and the currently configured actions to take when the browser encounters such a file. For all listed file types, either select Remove Action or Change Action... to modify the action to save the file to the computer. This increases the amount of user action required to launch the associated applications, and will therefore help prevent automated exploitation of vulnerabilities that may exist in these applications.

Firefox Download Actions

Firefox Change Action


Firefox 1.5 and later include a feature to Clear Private Data. This option will remove potentially sensitive information from the web browser. Select Clear Private Data... from the Tools menu to use this privacy feature.

Firefox Clear Private Data

Firefox Clear Private Data

Because Firefox does not have easily-configured security zones like Internet Explorer, it can be difficult to configure the web browser options on a per-site basis. For example, a user may wish to enable JavaScript for a specific, trusted site, but have it disabled for all other sites. This functionality can be added to Firefox with an add-on, such as NoScript.

With NoScript installed, JavaScript will be disabled for sites by default. The user can allow scripts for a web site by using the NoScript icon menu. Scripts can be allowed for a site on a temporary or a more permanent basis. If Temporarily allow is selected, then scripts are enabled for that site until the browser is closed.

NoScript icon


Because many web browser vulnerabilities require scripting, configuring the browser to have scripting disabled by default greatly reduces the chances of exploitation. To extend this protection even further, NoScript can be configured to also block Java, Flash, and other plug-ins by default. This can help to mitigate any vulnerabilities in these plug-in technologies. NoScript will replace these elements with a placeholder icon, which can be clicked to enable the element. Click the NoScript icon and then click Options... to get to the NoScript configuration screen.

NoScript icon options

On the Plugins tab, select the options as follows:

NoScript Advanced Options

Aside from visiting web sites that are inherently malicious, users can also be put at risk when a legitimate, trusted site is compromised. For this reason, we recommend enabling the option to Apply these restrictions to trusted sites too. If this option is too intrusive, it can be turned off at the cost of increased risk.

C. Apple Safari

The Safari web browser supports many of the same features as Mozilla Firefox. The following are some steps to disable various features in Safari on Mac OS X. The options for Safari for Microsoft Windows may differ slightly. Also note that some menu options may change over time, and you should adapt the steps below as appropriate.

In order to change settings for Safari, select Safari then Preferences…

Note that on the Safari menu, you can also select the option “Block Pop-up Windows”. This option will prevent sites from opening another window through the use of scripting or active content. Be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.

Safari Preferences

Once you select the Preferences menu, the window below will open. The first tab to look at is the General tab. On this tab you can set up many options such as Save downloaded files to: and Open “safe” files after downloading. We recommend that you download files to a folder that you create for that purpose. We also recommend that you deselect the Open “safe” files after downloading option.

Safari General Preferences


The next section of interest is the AutoFill tab. On this tab, you can select what types of forms your browser will fill in automatically. In general, we recommend against using AutoFill features. If someone can gain access to your machine, or the AutoFill data files, then the AutoFill feature may allow them to use the stored credentials to access to other sites that they would not otherwise have the ability to access. However, if used with appropriate protective measures, it may be acceptable to enable AutoFill. We recommend using filesystem encryption software such as OS X FileVault along with the Use secure virtual memory option to provide additional security for files that reside in a user's home directory.

Safari Autofill


The Security tab provides several options. The Web Content section permits you to enable or disable various forms of scripting and active content. We recommend disabling the first three options in this section, and only enabling them based on site-specific cases. We recommend selecting the Block Pop-up Windows option. Remember that this option will prevent sites from opening another window through the use of scripting, or active content. Again, be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.

It is safer to use Safari without plug-ins and Java, so we recommend disabling the options Enable plug-ins and Enable Java. It is also safer to disable JavaScript. However, many web sites require JavaScript for proper operation.

In this dialog you can disable cookies and also view or remove cookies that have been set. In general we recommend disabling cookies, and enabling them only when you visit a site that requires their use. At this point, you should determine if the site is trustworthy and whether you want to enable cookies to view the site’s content. After you are finished visiting the site, we recommend disabling cookies until needed again. You can choose to only accept cookies from the sites that visit by selecting the Only from sites you navigate to option. This will permit sites that you visit to set cookies, but not third-party sites. Finally, we recommend selecting the Ask before sending a non-secure form to a secure website option. This will prompt you before sending unencrypted form data when viewing an HTTPS-secured web site.

Safari Security Settings

D. Other Browsers

Other web browsers may have similar options to those described above. Please refer to the browser documentation to determine which options are available and how to make the necessary changes. For example, the links below show where to find information for four popular web browsers:

Opera - http://www.opera.com/support/tutorials/security
Mozilla SeaMonkey - http://www.mozilla.org/projects/seamonkey
Konqueror - http://www.konqueror.org/
Netscape - http://browser.netscape.com/
Note that official support for Netscape has ended on February 1st, 2008. If you are using Netscape, we strongly recommend switching to a browser that is still supported.

IV. Keeping Your Computer Secure

In addition to selecting and securing your web browser, you can take measures to increase protection to your computer in general. The following are steps and links to information resources that will help you secure your computer.
  1. Read the Home Network Security and Home Computer Security documents.

  2. Enable automatic software updates if available

    Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor's web site. Read the manuals or browse the vendor's web site for more information.

    Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered, you may need to check the vendor's web site periodically for updates.
  3. Install and use antivirus software

    While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks. Many antivirus packages support automatic updates of virus definitions. We recommend using these automatic updates when available. A partial list of antivirus vendors is available is available on the CERT/CC web site.
  4. Avoid unsafe behavior

    Additional information on this topic can be found in the Home Network Security document.
    • Use caution when opening email attachments or when using peer-to-peer file sharing, instant messaging, or chat rooms.
    • Don't enable file sharing on network interfaces exposed directly to the internet.
  5. Follow the principle of least privilege — don't enable it if you don't need it

    Consider creating and using an account with limited privileges instead of an 'administrator' or 'root' level account for everyday tasks. Depending on the operating system, you only need to use administrator level access when installing new software, changing system configurations, etc. Many vulnerability exploits (e.g., viruses, Trojan horses) are executed with the privileges of the user that runs them — making it far more risky to be logged in as an administrator all the time.

Thanks to all real security experts and newbies !!!

Juan Carlos García

Entradas populares de este blog

SHELLCODES por un tubo ....

Proteger ASP.NET de inyecciones SQL How T0? BEST PRACTICES

CERTIFICACIONES DE SEGURIDAD