Re: Firefox 3 honors Windows Security Zones... in Security

Re: Firefox 3 honors Windows Security Zones...

Sun, 29 Jun 2008 17:03:03 EDT

said by Mele20 :

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.

Thank you for the info. I'll check up on it.

Re: Firefox 3 honors Windows Security Zones...

Sun, 29 Jun 2008 17:00:41 EDT

BandHeight :

said by Herohtar :

You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re···refox_30

It works partially:

said by BandHeight :

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).

Re: Firefox 3 honors Windows Security Zones...

Sun, 29 Jun 2008 10:50:57 EDT

jmorlan :

said by HA Nut :

None of this discussion affects XP Home right? Since it doesn't support Group Policies?

XP Home is affected. It's not Group Policies. It is about the security tab settings under "Internet Properties" accessible via Control Panel or IE. There are four zones; Internet, Local Intranet, Trusted Sites & Restricted Sites. FF3 now pays some attention to those security settings.
--
"All men are equal before fish." (Herbert Hoover)

Re: Firefox 3 honors Windows Security Zones...

Sun, 29 Jun 2008 08:09:11 EDT

HA Nut : None of this discussion affects XP Home right? Since it doesn't support Group Policies?

Re: Firefox 3 honors Windows Security Zones...

Sat, 28 Jun 2008 05:14:11 EDT

anon : You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re···refox_30

Re: Firefox 3 honors Windows Security Zones...

Sat, 28 Jun 2008 01:38:46 EDT

Mele20 :

said by BandHeight :

Keep digging around. Something's still a little funky.
:)

Avira is now invoked on Vista by Fx3 Download Manager. I watched it scanning (at least Download Manager showed my AV scanning so I assume it was scanning) during a download of a Microsoft Patch a little while ago. The patch is for IE8 which I also have on a machine with XP so I just now downloaded the patch on that machine. Avira was not invoked during the download by Fx3 Download Manager. I have the same settings for Firefox and IE on both versions of Windows.

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Fri, 27 Jun 2008 23:01:28 EDT

OZO :

said by sivran :

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things. ;)

I see your point.

I do not support the use of ADS at all. I think with introducing those ADS'a in SP2 m$ has actually opened Pandora's box. ADS's may be very easily misused. I hope we realize that, for example, under the Notepad.exe name a smart guy may hide folders and folders of any files (creating actually a whole new FS). And with current state of public knowledge and tools to find and work with ADS's - it's obvious to me that it's a dangerous thing that just wait to show its ugly head...

I try to keep amount of ADS's on my NTFS at minimum level. I do not allow IE to create ADS's on my downloaded files. I know, that I've downloaded them. And I do not need any reminder about that. There are probably a few files that currently have ADS's on my HD. And I watch it carefully.

That's why I think this tendency of Mozilla to embrace this move towards spreading ADS's in not the right thing for computer security. But, of cause, they may don't care...
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Fri, 27 Jun 2008 17:06:41 EDT

sivran : Oh, right. That thing. For some reason, I was thinking it was an actual toolbar or something. Opera 9.5 does the same thing. I find it useful on rare occasions but annoying most of the time. I'd want a way to quickly (read: not involving about:config) turn it on and off. Maybe even have it only behave that way if I typed words, rather than an address.

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things. ;)
--
Think outside the fox...Seamonkey

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 21:44:55 EDT

BandHeight :

said by sivran :

Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.

I'll bump the font so others can hear as well. :)

It's the term being applied to the location bar (I think it was referred to, perhaps unofficially, as the "almighty bar" during the beta phase ... now its just "awesome").

There have been many complaints about the location bar in FF 3.0, some involving its appearance (without mods, it takes up a lot of real estate), some involving the search algorithm (it picks up a lot more results that some people don't want included), some involving the fact that it lists all URLs and not just the ones you manually type in, etc.

See here for some ways to get it back to the old-style as much as possible (the search algorithm is not modifiable, however):

»How to get yellow address bar with SSL in firefox 3

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 21:00:42 EDT

sivran :

said by SUMware :

said by BandHeight :

said by SUMware :

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings. :)

Exactly. :)

Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
--
Think outside the fox...Seamonkey

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 20:41:24 EDT

SUMware :

said by BandHeight :

said by SUMware :

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings. :)

Exactly. :)

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 20:24:15 EDT

BandHeight :

said by SUMware :

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.

Excatly.

said by SUMware :

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings. :)

Edit:

I assumed you read all my posts, which is the wrong assumption, so I'll clarify here that my primary OS is Linux as well (Arch + Gnome or Openbox, though; haven't used SuSE since version 8.something and never installed OpenSuSE, so I don't know what FF 3.0 looks like in KDE if that is what you are using).

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 20:12:09 EDT

SUMware :

said by BandHeight :

FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course is the Mozilla teams opinion).

Mine, too. FF3 flows into Linux nicely on my shiny new openSUSE 11.0 IMO...

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.

[but i don't think that the 'awesome bar' is]

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 19:12:48 EDT

BandHeight :

said by OZO :

Then it comes to browsers's developers attitude (or their perspective).

That is most important of all. So far, I'm still okay with FF, even with the new features (or regressions, again, depending on perspective). I've worked around things I don't like and embraced the things I do like.

I have no control over developers' direction and intentions for future versions of FF. There are some things I see currently as potentially troubling indications of the direction things are heading, but I'll react when appropriate (perhaps, as you say, by switching browsers).

said by OZO :

said by BandHeight :
- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

Do you really mean Trusted zone (or zone #2)? Do they save ADS with ZoneID=2 line?

Well, by least restrictive in this context, I could have meant any of the zones that have no impact on, or relevance to, file downloads or attachments. So, looking at the table of zones:

I could have been referring to anything below Zone 3.

And as far as I can tell, Zone 3 is the only identifier tagged onto files per policy as it is the only one that may require further action (e.g., prompting upon execution) once it is downloaded (see tangential note below).

said by OZO :

said by BandHeight :
Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

Now, that's finally the right direction to move :). I mean to make FF portable. But then forget about zone configuration which is saved in registry.

»portableapps.com/
»www.u3.com/

Note:

Minor points of interest:

- you can turn your list of Trusted Sites into Restricted Sites by setting "Launching applications and unsafe files" to "Disable" under the Trusted Sites tab

- you can turn your list of Restricted Sites into Trusted Sites by setting "Launching applications and unsafe files" to "Enable" under the Restricted Sites tab (this will get you a warning that "Your Security Settings Put Your Computer At Risk").

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 18:51:22 EDT

redxii : That's funny, I thought I was using Firefox, not IE.

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 17:33:08 EDT

OZO :

said by BandHeight :

What you say:
...
What an IT admin might say:
...
It's all about perspective, I suppose.

I agree. Then it comes to browsers's developers attitude (or their perspective). They may say - IT admin is right, and therefore has all the rights, including an IT admin wishes - "I want to know all your browsing history - past, present and future (saved links and autocompltetes)", "I need to know all your passwords that in case you forgot it I'll help you...", etc.

It's done in IE (and that's the reason why I'm looking for a substitute). If it's FF future policy as well, then well... It's good for a corporate environment, but certainly not for a private user.

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

Do you really mean Trusted zone (or zone #2)? Do they save ADS with ZoneID=2 line?

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

Now, that's finally the right direction to move :). I mean to make FF portable. But then forget about zone configuration which is saved in registry.
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 16:45:39 EDT

BandHeight :

said by Mele20 :

I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).

Cool.

said by Mele20 :

... and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt ...

Hmm. Changing "Launching applications and unsafe files" to "Disabled" isn't unsafe (it's actually the "safest" setting) and shouldn't be issuing a warning in your GUI (e.g., "Your security settings put your computer at risk" should not show up). Setting "Launching applications and unsafe files" to "Enabled (not secure)", as the name may suggest, does cause the settings to be flagged as unsafe.

Anyway, yes, setting "Launching applications and unsafe files" to "Prompt (recommended)" is what you need for the test you are conducting.

said by Mele20 :

... then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?

You should be getting the prompt after executing the file. Keep digging around. Something's still a little funky.
:)

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 16:32:52 EDT

BandHeight :

said by OZO :

And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to relay on uncontrolled environment, "honoring" its settings, I do not need such browser and will go with Opera or something else. Sorry...

We noticed it. But from a different angle.

What you say:
"I can't run my browser in this [potentially] unsafe environment because it will adopt that environment's settings.

What an IT admin might say:
"I don't want you to run your browser on my machine without adopting the environment's settings because your browser's settings may be unsafe. More importantly, your USB drive might be infected, blah blah..."

It's all about perspective, I suppose.

BUT ... does it matter anyway (from your perspective)? Let's see:

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

- I don't really know how FF 3.0 would behave as a portable application. It may "know", even without modification, it's not installed on the host and therefore does not change its behavior to match the host machine's policy.

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).

Maybe there is already another option somewhere that does what I suggest, but I am unaware of it.

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 15:06:24 EDT

OZO : And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to relay on uncontrolled environment, "honoring" its settings, I do not need such browser and will go with Opera or something else. Sorry...

P.S. As you probably has noticed from all my posts (not only from this thread) - my main browser is IE. I use FF as portable browser, to test compatibility issues and to visit sites that do not offer proper IE support (yes, there are some).
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 09:20:21 EDT

Ctrl Alt Del :

said by OZO :

You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?

Because Firefox uses its own HTML rendering engine: Gecko. Firefox is an entire web browser with no dependencies on external components. If Firefox used shdocvw.exe, then it could become another browser that is basically a new shell on top of the core from IE (Maxthon, MyIE).

This Wikipedia article does a good job at describing the IE architecture: »en.wikipedia.org/wiki/Internet_E···itecture

Files hosted by the Internet Explorer main executable, iexplore.exe:
- WinInet.dll: handles HTTP and FTP.
- URlMon.dll: handles MIME-type stuff.
- MSHTML.dll: contains the Trident rendering engine which is responsible for displaying the pages on-screen and handling the Document Object Model of the web pages.
- ShDocVw.dll: provides the navigation, local caching and history functionalities.
- BrowseUI.dll: responsible for the browser user interface, including the browser chrome, which houses all the menus and toolbars.

ShDocVw.dll also apparently contains the API for the Attachment Manager. I guess it made the most sense to stick a feature that deals with downloaded files in a DLL that is used by IE.

said by OZO :

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why we need yet another browser (FF.3) that is based on the same security model of IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different brothers)?

Because it's good to have choice? Yes, Firefox is a different web browser with its own rendering engine. But, that's why we have web standards. Some web browsers aren't as good as others, but aside from nuances, both give you a webpage with the important stuff in the right place.
--
less talk, more music

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 00:51:52 EDT

BandHeight :

said by OZO :

What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).

Yes. It goes much deeper than that. My proposal concentrated on the ability to cleanly and clearly provide a means to turn off the functionality. Changing the value to "true", however, does get us back to the question of, "What interface do we use to change the settings?". For better or for worse, for now it is only available through the Windows interface.

said by OZO :

And finally, FF is integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do now want to have yet another one with the same claim. Web browser should not be an integrated part of any OS. That's my strong opinion.

Nothing wrong with a strong opinion.

"Integration" brings some strongly negative connotations in the context of Internet Explorer. Integration that forces users into something they may not wish or that stifles fair trade and competition is the kind we don't want to see. On the other hand, integration can be good, integration has many different tiers from loose-integration to breaks-if-you-remove-it-integration, and all software that is installed on any platform has to "fit in", so to speak, on some level to even run.

A very simple and benign bit of integration, I think you will agree, is that FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course is the Mozilla teams opinion).

Let's just say that integration is an integral (pun intended) part of computing. The good news in the case under discussion here is that the integration does not approach the level of integration (the really bad kind) usually implied when discussing IE and Windows.

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 00:37:14 EDT

Mele20 : I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).

I'm embarrassed to say that the problem was that I hardly ever open IE8 because it is soooo crippled (back button doesn't work, can't select part of auto quote here to delete, can't, can't, can't, ...about all IE8 can do unless you emulate IE7, which I don't want to do, is display a page and you can read the page but not do anything and not want to use the back button either). So, because I hardly ever open it, I was under the impression that I had changed the IE setting back to prompt. But evidently I had not as when I finally opened IE8 a few minutes ago, it wouldn't load my tabs and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt, I tried Fx3 and downloaded an eicar zip file (with Avira Guard disabled so I could download it) and then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?

(Fx3 is acting nutty again and it continually loads this site and others but this site is the worst. I switched to my host computer with Fx 1.5 and this site loads just fine. IE8 is continually loading this site also on my guest machine).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Thu, 26 Jun 2008 00:08:30 EDT

OZO : What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).

E.g. how FF suppose to put variety of web sites into different security zones (as a part of zones security management) or how they even define them (zones) with security settings. Where is the dialog box that will be offered to FF users to change all (and there are plenty) security settings for different zones. Saying - open IE (or use Control Panel to run "Internet Properties" dialog box, which is the same) and adjust those settings, I hope, is not an option here... And I agree with you that a separate FF interface may be more confusing than helpful in some cases..

That why I've said earlier - is it the right direction to move for FF? And I'm not positive that it is...

And finally, FF is integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do now want to have yet another one with the same claim. Web browser should not be an integrated part of any OS. That's my strong opinion.
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 23:34:33 EDT

BandHeight :

said by OZO :

Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?

said by OZO with strike-through / emphasized correction by BandHeight :

Again, if FF developers want to support security zones that come with IE Windows and is made available to all applications through the Windows API, how will they manage those zones? Via IE?

I stated in my very first post (referring to the MozillaZine link that directs the user on how to change settings):

said by BandHeight :

Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.

However, despite its drawbacks and upon further reflection, I think ultimately that there are so many different places to change related settings that adding to this with a separate FF interface may be more confusing than helpful in some cases. For example, a separate FF interface would give the illusion that its settings only affected FF, but integration with the system via the Windows APIs mean that changing them in FF changes them for all applications that use the API. That by the way is at the heart of the argument that this is not an IE-only policy. Changing the settings, regardless of where they are set, impact all applications that use the APIs.

Windows provides a number of generic and semi-generic places to change zone policy and related settings outside of Internet Explorer as well as directly through Internet Explorer:

- Internet Options GUI via the Control Panel
- Group Policy console
- Directly editing the registry
- Internet Options GUI via Internet Explorer menus

Using the Windows interfaces directly also reinforces that FF is integrating into the existing system rather than just recreating a different version of it.

I can definitely understand your point of view, and I believe that behind the scenes, there was an even more heated debate among the Mozilla team on how to proceed (or to even proceed at all) with this functionality.

Just as a final note (final ... hmm, I doubt it), I do think a Master ON / OFF switch in the About:Config interface that is not tied to the AV scanner or any other option would be very appropriate. Something along the lines of:

security.policy.honorWindows false

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 22:33:14 EDT

OZO : Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 22:28:19 EDT

OZO :

said by Ctrl Alt Del :

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.

You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?

Isn't that because the security model of IE (based on mentioned component) is flaky (as many of users see it, I'm not one of them, BTW) and over-convoluted (as I see it) to the level that the user needs something different? If the reason to develop a new browser is not an offering of a new security model, then why do that at all? If the answer is "yes, it's not what we need", then why there is an urge to repeat the same security model in the FF.3?

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why we need yet another browser (FF.3) that is based on the same security model of IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different brothers)?

P.S. Sorry, but this post looks more like a rant from my side leading away from the subject of the thread, so you may want not to answer the questions above...

--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 20:46:23 EDT

BandHeight :

said by OZO :

No, it is not. It is not a function of OS unless of cause you think that IE is part of the OS.

No. In this case, I am trying to make a distinction between IE and the rest of the components that ship as part of Windows. Here is how I tried to delineate for purposes of this discussion (for another topic, I may not have taken this tack):

- Apps installed on Windows that may interact with the zone policy and attachment policy, i.e., Internet Explorer, FireFox, OutlookExpress, Outlook, etc.

- The rest of the system ("the OS") including the kernel, the shell, user interface, etc.

The APIs that are available to IE with regard to zone policy and attachment policy are available to all installed applications via the Windows API.

The zone policy and attachment policy require at minimum two things:

1. a mechanism to tag files with zone information per policy
2. a mechanism to interpret the zone information and respond accordingly per policy

Item 1 is most logically taken care of by the client application that first acquires the file. However, that is not limited to Internet Explorer, and any application can use the API.

Item 2 happens outside the originating application, and furthermore, does not care how the files came to be tagged. More explicitly, this function does not care whether the tags came from IE, FF, or whether they were manually tagged.

For me, that suggests a system policy not an Internet Explorer-only policy. An expectation that all files on the system respond to my security settings in the same fashion regardless of which application downloaded them is not an unreasonable expectation. I believe that is why Mozilla chose to implement its features in FF 3.0.

said by OZO :

It's not a function of computer operating system to make those determinations. Computer's OS doesn't know web sites!!

But the API provided by Windows to determine the zones and tag the files is available to any application that wishes to use them. And components of the operating system do know zones because part of the whole security process is to tag the files so the zone can be known outside the application that originally acquired the file.

said by OZO :

Prompt is issued by a program manager (Windows Explorer) and not by OS. Try to execute :Zone.Identifier marked file in e.g. CMD window. And, BTW, you can easily replace WE by a different program manages (and OS is still running, of cause)...

I agree with you that the zone stuff doesn't work from a command prompt, but that was originally pointed out to MS as a security flaw when SP 2 was first released. MS was evidently happy to have only the GUI respond to the policy. I have never argued that the implementation is absolutely secure; that is another topic.

said by OZO :

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.

I'm not. I use Arch Linux as my primary system, and I am pretty careful about discussions involving various components. I don't think people generally view Windows XP components as so separable, but for this discussion (and for legal reasons - see US vs Microsoft :)), Internet Explorer is just a browser, separate and apart from the rest of the OS (per my above definition).

said by OZO :

Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).

Mozilla did have a different perspective. It ignored the security model of the platform on which it was installed up until version 3 (if it was installed on a Windows PC). The developers likely felt that IT admins were ignoring FF in favor of IE because FF heretofore ignored the policy. Is that a correct assumption? I don't know. But it seems to me that what they have decided to do is not a simulation of the policy, it is an integration into the policy using the available APIs.

Edit:
Fixed paragraph alignment, spelling

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 20:33:10 EDT

Ctrl Alt Del :

said by OZO :

No, it is not. It is not a function of OS unless of cause you think that IE is part of the OS. It's function of a browser. It's IE browser, who has separated security settings for different web sites it's visiting, and it's IE, that made up 3 so called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may do different determinations regarding their security settings for different web sites.

IAttachmentExecute is exposed through the file shdocvw.dll (Source: »msdn.microsoft.com/en-us/library···85).aspx )

Shdocvw.dll supplies the functionality associated with navigation, in-place linking, favorites and history management, and PICS support. This DLL also exposes interfaces to its host to allow it to be hosted separately as an ActiveX control. The Shdocvw.dll component is more frequently referred to as the WebBrowser Control. In-place linking refers to the ability to click a link in the HTML of the loaded document and to load a new HTML document in the same instance of the WebBrowser Control. If only Mshtml.dll is being hosted, a click on the link results in a new instance of the browser. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

However, IAttachmentExecute is not tied, in any way, to Internet Explorer. Internet Explorer makes use of IAttachmentExecute from a file that deals with HTML and hyperlinking. IExplore.exe is at the top level; it is a small application that is instantiated when Internet Explorer is loaded. This executable application uses Internet Explorer components to perform the navigation, history maintenance, favorites maintenance, HTML parsing and rendering, and so on, while it supplies the toolbar and frame for the stand-alone browser. IExplorer.exe directly hosts the Shdocvw.dll component. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.

That is because it is the responsibility of the launcher (Windows Explorer) to make use of IAttachmentExecute. Old code or code that ignores this feature do not explicitly make use of the Prompt method. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

Microsoft probably didn't want every single executable to be put through IAttachmentExecute (which would be stupid, costly, and slow), so instead of putting in deep into the OS (kernel?), it's a higher level API that should be called before the OS runs the downloaded file.
--
less talk, more music

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 16:07:25 EDT

OZO :

said by BandHeight :

I think the misunderstanding is that Zone Policy is not an option or function of the browser (not IE or FF or any other browser). It is the function of the operating system.

No, it is not. It is not a function of OS unless of cause you think that IE is part of the OS. It's function of a browser. It's IE browser, who has separated security settings for different web sites it's visiting, and it's IE, that made up 3 so called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may do different determinations regarding their security settings for different web sites.

It's not a function of computer operating system to make those determinations. Computer's OS doesn't know web sites!! The fact that there are two programs (IE and WE) that have been developed by the the same manufacturer that made the OS itself doesn't make it so.

- Any execution of a file marked with an ADS Zone 3 tag will cause a prompt to be issued by the operating system, not by the specific internet browser (e.g., FF or IE) nor by a specific file browser (WE, PowerDesk, etc.).

Prompt is issued by a program manager (Windows Explorer) and not by OS. Try to execute :Zone.Identifier marked file in e.g. CMD window. And, BTW, you can easily replace WE by a different program manages (and OS is still running, of cause)...

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.

Finally, why should FF 3.0 developers try to recreate the whole system over again as you seem to suggest?

Again, because it's not a function of OS to differentiate web sites(!) on different categories. And again, it's done not by the OS, but by its web browser IE (adding ADS to downloaded files) and by its program manager - WE (interpreting ADS when it's been asked to execute the file). Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).

And finally, if FF "honors" security zones on IE, don't you think it should offer a way to configure those zones. Does it have plans to do so? I don't think so... Thus, is it the right direction to move for FF?
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 11:16:20 EDT

HA Nut : Thanks to all for the information to date. I have learned a great deal. :) When FF 3 was said to have hundreds (or was it thousands?) of changes over FF 2, they weren't kidding!

I found it interesting that FF 3 is using the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments ScanWithAntiVirus registry entry. Also interesting is that some well known/well thought of AV makers don't support the feature (two examples... BandHeight's Avira and my NOD32.) (In my own case, I'm not too concerned about it as I know that NOD32 runs an HTTP scanner and scans all downloaded files anyway.)

It was great to finally understand why Windows Defender found the Eicar test virus (when I have downloaded it in the past on PCs with Defender on them.) Normally, Defender signaled on system changes, not on file downloads.

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 07:30:08 EDT

BandHeight :

said by Mele20 :

The important thing here is that the Attachment Manager in XP Pro SP2 doesn't work. I've read the Microsoft article and it doesn't work. I've checked group policy and under Administrative Templates: Attachment Manager it says:

But Windows does not mark the file attachments on my XP computer whether I use IE8 or Fx3.

I don't know what else to tell you or how many screen-shots have to be posted before you recognize that there must be something different about the way you have your computer set-up that is causing your particular issue. A blanket statement that it is "not working" in XP SP 2 cannot be made.

I'm not saying these apply to you, but here may be some possibilities as to the behavior you are seeing (or not seeing):

- The files are being saved to a non-NTFS partition.

- Changing any relevant OS settings may require you to close the browser and restart it for the changes to become effective (be sure all associated windows, e.g., the DL Manager Window or Add-ons window) are also closed.

- As I found after testing, and as I mentioned here in response to HA Nut's question about how the AV scanner works (emphasis added here):

said by BandHeight :

It uses the IAttachmentExecute::CheckPolicy method that has been discussed in this thread (and falls back on IOfficeAntiVirus if IAttachmentExecute::CheckPolicy isn't available ... at least I think the fallback made it into the final version). If I've followed the bug reports correctly, IOfficeAntiVirus was the early go-to method, but was swapped in favor of IAttachmentExecute::CheckPolicy for various reasons later on.

I'm sure you asked about this without realizing that the Zone policy adherence and the anti-virus scanning functionality are tied together by virtue of the OS methods they utilize.

That has a lot of implications, but what it means in practice is that if you set the FF 3.0 About:Config setting, "browser.download.manager.scanWhenDone", to false no ADS tags will be written and no download scans will occur.

I cannot speak about IE 8, and anything it does in beta stage shouldn't be extrapolated to "XP SP 2" doesn't work. This is especially true since you still haven't been able to get other browsers to behave the way we have shown you they can behave on SP 2.

said by Mele20 :

the policy would still be irrelevant and not work because I routinely remove all ADS from any downloaded file BEFORE I scan with my AV and before I execute it.

This is a personal choice. I respect it.

said by Mele20 :

Your on access AV will scan it so what is the point of the Access Manager and what is Mozilla's point in trying to use it? It is absurd redundancy.

I don't find it necessary, either, on my system because I do run on-access monitors. However, I do recognize that some people may not run on-access scanners for any number of reasons, so I certainly cannot agree that it is "absurd", and it is only "redundant" for some people. Lots of download managers provide this functionality, albeit not through OS methods (usually via the user hard coding AV command lines into the DL manager's options). It's there if the user wishes to use it.

said by Mele20 :

We already have several questions in the Avira forum about how awful it would be if Webguard scans the file, then the Fx3 Download Manager calls Avira to scan it again ...

I am not willing to make any generalized statements, but in my brief experience with testing, (as I stated previously) Avira Free does not seem to be communicating with the OS in such a way that FF 3 or IE 7 can call it anyway. I do , however, know for a fact that the scanning feature is working in IE 7 and FF 3.0 because another malware product did work (specifiaclly, Windows Defender).

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 06:20:58 EDT

Mele20 : The important thing here is that the Attachment Manager in XP Pro SP2 doesn't work. I've read the Microsoft article and it doesn't work. I've checked group policy and under Administrative Templates: Attachment Manager it says:

Do not preserve zone information in file attachments: NOT Configured and then it says:

"If you do not configure this policy setting Windows marks file attachments with their zone information." But Windows does not mark the file attachments on my XP computer whether I use IE8 or Fx3.

Even if ADS were added to downloads (and that doesn't happen), the policy would still be irrelevant and not work because I routinely remove all ADS from any downloaded file BEFORE I scan with my AV and before I execute it. I think the Attachment Manager is not a good idea because it uses ADS which most of us would routinely remove as ADS could be malware so the wise thing is to remove all ADS from any newly downloaded file before executing.

I also don't see any point in Fx3 Download Manager calling your AV to scan the file as your AV will scan the file before it executes whether you elect to manually scan the file or not. Your on access AV will scan it so what is the point of the Access Manager and what is Mozilla's point in trying to use it? It is absurd redundancy. We already have several questions in the Avira forum about how awful it would be if Webguard scans the file, then the Fx3 Download Manager calls Avira to scan it again and then the user goes to execute it and Avira scans it again and inbetween all that all users practicing safe hex have scanned also with Luke Filewalker. Geeezzzz....a ridiculous amount of scanning there. It looks to me like Mozilla just wanted something to puff about that sounded good but really is not needed and could, like the Avira poster was worried about, cause unnecessary slowdowns. ONE scan of the file by Guard as it goes to execute is all that matters and nothing else is needed. Calling Luke Filewalker is not sensible because it is a weak scanner and it might say the file is clean when it isn't.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 04:48:35 EDT

BandHeight :

said by OZO :

That IE option actually doesn't regulate downloading process at all. The option defines how WE (Windows Explorer, and not Internet Explorer) will react when user double click on ADS marked file. Accordingly to the option setting WE will run the file without any warning (if option is set to 'Enable'), will issue a prompt (if option set to 'Prompt'), and will send error message and restrict execution of the file (if the option is set to 'Disable').

said by OZO :

Can they just use their own an internal FF option for defining the process of creation these ADS's or they can not? It's a simple and obviously the right way to do. Surely it's better then to start configuring one browser via UI of another one... (which is completely inappropriate, IMHO).

I think the misunderstanding is that Zone Policy is not an option or function of the browser (not IE or FF or any other browser). It is the function of the operating system.

- Yes the Zone ADS is set and attached to a file by a client that understands and adheres to the policy. The client understands the policy and knows the zone from which the file originated. Therefore it is necessary that the client apply the ADS stream to the file at this point, but at the instruction of the operating system's set policy.

- Any execution of a file marked with an ADS Zone 3 tag will cause a prompt to be issued by the operating system, not by the specific internet browser (e.g., FF or IE) nor by a specific file browser (WE, PowerDesk, etc.).

- If the Zone Policy is set to 4 (block), the operating system blocks the download through the client (no ADS can be set, obviously, as I've previously mentioned, since no file is actually downloaded). Both FF 3.0 and IE 7 respond in the same way.

Both Ctrl Alt Del and I are aware of the Attachment Manager Group Policy. I discussed it and supplied this link:

»support.microsoft.com/kb/883260

in an earlier post. Ctrl Alt Del re-posted the link and made some further observations in a follow-up post to mine.

The Attachment Manager Group Policy of 'Do not preserve zone information in attachments', when enabled, does indeed prevent the Zone ADS from being added to files by clients, but you seem to think only Internet Explorer follows that policy. That is incorrect. Any application (including FF 3.0) that adheres to Zone Policy via the operating system methods previously discussed, also honors not preserving the ADS information. Why not just try it and see for yourself? Im pretty sure this is what you will find:

- If you download a Zone 3 file with FF 3.0 (or IE 7, etc.), the file will no longer have the ADS tag added if the 'do not preserve zone information' policy is enabled prior to the download attempt.

- Any file that was downloaded under Zone 3 prior to enabling the 'Do not preserve zone information' Policy will still have the ADS stream embedded in the file (the policy does not remove existing tags), and the OS will still, appropriately, issue a prompt upon execution.

So, any application that honors the operating system's Zone Policy correctly (including FF 3.0 and IE 7) will also honor the Attachment Manager Group Policy. Behavior is [mostly*] consistent across clients because it is a function of the operating system, not the client.

In simplest terms:

Once the client sets the ADS tag (or not) or blocks a download per the operating system's current policy, the client is no longer responsible for any prompt that a user might see. It is then up to the operating system to interpret the file tags (if they exist) and correlate them with current policy.

Finally, why should FF 3.0 developers try to recreate the whole system over again as you seem to suggest? Either they decide to have the client adhere to the design of the platform on which it is installed, or they decide to not adhere to it at all (as with earlier FF version), but recreating their own parallel / redundant system probably never occurred to them as a viable option.

* Note:

I say "mostly" because their may be exceptions. For example, as I've mentioned (and supplied screen-shots, as well, in a previous post), FF 3.0 and IE 7 both respond to Zone 4 by blocking downloads, but the way they inform the user of the blocking is different (i.e. the GUI presentation in this case is not consistent). Under this scenario where no tags are added (since no file is downloaded), and the client still has some independent control over the process, this seems perfectly reasonable.

Re: Firefox 3 honors Windows Security Zones...

Wed, 25 Jun 2008 03:03:36 EDT

OZO : Creation of :Zone.Identifier ADS's for new files does not depend on the IE security option "Launching applications and unsafe files". I don't see why FF guys start to rely on this option.

That IE option actually doesn't regulate downloading process at all. The option defines how WE (Windows Explorer, and not Internet Explorer) will react when user double click on ADS marked file. Accordingly to the option setting WE will run the file without any warning (if option is set to 'Enable'), will issue a prompt (if option set to 'Prompt'), and will send error message and restrict execution of the file (if the option is set to 'Disable').

Again, IE option "Launching applications and unsafe files" defines the process of launching (by WE) files, already being marked with :Zone.Identifier ADS, and not the creation of that ADS at download time! Do they, FF developers know that? It looks like they don't :(. By this new screwed implementation - they additionally messing things... As I've mentioned in my first post there are special ways already designed to change the behavior of IE in this respect (to create the ADS for download file or do not).

Can they just use their own an internal FF option for defining the process of creation these ADS's or they can not? It's a simple and obviously the right way to do. Surely it's better then to start configuring one browser via UI of another one... (which is completely inappropriate, IMHO).
--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Tue, 24 Jun 2008 10:44:31 EDT

Ctrl Alt Del :

said by Mele20 :

What "feature" was added in SP2?

In Windows XP Service Pack 2, Microsoft added something called the Attachment Manager.

said by »support.microsoft.com/?kbid=883260 :

The Attachment Manager in Windows XP SP2 can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.

If the Attachment Manager identifies an attachment that might be unsafe, the Attachment Manager prevents you from opening the file, or it warns you before you open the file.

The Attachment Manager uses the IAttachmentExecute application programming interface (API) to find the file type, to find the file association, and to determine the most appropriate action.

Microsoft Outlook Express, Microsoft Windows Messenger, Microsoft MSN Messenger, and Microsoft Internet Explorer use the Attachment Manager to handle e-mail attachments and Internet downloads.

When you save files to your hard disk from a program that uses the Attachment Manager, the Web content zone information for the file is also saved with the file. For example, if you save a compressed file (.zip) that is attached to an e-mail message to your hard disk, the Web content zone information is also saved when you save the compressed file.

More simply...

said by »smallvoid.com/article/ie-attachm···ger.html :

Windows XP SP2 includes a new feature called Attachment Manager, which monitors files downloaded from the Internet or received as e-mail attachments.

When a downloaded file is saved to a disk formatted with NTFS, then it will update the meta data for the file with the zone (Internet- / Restricted-zone) it was downloaded from. The meta data is saved as an Alternate Data Stream (ADS), which is a feature of NTFS where the same filename can be used to cover multiple data streams.

For example, if you use Windows XP SP2's Internet Explorer to download an executable, Internet Explorer will tag that file as potentially dangerous using Attachment Manager's IAttachmentExecute. Then when you try to run that executable, Windows will show the following dialog:

Because the Attachment Manager was added in XP SP2, when you said:

I understand what Bandheight said. My reply is that it is not true that Fx3 is placing ADS on downloads. It is not doing for me. Therefore, this feature does not work. Bandheight has Service Pack 3 for XP. I have SP2. Maybe Service Pack 3 is required for this to work? If so, that is another good reason to not install SP3...getting too bossy.

Was incorrect. Service Pack 3 is not required, Service Pack 2 is, which you already have.

Now, Firefox 2 did not use the Attachment Manager at all. If you downloaded an executable with Firefox 2, you never saw that Security Warning dialog. However, Firefox 3 does use the Attachment Manager with the default settings. When you download an executable with Firefox 3, you will get the same Security Warning dialog that IE would show.

Both websites in the quotes above show the Group Policy settings or Registry keys that control this feature.
--
less talk, more music

Re: Firefox 3 honors Windows Security Zones...

Tue, 24 Jun 2008 05:28:25 EDT

BandHeight :

said by HA Nut :

Other than the about:config entry where the AV scanning is set, has anyone read exactly how FF 3 goes about determining how to call up the AV and run the proper command(s) to actually perform the scan? I've ran FF 3 with the scanner on and off and saw no perceptible difference.

It uses the IAttachmentExecute::CheckPolicy method that has been discussed in this thread (and falls back on IOfficeAntiVirus if IAttachmentExecute::CheckPolicy isn't available ... at least I think the fallback made it into the final version). If I've followed the bug reports correctly, IOfficeAntiVirus was the early go-to method, but was swapped in favor of IAttachmentExecute::CheckPolicy for various reasons later on.

I'm sure you asked about this without realizing that the Zone policy adherence and the anti-virus scanning functionality are tied together by virtue of the OS methods they utilize.

I had some additional bug reports to toss at you for further reading, but I saved them in a FF session on another PC which I can't get to right now.

If FF 3 is not scanning your files even with the About:Config setting turned on, it's possible that your AV isn't using one of the two aforementioned methods for communication with the OS. For example, I normally use AntiVir Personal Free Edition, and even though AntiVir appears in the Security Center GUI, it does not work as a DL scanner for the browsers (FF 3 nor IE 7).

It seems that if an AV is designed to work with these methods, the AV has to register itself and enable a particular Group Policy:

User Configuration\Administrative Templates\Windows Components\Attachment Manager

Doing so automatically creates this registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments ScanWithAntiVirus = 3

(*see here for some interesting stuff:
»support.microsoft.com/kb/883260)

I checked my system, and the "Attachment Manager" Group Policy was disabled and the reg entries did not exist at all. However, even manually setting the Group Policy makes no difference with AntiVir Free, so there is more to its failure to work with IE 7 and FF 3 than that particular setting (i.e., it seems it was not designed to communicate with the OS in a way that the browsers need ... and it's highly possible that some FF issues may still need to be worked out, though that doesn't explain why AntiVir doesn't work with IE 7, either).

So, for testing, I installed Windows Defender (which automatically sets the above Group Policy and registry entries upon installation, by the way), and it works fine as a download scanner with both IE 7 and FF 3.

Beyond that, there still seems to be some tidying-up of the FF 3 display and behavior relative to the scanning process as it seems odd and inconsistent to me. I don't have time to expound fully, but here are a few examples:

- the DL Manager has a scanning-progress animation, but it only appears AFTER the AV has found the file to be suspect; it does not appear at all if the file is clean.

- the animation will time-out if the user doesn't respond to the AV prompt (i.e., the animation stops and the file is placed on the DL Manager's list)

- the DL Manager listing shows the file as if it were any other file, even if it was found to be malware by the AV (no big, Red X image or note that the file was found to be malware).

Just passing the file path parameter to the AV and retreating into the background is fine with me; however, providing a scanning-progress animation implies that the DL Manager is actually communicating with the AV for a purpose, otherwise it's just like a fake intake-scoop and a loud muffler on a Toyota Tercel. All show. And not a very good show at that. :)

FF DL Manager / AV Scanner Functionality

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 22:51:59 EDT

Hangetsu : I definitely would not get rid of NoScript yet. The biggest problem with security zones in IE is that you cannot pick and choose which domains you accept content from. For example, you may want to allow cnn.com, but with IE's zones you will be mixed content, as there may be doubleclick.net stuff on the site as well.

NoScript shows you which domains are part of a site.

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 22:25:54 EDT

HA Nut : Interesting discussions! A couple more thoughts after reading some posts...

sivran: I'm not sure I would dump NoScript just yet. I haven't seen definitive evidence of how far FF 3 follows IE's Security Zones. So far, I've personally only seen file downloads and the launching of downloaded files.

I think BandHeight is on to something about FF 3 in business/office environments. Whether intended or not, FF 3 could be safer if group policy covered file downloads.

Other than the about:config entry where the AV scanning is set, has anyone read exactly how FF 3 goes about determining how to call up the AV and run the proper command(s) to actually perform the scan? I've ran FF 3 with the scanner on and off and saw no perceptible difference.

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 21:08:19 EDT

Mele20 :

said by BandHeight :

If you have a Policy for high security, it prompts the user or blocks the activity completely (Zone 3 or Zone 4, respectively). If the user chooses a less secure Policy (Zone 1 or 2), the prompting and blocking do not occur at all or are lessened.

I think you are fundamentally misunderstanding this topic.

EDIT:
By the way, once the downloaded file is tagged with a Zone 3 ADS per policy, FF is out of the picture. The prompt that a user gets when the file is executed is then received from the OS and it looks just like the prompt that a Zone 3 file downloaded by IE would look (see images in this post).

Of course, this does not apply for Zone 4 because no file is actually downloaded, so no ADS can be added and the file-blocked message comes immediately from the browser itself (thus the 2 different screen-shots in my previous post).

What are these "zones"? I don't use IE but rarely. I am a Mozilla person. I used Netscape when I got my first compter, then Mozilla, then Phoenix also and then Firebird/Firefox and SeaMonkey. I remember something called local/internet/trusted/restricted tabs in IE options. I never paid much attention to them. I kept everything in the internet tab except Spyware Blaster puts stuff in the restricted tab. I used custom settings for IE privacy from the beginning ...no slider or other junk but basically I don't use IE and would rip it out if I could. The only thing I use IE for, and the only reason to keep it around (if I could get rid of it), was for Java speedtests until the beginning of this year when I finally stopped using MSJava. I still don't allow Java on Fx. I have IE for speed tests and for the few sites that still won't work in Fx. (I also keep IE on a virtual machine that runs XP Pro SP1 for my ONLY install of Flash Player. I have it installed just so I can see how awful my ISP is now that they ditched the best speed test for a crap Flash one that cost a lot less. I never have allowed Flash on Fx or Mozilla/Seamonkey).

I thought we were talking about this:

"Reset system Internet security settings - Windows

Starting in Firefox 3: When you attempt to download an executable file (e.g., an .exe or .msi file) you may see a Firefox Downloads window with one of these messages under the filename:

* Blocked: Download may contain a virus or spyware (Firefox 3 Beta 5 image)
* This download has been blocked by your Security Zone Policy (Firefox 3 RC1 image).

This issue does not occur in Firefox 2 or earlier.

Firefox 3 may block downloads of all executable files if the Internet security option, "Launching applications and unsafe files" is set to "Disabled". [18] [19] To change this setting, open Internet Options (via Control Panel or from Internet Explorer -> Tools) and click the "Security" tab. Select the "Internet" zone, click the "Custom level..." button, then find the "Launching applications and unsafe files" setting (under Miscellaneous) and select "Prompt (Recommended)" "

»kb.mozillazine.org/Unable_to_sav···_Windows
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 21:02:57 EDT

Mele20 : Auto quote worked the next time I tried it. Every now and then it won't work. If you had bothered to do a search you would find a number threads over the years about auto quote not working for awhile or working intermittently. I meantioned out of politeness but that was lost on you.

What "feature" was added in SP2?
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 20:46:58 EDT

Ctrl Alt Del :

said by Mele20 :

Auto quote isn't working.

I understand what Bandheight said. My reply is that it is not true that Fx3 is placing ADS on downloads. It is not doing for me. Therefore, this feature does not work. Bandheight has Service Pack 3 for XP. I have SP2. Maybe Service Pack 3 is required for this to work? If so, that is another good reason to not install SP3...getting too bossy.

Your settings are insane so you may have turned them off in Internet Explorer's Internet Settings. If you're worried about this feature, you can turn it off so it acts exactly like it did before.

This feature was added in SP2, so your machine already has the framework for this feature.
--
less talk, more music

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 20:44:58 EDT

BandHeight :

said by Mele20 :

Auto quote isn't working.

I just auto-quoted. It never ceases to amaze me how many things don't work for you.

said by Mele20 :

I understand what Bandheight said.

No comment.

said by Mele20 :

My reply is that it is not true that Fx3 is placing ADS on downloads.

Really?

said by Mele20 :

It is not doing for me.

Of course not.

Please understand saying that something is not true (which makes me what by extension?) just because it doesn't work for you is insulting to say the least. I did not fabricate the FF 3 functionality (nor did anyone else in this thread for that matter), and I did not fabricate the test results and screen-shots I posted here.

Edit:

And because I can (but shouldn't have), I tested Win XP SP2, and of course as I expected, the ADS tags were added by FF 3.0 just as they were in Win XP SP3. See image above. For the record, my SP 3 tests were on XP Pro (which I failed to mention), so the tests thus far seem to validate the same functionality in SP 2 and SP3 and Pro and Home versions. This is not surprising.

FF 3.0 Adds Zone Tags In Win XP SP 2 Just Like In SP 3

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 20:15:16 EDT

Mele20 : Auto quote isn't working.

I understand what Bandheight said. My reply is that it is not true that Fx3 is placing ADS on downloads. It is not doing for me. Therefore, this feature does not work. Bandheight has Service Pack 3 for XP. I have SP2. Maybe Service Pack 3 is required for this to work? If so, that is another good reason to not install SP3...getting too bossy.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 14:34:35 EDT

BandHeight :

said by BandHeight :

Results (image posted: FF-Streams.png)

- IE7 - Added ADS; execution prompts user
- FF 3.0 - Added ADS; execution prompts user
- Opera 9.5 - Did not add ADS; execution proceeds without prompt
- GetRight 5.2d - Did not add ADS; execution proceeds without prompt

said by Mele20 :

I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....?

I know that might have been a little confusing, but c'mon ... why would I have even wasted my time with the previous post if I could only achieve those results by manually adding the ADS? Of course I didn't manually add the ADS ... the applications did (or didn't) as the case may have been. For example, when I downloaded the file with FF 3.0, the tags were automatically added based on my Policy because FF 3.0 recognizes and respects the Policy I have set (it uses the aforementioned IAttachmentExecute::CheckPolicy Method to do so) whereas Opera, for example, is Policy agnostic (thus, it does not add the Zone ADS tag).

said by Mele20 :

Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure.

None of the applications that recognize Policy react opposite your set Policy. :) They honor / respect your Policy. If you want to be insecure, the applications respect that. If you want to be secure, they respect that, too. It is your choice which Policy you set (Zone 1, 2, 3 or 4) for specific activities ... so why would FF 3.0 try to do the opposite of what your Policy dictated it to do?

If you have a Policy for high security, it prompts the user or blocks the activity completely (Zone 3 or Zone 4, respectively). If the user chooses a less secure Policy (Zone 1 or 2), the prompting and blocking do not occur at all or are lessened.

I think you are fundamentally misunderstanding this topic.

EDIT:
By the way, once the downloaded file is tagged with a Zone 3 ADS per policy, FF is out of the picture. The prompt that a user gets when the file is executed is then received from the OS and it looks just like the prompt that a Zone 3 file downloaded by IE would look (see images in this post).

Of course, this does not apply for Zone 4 because no file is actually downloaded, so no ADS can be added and the file-blocked message comes immediately from the browser itself (thus the 2 different screen-shots in my previous post).

Prompt Recieved Upon Execution of Zone 3 Tagged File DL'd with IE 7
Prompt Recieved Upon Execution of Zone 3 Tagged File DL'd with FF 3.0

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 10:00:56 EDT

Ctrl Alt Del :

said by Mele20 :

I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....?

Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure.

Firefox 3.0 for Windows now uses the same feature that Internet Explorer uses when you download a file from the internet. Firefox tags a downloaded file which then tells Windows to show the prompt. He did not add any ADS, that was Firefox that added the ADS.
--
less talk, more music

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 09:18:04 EDT

Mele20 : I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....?

Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 07:10:04 EDT

BandHeight :

said by Mele20 :

So, these features are not working for me at all.

Test 1

- OS: Win XP SP3
- Storage Filesystem: NTFS
- Policy Set To Medium (3)

I downloaded the FF 3 installation file from Mozilla using four different applications:

- IE7 SP3 - File saved as: Firefox Setup 3.0-DLIE.exe
- FF 3.0 - File saved as: Firefox Setup 3.0-DLFF.exe
- Opera 9.5 - File saved as: Firefox Setup 3.0-DLOP.exe
- GetRight 5.2d - File saved as: Firefox Setup 3.0-DLGR.exe

Results (image posted: FF-Streams.png)

- IE7 - Added ADS; execution prompts user
- FF 3.0 - Added ADS; execution prompts user
- Opera 9.5 - Did not add ADS; execution proceeds without prompt
- GetRight 5.2d - Did not add ADS; execution proceeds without prompt

Test 2
- OS: Win XP SP3
- Storage Filesystem: NTFS
- General Policy Set To Medium (3) But FF Download Site Added To Restricted Zone (High - Zone 4)

I downloaded the FF 3 installation file from Mozilla using two different applications:

- IE7 SP3 - File saved as: N/A
- FF 3.0 - File saved as: Firefox Setup 3.0-DLFF-Restricted.exe

Results (images posted - IE7-DLDenied.png and FF-DLDenied.png):

- IE7 SP3 - Clicking the download link immediately alerts user with messsage box, "Your current security settings do not allow this file to be downloaded".

- FF 3.0 - Clicking the download link presents "Save As ..." dialog and then launches the FF DL Manager after clicking "Save". However, the FF DL Manager halts the download, and the DL Manager listing shows the file name with the following message: "This download has been blocked by your Security Zone Policy -- mozilla.org".

By the way, the file and partial file are left on the file system; file size of each is zero bytes (that probably needs to be cleaned up automatically?).

FF-Streams.png
IE7-DLDenied.png
FF-DLDenied.png

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 06:02:20 EDT

Mele20 : I took the time just now to install Avira free on Fx3 on my virtual XP machine. I left the dangerous download setting for IE. I changed the setting for browser.download.manager.scanWhenDone back to true. Avira wouldn't let me play with Eicar at all..not even the zip ones. So, I instead downloaded a couple of applications and Fx never tried to start my AV, never tried to stop me from downloading because I have those unsafe settings for IE, never warned me about anything to do with the downloads. I checked them for ADS and there is no ADS tagging. I even tried opening the file directly from the download manager (instead of going to the containing folder as I ordinarily would so I could scan it) and Fx let it open directly and this was while IE has the bad settings enabled.

So, these features are not working for me at all.

Oh, so far Fx3 on the XP virtual machine is working fine...I still have no idea what was the matter last night.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 05:37:34 EDT

Mele20 : I haven't done it. I want the spell checker to stay turned off until I want it. I don't want to do without a spell checker entirely. So, I've been undecided about what to do.

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 05:23:34 EDT

Grail Knight : Did that user.js spelling setting work for you?

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 01:50:38 EDT

Mele20 : Thank you for the link to the bug report. :) That was very interesting reading.

I still don't get it because there are no ADS on downloads from Fx3. I just downloaded Eicar, both the .exe and one of the zips, and saved them to my downloaded programs folder. Then I right click scanned them for ADS and they have none. I ran them both and Fx didn't popup any warning. I have no AV installed at the moment on this XP Pro guest machine so I was able to download the .exe one which ordinarily my AV would stop me before the download started. So, where are these ADS tags from Fx? They are not on any downloads. This Streams Shell Extension finds other ADS so I have no reason to think that Fx has somehow managed to hide the ADS from this extension. (I have not yet tried to install the extension on Vista. It may not work there). I suppose I can grab one of my myriad of programs (off my host...easy to do with XP...Vista is one huge headache for grabbing files on the network) that find ADS and run one of them in case Streams Shell Extension is somehow missing these. Ieven changed the settings in IE8 to allow unsafe downloads an Fx3 doesn't object to my running eicar.com or opening the eicar zip files. So, evidently, this feature is not working in Fx3.

Oh, btw, Fx3 works fine today on my guest XP machine. :) I'm on it now. It loaded all tabs very rapidly and blazes at Mozillazine forums. It loaded a preview of a post there so fast I was amazed and also posted it and then took me to the post incredibly fast. So, I have no idea what was wrong yesterday. I shut that machine down last night and booted it up again a little while ago. Maybe Windows needed restarting for some unclear reason. I'm going to use this machine now for awhile and see if, after a few hours, it happens again or not.

edit: I shut down IE with the risky setting still in place. Just now, I started IE8 again and got a gigantic warning telling me not to surf the internet with such a risky setting. So, why is Fx not reacting to that change? I don't think it is working on Fx unless Eicar files are exempted from the ADS?

--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Mon, 23 Jun 2008 00:35:32 EDT

OZO : If Firefox 3 honors Windows Security Zones, does it honor configuration settings related to them as well?

To turn off creation of :Zone.Identifier ADS's for downloaded files there are several well known ways:
• Run registry file containing:


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

• Run gpedit.msc and go to User Configuration | Administrative Templates | Windows Components | Attachment Manager and enable Do not preserve zone information in file attachments policy.

If you do so - IE will not make those ADS.

Now, what about FF.3?
Are those guys developing FF real professionals or just amateurs? ;)

--
Keep it simple, it'll become complex by itself...

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 23:57:18 EDT

Mele20 :

said by vicks :

said by Cudni :

it is good to be sure, what happens when you click to download .exe in FF 2 ?

You didn't understand what is Windows Security Zone. :)
Try these steps:
1. download an exe with Firefox 2
2. save to disk
3. run it
result: when you run it, no warning is shown because the file has not marked by an alternate data stream

Since XP SP2, Internet Explorer 6 marks all downloaded files by an alternate data stream which tells it comes from Internet zone and so Windows shows this warning:

What about those of us who have a Shell extension that removes ALL Alternate Data Streams? I would never allow any ADS on any file. I immediately right click check any file I download for ADS and the extension removes the ADS. Viruses and other crap can hide in ADS. Why would Microsoft be so stupid as to use a known hiding place for malware to mark a file? UGH. (I don't know if the Shell extension works on Vista. I think I will try and see. I have downloaded almost nothing to Vista. I just grab from the network what I need).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 13:59:59 EDT

La Luna :

said by Mele20 :

...But there is no Spellbound extension for Fx3 and I cannot turn off the spell checker even though the box to use it in Options/advanced is unchecked. I also cannot turn it off on the Vista machine. I have to right click uncheck the "check spelling" box every time I go to make a post. Then when I preview the post and want to change something, add something, the spell checker has been turned back on. It is awful. It is like a leech that cannot be dislodged....

Turning off spellchecker is one of the first things I did, and I haven't seen it since, it has stayed turned off, and the box is still unchecked 5 days later.
--
11,302 DEADLY TERROR ATTACKS SINCE 9/11~~SARAH BRIGHTMAN SYMPHONY WORLD TOUR

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 13:25:29 EDT

Grail Knight : Semantics are very important when discussing computers and software. I am not being nitpicky with you. When I was working and I went to a customers house I bet I spent more time trying to figure out what they were talking about vs time spent fixing their computer.
--------------------------------
Just put this in the user.js in your Profile Folder and it will disable the spellchecker. Restart Fx when done. You will have to create the user.js file.

user_pref("layout.spellcheckDefault", 0);
-----------------------------------------
I did not say that Fx could not run on Virtual Machine they will run but oft times in Fx you lose some functionality. You have seen this yourself.

Look at a software package and it will say something like this:

Works with:

Win95
WinXP
Vista

Hypothetically if also were to say a virtual drive then I know the developer has tested it fully in this environment. I have nothing against a virtual install I run some games from a virtual drive so I do not have to swap out discs but there are a couple that refused to work right.
---------------------------------------------
IE allowing something to run is not inherently dangerous. It is the user that is dangerous much of the time by not paying attention to what they are doing or blowing through things clicking away not paying attention. You know you can have IE set to download and notify when done but it will not run the program without user intervention and can even be notified before the download begins. It is all about knowing what you (not you in particular) are doing and how your setting up IE.

In all these years I have had zero issue downloading in IE or having something Run without me initiating it. A good AV is going to catch anything or it is supposed to.

Edit* Cleaned up spelling and layout.

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 11:42:54 EDT

Cudni :

said by vicks :

You didn't understand what is Windows Security Zone. :)
Try these steps:
1. download an exe with Firefox 2
2. save to disk
3. run it
result: when you run it, no warning is shown because the file has not marked by an alternate data stream

I understood perfectly which is the part you missed :)

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 11:31:19 EDT

BandHeight :

said by Mele20 :

That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap.

Do you think I just made that up? That I dug through the MSDN and picked that article at random?

It is exactly relevant because that is the interface at the core of the issue being discussed.

MS did not tell FF users how to handle downloads. They provided a programming interface that the Mozilla team chose to use.

Please see this bug report where the idea to use IAttachmentExecute was initially introduced for FF 3, specifically Firefox 3 beta4 (see especially comments 8-15):

»https://bugzilla.mozilla.org/show_bug.cgi?id=408153

Also, for Cudni and the rest following the discussion about where this behavior originally appeared in Windows products and to get a glimpse at (some) of the original thinking on possibly using the IAE interface in FF (goes back to 2004):

»https://bugzilla.mozilla.org/show_bug.cgi?id=236771

said by Mele20 :

As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked ...

Of course it is. I wouldn't have expected you to describe a successful user-experience.

But those of us who have it running perfectly on multiple OSes (even without the unbelievable amount of changes you claim must be made for it to be "usable"), we will just continue on.

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 10:35:25 EDT

anon :

said by Cudni :

it is good to be sure, what happens when you click to download .exe in FF 2 ?

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 10:20:34 EDT

Cudni : it is good to be sure, what happens when you click to download .exe in FF 2 ?

Cudni

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 10:15:36 EDT

anon :

said by Cudni :

are you sure?

yes I'm sure. All downloads in Firefox 2 are NOT marked with an alternated data stream (Windows Security Zones), so when the user clicks on an exe saved by Firefox 2, no warning is received. This feature is just added only with Firefox 3.0. IE6 has this feature since WinXP SP2 :) Mozilla is in late!!!!!!!!!!!!!!!!!!!!!!!

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 10:09:35 EDT

Mele20 : Yeah...that is Fx3 going backwards. In earlier versions you could not run it rather your ONLY choice was to download to disk in the obvious hope that the user would then scan it with their AV before running it. I suppose Fx3 changed it because the user's AV will be forced to scan it by Fx after downloading and before running. Of course, the user will just turn that off in preferences ...just as they ran it after downloading to disk in earlier versions without having their AV scan it.

You can lead a horse to water but you can't force it to drink. Same with people. I don't think any of this "forcing" should be happening. None of these things should be by default. (I recall all the brouhaha surrounding the decision some time ago to force download to disk and I was against it. I think folks should be able to choose to poison themselves if they want). There should be lots of options and then users should choose the ones they want because they are going to do that anyway. You cannot force security on users. That doesn't work. All you do is end up creating "hackers" or you lose market share as most people resent being forced to do something they don't like.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 10:05:16 EDT

Cudni :

said by vicks :

... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! :)

are you sure? FF 3.0 first version you are using?

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 09:57:04 EDT

anon :

said by Mele20 :

IE has always been very unsafe as far as downloads go as you can RUN the download.

Since Windows XP SP2, when you run a file downloaded via IE6, the user receives a warning about it...
... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! :)

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 09:25:45 EDT

Mele20 : It is semantics that plagues you and I. ;) I don't think something is "usable" unless it works like the user wants it to work. You feel it is "usable" if you can use like it comes even though you dislike a great deal about the way it is out of the box. That's a semantics disagreement about what the word "usable" means. We are both right or both wrong as the answer is based on how a person defines "usable".

My extensions work fine. But there is no Spellbound extension for Fx3 and I cannot turn off the spell checker even though the box to use it in Options/advanced is unchecked. I also cannot turn it off on the Vista machine. I have to right click uncheck the "check spelling" box every time I go to make a post. Then when I preview the post and want to change something, add something, the spell checker has been turned back on. It is awful. It is like a leech that cannot be dislodged. The new TBE extensions are ok but the auto hide doesn't work right and I had to turn that off. I have three extensions where I have one for 1.5. I have the awesome bar fixed and I don't have to hassle with getting rid of the favicons like my friend just did and sent me the rather convoluted fix because I installed CookieSafe and it now, with the latest version, blocks all those myriad of third party favicon cookies.

I don't understand your comment about IE and downloads. IE downloads are dangerous because IE does not stop you from running the download. Fx is far superior in this regard so there is no need for Fx to go begging to IE about some Windows standards that Microsoft doesn't even have. As for the anti virus being hijacked by Fx3, of course, I turned that off. Why would you think I wouldn't? I had not encountered the behavior because I don't run AV on my virtual machines...(well, I will be running one on the Vista one because it is the inferior Microsoft Virtual PC which has no ability to take snapshots or clone).

Where did you get the idea that Fx cannot run on virtual machines? If true, that would set Fx back eons. I fired up my virtual machine that has Fx2 on it and it loads all sites rapidly. There is no problem with VMWare. It's something with Fx3. As I said, I have done a great deal of "tweaking" as you call it ...I call the same thing making the browser "usable" and probably something I did borked it. I have IE 8 on that machine and it has lots of problems so trying it to see if it could be something with that XP Pro install (rather than Fx2) isn't much help. I don't think I installed Opera on that machine. The virtual machines have a fixed size hard drive which is small so I can't put a lot on them. That is one nice thing about MS Virtual PC..I can change the size of the hard drive on the fly or add more hard drives if I want.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 08:21:53 EDT

Grail Knight :

quote:
Who knows what I did of the myriad of pref changes, etc. that borked it. I am just stunned at how much has to be changed in Fx3 to make it usable.

Are you going to start this again? You said the same thing about Fx v2 that was disputed and never gave a straight answer as to what exactly you had to change to make it usable. I install Fx v3 and start it right up and used it. That is uable to me. Tweaking comes afterword.

Other then your usual complaints of favorite extensions not working, no spellbound because the dev made the excellent inline one, and the awesome bar of which I posted tweaks to disable it months ago what else is wrong?

Problems with Fx v3 and VM should be asked of the VM devs. I see no notes saying Fx v3 is made to run on a virtual drive.

Delete it and start over. You certainly have time.

quote:
Besides, IE has always been very unsafe as far as downloads go as you can RUN the download.

Is that not the goal to run a program after you download it unless you are archiving something? Certainly by now you should know how to right-click save to hard drive and not have it run without user approval.

Edit* Closed up spacing and consolidated comments

Edit* If you even follow the link the OP posted you will see that the AV can be disabled. Did you read down that far on the page?

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 08:00:44 EDT

Mele20 :

said by BandHeight :

Well, the download / execute policy setting, though identified by MS as an IE setting in some of the GUIs where the policy can be changed, is actually a policy of the OS that was intended to be followed by other clients (email apps, browsers, etc.) that run on the system.
Yes, Mozilla could have opted to not use that particular interface, but they seem to have their sights on business / office environments where admins expect the policy to be respected by installed software.

I have no real problem with them respecting the settings, but they did not really provide an elegant solution for the user to ignore the policy when desired. Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.

Well, what will likely happen (per the usual progression) is that we'll be using FF 5 and you will, by then, have switched to FF 3. Why not just give your heart to it now instead of playing so hard to get all the time. :)

That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap.

As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked (although who knows it might work tomorrow). It can't load any pages...it tries and never finishes loading any site. Who knows what I did of the myriad of pref changes, etc. that borked it. I am just stunned at how much has to be changed in Fx3 to make it usable. I thought Fx2 had to have too many changes but it pales next to Fx3 and all the changes that must be made. Fx 1.5 is almost pefect right out of the box. I haven't booted my Vista virtual machine today so I don't know if Fx3 is ok on it or not. I booted up the virtual machine that has Fx2 and it loads pages just fine so it not some problem with VMWare rather something I did must have really messed Fx3 up and I've changed so much I'll probably never be able to figure out what is the culprit.

1.5 is worked so hard by me and I usually have 50 or more tabs open, have over 150 saved tab sessions, been using the same profile for a long time and yet it just keeps going and TBE Tree view works perfectly on it. The new TBE (that is split now into several extensions) on 3 has some problems and isn't like the old TBE. 1.5 uses Spellbound. That awful crap spell checker in 3 drives me nuts. I have it unchecked in options yet it still insists on checking the spelling. I hate it. I want Spellbound. I only see a need to upgrade some machine of mine to 3 because I am afraid my banks will stop supporting 1.5. They don't work with Opera and I hate to have to use IE6.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 05:57:00 EDT

BandHeight :

said by Mele20 :

I don't think Fx has any business following some setting in IE. That makes no sense to me. They are COMPLETELY SEPARATE browsers and should have nothing in common.

Well, the download / execute policy setting, though identified by MS as an IE setting in some of the GUIs where the policy can be changed, is actually a policy of the OS that was intended to be followed by other clients (email apps, browsers, etc.) that run on the system. See the MSDN article on IAttachmentExecute::CheckPolicy Method here:

»msdn.microsoft.com/en-us/library···85).aspx

Yes, Mozilla could have opted to not use that particular interface, but they seem to have their sights on business / office environments where admins expect the policy to be respected by installed software.

I have no real problem with them respecting the settings, but they did not really provide an elegant solution for the user to ignore the policy when desired. Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.

said by Mele20 :

As for forcing your AV to scan your download that also is not a good idea.

At least it has an about:config option that can be changed. I don't really care what the default is.

said by Mele20 :

These are reasons why I continue to use Fx 1.5 on my host computer. I don't need Mozilla pulling a Microsoft and trying to boss me around. :(

Well, what will likely happen (per the usual progression) is that we'll be using FF 5 and you will, by then, have switched to FF 3. Why not just give your heart to it now instead of playing so hard to get all the time. :)

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 05:56:20 EDT

sivran : I'm more annoyed about the launching a virus scan when done "feature."

It's the responsibility of the AV app to scan files upon their creation, and the user to tell it to (or not to) do so. If I don't want a file to be scanned on creation, that's between me and my antivirus software. What's next, FTP clients that do spyware scans? Feh.

Honoring IE Security Zones however I find quite interesting and not a bad idea at all. NoScript? Heh, no need - add to trusted sites! Or if you don't trust it quite THAT much, move from Restricted to Internet zone.

And, I notice yet again, stuff that should be optional is left out of the options dialog, forcing the user to go to about:config. This is supposed to be a browser for the masses?

If this were SeaMonkey, there'd be a checkbox for both of these features, conveniently located in an intuitive place in the preferences dialog.
--
Think outside the fox...Seamonkey

Re: Firefox 3 honors Windows Security Zones...

Sun, 22 Jun 2008 04:10:03 EDT

Mele20 : Thank you for the article.

I don't think Fx has any business following some setting in IE. That makes no sense to me. They are COMPLETELY SEPARATE browsers and should have nothing in common.

As for forcing your AV to scan your download that also is not a good idea. I can just see all the problems that are going to happen because of this when Fx has the wrong path to the scanner, etc. and since this is brand new in Fx3 users won't even suspect this as the causen for their problem as they won't know that Fx is forcing scanning after download.

These are reasons why I continue to use Fx 1.5 on my host computer. I don't need Mozilla pulling a Microsoft and trying to boss me around. :(
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Re: Firefox 3 honors Windows Security Zones...

Sat, 21 Jun 2008 10:40:34 EDT

Cudni : Thanks for the article, also found this that
Disable virus scanning in Firefox preferences - Windows
browser.download.manager.scanWhenDone is set to true as default

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008

Firefox 3 honors Windows Security Zones...

Thu, 19 Jun 2008 13:02:36 EDT

HA Nut : While running FF 3.0, I decided to download an EXE file. But when I did, a warning came up and told me "This download has been blocked by your Security Zone Policy". I thought this was strange since the only Security Zone Policy I had set in place should have affected IE only.

So I went on the hunt, Googled for more info and found this. Some of you may find this helpful if you have IE locked down and FF 3.0 won't download files...
»kb.mozillazine.org/Unable_to_sav···_Windows