Firefox copies from IE??

[sopadeajo]

Firefox 3 aprovecha una opción de seguridad de Internet Explorer
 ----------------------------------------------------------------

En un movimiento cuando menos curioso, Firefox 3 bajo Windows se
aprovecha de una de las mejores (y a la vez más desconocidas)
funcionalidades de Internet Explorer: las zonas de seguridad. De hecho,
Firefox 3 se aplicará a sí mismo una opción de la configuración de las
zonas de seguridad de Internet Explorer, de forma que si no se confía
en un dominio para descargar ejecutables en el navegador de Microsoft,
Firefox 3 tampoco permitirá la descarga.

Internet Explorer permite clasificar las páginas (los dominios) en
distintas zonas. Las zonas son una clasificación lógica que hace el
navegador de las distintas páginas que se visitan. A cada zona (que se
puede ver como un conjunto de dominios) se le permiten ciertas licencias
sobre el sistema, o ejecución de cierto tipo de código del lado del
cliente según la zona donde quede adjudicado cada dominio. Esto permite
clasificar de forma eficiente las zonas confiables o peligrosas y
ejercer cierto control sobre el sistema según los escenarios a los que
nos enfrentemos. Así, se puede limitar la ejecución de ActiveX a un
cierto número de páginas confiables, permitirlo en todas menos en una
lista conocida, permitir la descarga sólo desde ciertos dominios...
Las zonas de Internet Explorer son una herramienta injustificadamente
ignorada en general por los usuarios... pero no por Firefox 3.

Los usuarios de Firefox que hayan configurado sus zonas de Internet
Explorer de forma saludablemente paranoica, se encontrarán con que, por
ejemplo, no podrán descargar con Firefox 3 ejecutables desde algunas
páginas. Firefox emitirá el siguiente error:

This download has been blocked by your Security Zone Policy (Esta
descarga ha sido bloqueada por la política de seguridad de las zonas).

Y, por mucho que los usuarios busquen la opción que se lo permita en
la configuración del propio Firefox, no lo descargará hasta que no se
modifique la configuración de las zonas de Internet

En concreto, se vale de una directiva existente en Internet Explorer 7
a la hora de configurar profusamente las zonas de seguridad: "Ejecutar
aplicaciones y archivos no seguros". Esta directiva permite elegir si
se va a "bloquear", "permitir" o "preguntar" al ejecutar o descargar
archivos desde un dominio catalogado en una zona concreta. Por defecto
está configurado para "preguntar", pero si un usuario eleva la seguridad
de su "zona de Internet" (sitios desconocidos, habitualmente), esta
opción bloqueará por defecto todas las descargas y ejecuciones de
archivos de los dominios que no estén en la zona de "sitios de
confianza" (una especie de lista blanca). Y ahora no sólo en Internet
Explorer, sino también en Firefox 3 bajo Windows.

Este aprovechamiento de funcionalidades ajenas podría ser visto como un
movimiento de Mozilla orientado hacia el entorno corporativo. Uno de los
argumentos que Microsoft ha esgrimido siempre a favor de su navegador es
que Internet Explorer, en un entorno corporativo (con Directorio Activo
y numerosos sistemas) es muy configurable por políticas de forma cómoda,
pudiendo de un solo golpe de ratón asegurar por ejemplo las zonas en
todos los puestos de trabajo. Con este movimiento, aprovechando la
configuración de IE, Firefox facilita su aceptación en un entorno
corporativo, que sufre de problemas y necesidades mucho más complejas
que las del usuario medio. La necesidad de compatibilidad y posibilidad
de configuración remota, granular y masiva suele ser lo más valorado por
los administradores de grandes sistemas.

Opina sobre esta noticia:
http://www.hispasec.com/unaaldia/3560/comentar

Más información:

Reset system Internet security settings - Windows
http://kb.mozillazine.org/Unable_to_save_or_download_files#Reset_system_Internet_security_settings_-_Windows

Firefox 3 Follows IE7's Security Settings
http://blog.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html


Sergio de los Santos
ssantos@hispasec.com


Sorry, I have problems to translate it with Firefox translator add-on. Avast forum is asking me to log in, but i already am, and NoScript add-on tells me that it could be a case of cross-scripting, and no translation got. Anybody else will be able to post a link with the english translation.


Edited: Here it is:

http://64.233.179.104/translate_c?u=http%3A%2F%2Fforum.avast.com%2Findex.php%3Ftopic%3D37319.0&langpair=es|en&hl=es&ie=UTF8

I had to wait till my comment was posted, and then translate it

[FreewheelinFrank]

http://blog.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html#comments

It's just Firefox respecting the settings you have in Security Center (assuming you're using Windows, of course).

[sopadeajo]

"Firefox 3 also by default scans all downloaded files with any anti-virus software installed on the host machine. Mozilla notes that "in some cases, this may cause a substantial delay in saving the downloaded file." Incidentally, this feature did not appear to invoke the anti-virus scanner installed on my test PC (NOD 32), but your anti-virus software may behave differently.

Firefox 3 users can disable the automatic virus scanning of downloads in Firefox 3 by typing "about:config" in the address bar, scrolling down to the "browser.download.manager.scanWhenDone" listing and setting it to "false". "


I did not know this. Do this happen with Avast? Does Firefox ask Avast scanner to check every downloaded file?

[sopadeajo]

Reading some Firefox documents, i learned this:

firefox is using Microsoft malware detection
facility for virus scan.

So, if Microsoft accepts an antivirus, it will be used (called by Firefox) to scan on downloads.

I think this is a good thing, but it should be widely known.

Could any Avast developer confirm that Avast under Windows and Firefox, is automatically asked to scan downloaded files?.... cause you do not need to scan again, as i used to do, before running them if they are executables.

[DavidR]

"Firefox 3 also by default scans all downloaded files with any anti-virus software installed on the host machine.
<snip>
Incidentally, this feature did not appear to invoke the anti-virus scanner installed on my test PC (NOD 32), but your anti-virus software may behave differently.

Firefox 3 users can disable the automatic virus scanning of downloads in Firefox 3 by typing "about:config" in the address bar, scrolling down to the "browser.download.manager.scanWhenDone" listing and setting it to "false". "

It doesn't automatically scan my downloads, certainly not with avast installed and I haven't made the change mentioned. So if it truly is auto scan it obviously doesn't know what file or location to use.

The default setting to scan downloads is set in about:config but no scan takes place, so my statement above seems to be correct.

[sopadeajo]

I do have the browser.download.manager.scanWhenDone set to True (firefox 3.01) also, but i cannot say if downloaded files are checked by Avast or not, i do not know how to verify it.

See that this is a non trivial matter since you must know if there has been a antivirus scan or not.

[DavidR]

That was what I was saying that even though this is a default for some reason the firefox scanwhendone doesn't work, why is the question, but I would seriously doubt that Mozilla know every executable for every AV that would scan a downloaded file.

In the text you quoted the original poster said it didn't work with nod32 either.

If firefox is simply looking for that information in the windows security center then it won't be aware of ashQuick.exe (the same is likely to be true for many other AVs) so won't be calling it. So whilst it might be a good idea (or not) it isn't 100%.

[bob3160]

David it's working as described on my system:


Click Picture to enlarge

[Lisandro]

David it's working as described on my system:


Click Picture to enlarge

Bob I couldn't find that entry into about:config of 3.0.1 Firefox version...
Is it named completely into the picture?

[bob3160]

David it's working as described on my system:


Click Picture to enlarge

Bob I couldn't find that entry into about:config of 3.0.1 Firefox version...
Is it named completely into the picture?

Yes Tech. It's quite far down in the listing but this is a full copy of the entry.

[DavidR]

David it's working as described on my system:

That is because it is Safe Download that is responsible for the scanning and 'not' the default action of firefox 3.0.

@ Tech
That entry won't be in about:config unless you have the safe download extension installed.

[bob3160]

@ Tech
That entry won't be in about:config unless you have the safe download extension installed.

Doesn't every one use SafeDownload

[DavidR]

Obviously not

So if you temporarily disabled the AV scan, you too would find that the 'new' FF 3.0 scanwhendone option doesn't work with avast.

[Lisandro]

@ Tech
That entry won't be in about:config unless you have the safe download extension installed.

Doesn't every one use SafeDownload

I can't even find it into Mozilla Add-ons anymore...

[sopadeajo]

Reading some Firefox documents, i learned this:

firefox is using Microsoft malware detection
facility for virus scan.

So, if Microsoft accepts an antivirus, it will be used (called by Firefox) to scan on download

Well, i had understood that firefox is using malware detection facility from Microsoft to ask your default (installed) antivirus to automatically scan any downloaded file.

 It could be it uses Microsoft antivirus scan.

I have such a bad opinion of Microsoft, that i did not even consider the possibility of a Microsoft antivirus scan