Saturday, September 20, 2014

Mitigating Recent Firefox and ABE Annoyances

Last weekend I went on and on about recent changes to Firefox that included some “safebrowsing” features and particularly how it seemed to be getting in the way of downloading some binaries from NirSoft (as an example).

This week I saw a notice from the Firefox Extension Guru that a minor update was released.

I’m always looking to keep my web browsers current on their patching for security reasons, but I was also curious if it would address the crazy behavior I blogged about.

Sure enough, once the update was applied and Firefox rebooted, I could now download the particular PasswordFox zip file without any more blocking/malware messages.

I checked the Firefox Release Notes (32.0.2) carefully but didn’t seem to find any reference to safebrowsing. I also checked my about:config and did NOT find the “browser.safebrowsing.appRepURL” key present either.  So the current possibilities stand thusly,

  • The 32.0.2 update fixed something that wasn’t documented in the release notes.
  • Something on Nir Sofer's side/site changed to allow the download/site to be seen as legit, or
  • Something changed in Google’s Safe Browsing application reputation database that now allowed Nir Sofer's site and/or some apps to now be considered legit/safe, or
  • Magic.

I really can’t weigh any one as more probable than the other and I’m really leaning towards the last one as Lavie and I are re-reading the Harry Potter books again together.

Honestly Annoying ABE

Another annoyance I have been struggling with recently is NoScript Security Suite Add-On for Firefox. Overall I love it and use it to help protect my system during web-browsing since I haven’t quite yet felt brave enough to install and use Malwarebytes Anti-Exploit on my “production” system though the recent v1.04.1.1012 release seems to be working much better than the previous version.

(FYI on my Win 7 test-bench VM system Malwarebytes AE is coupled with The Enhanced Mitigation Experience Toolkit (EMET 5.0), GlassWire firewall, and AVG Free Antivirus 2015 and all four seem to play well with each other.)

I think I am generally a pretty savvy NoScript user but recently (arising in the past 2-3 weeks?), hyperlink jumps from either Google search results or The Portable Freeware Collection to NirSoft domain pages have met with a NoScript ABE block. That’s been very annoying.


I’ve been able to work around them by either temporarily disabling ABE inside NoScript, or copying the URL to NirSoft and then opening a new tab and pasting the link in and going manually. Neither is great and sometimes I even got an ABE rule block when downloading a NirSoft zip file from the product page.

I shot an email to the NoScript developer but haven’t heard back. I could have dropped some feedback in the forums but it wasn’t that big a deal.

This morning I did a bunch more research and experimentation with custom ABE rule sets and cobbled together something that allows the hyperlink jumps to NirSoft from The Portable Freeware Collection site to not trigger an ABE alert/block rule; and as a bonus, allow the link jumps to NirSoft in Google to work as well.

Now, I’m still not 100% sure what these changes are doing, so I might be making things tons worse (browser security-wise) than not having anything at all, but I’m putting it out there as a starting point and for discussion if any ABE rule pros want to chime in and help me improve it:

The default “System” Ruleset in ABE is something like this:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

The default “USER” Ruleset is effectively blank.

# User-defined rules. Feel free to experiment here.

I tried a combination of ruleset options under both User or System but this was the one I cobbled together under “System” that got things unjammed. I did add the (redundant) commenting just because I may forget what I meant to do later. It’s ugly and probably fundamentally flawed at protecting the system just to get hyperlinks to NirSoft domain working from other sites, but it’s a noobie’s start.

# Prevent Internet sites from requesting LAN resources.

Site LOCAL
Accept from LOCAL

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Site http://nirsoft.net/
Accept POST SUB from SELF http://nirsoft.net/
Accept GET
Anonymize

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
# And strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains,

Site http://portablefreeware.com/
Accept POST SUB from SELF http://portablefreeware.com/
Accept GET
Anonymize

Deny

As I understand from the documentation, the rule(s) are read from the top down. I’ve also added some line breaks just to keep it more legible.  Putting “Deny” after each rule-set caused it to stop working and it would again just block hyperlink jumps to NirSoft domain.

Putting the “extras” under “User” didn’t work either.

And here is the pile of link references I read through to come up with the above.

Comments and (gently) recommended corrections/refinements are welcome and appreciated!

Cheers,

--Claus Valca
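Added example, not part of the original post and not NoScript's code: a simplified Python model of top-down, first-match ABE evaluation, run over the two System rulesets quoted in the post. It assumes blank lines do not end a rule and that a request no predicate matches is left alone; `parse`, `matches` and `decide` are hypothetical names and the request URLs in the checks are constructed.

```python
import ipaddress
from urllib.parse import urlsplit
DEFAULT = "Site LOCAL\nAccept from LOCAL\nDeny\n"  # shipped System ruleset
MODIFIED = """Site LOCAL
Accept from LOCAL
Site http://nirsoft.net/
Accept POST SUB from SELF http://nirsoft.net/
Accept GET
Anonymize
Site http://portablefreeware.com/
Accept POST SUB from SELF http://portablefreeware.com/
Accept GET
Anonymize

Deny
"""

def parse(text):
    """[(sites, [(action, methods, origins)])]; blank lines never end a rule."""
    rules = []
    for line in text.splitlines():
        tok = [t.strip(",") for t in line.split("#")[0].split()]
        if tok[:1] == ["Site"]:
            rules.append((tok[1:], []))
        elif tok and rules:  # predicate line: attach to the most recent Site
            cut = tok.index("from") if "from" in tok else len(tok)
            rules[-1][1].append((tok[0], tok[1:cut], tok[cut + 1:]))
    return rules

def matches(pattern, url, dest):
    host = urlsplit(url).hostname or ""
    if pattern == "SELF":  # same host as the request's destination
        return host == urlsplit(dest).hostname
    if pattern != "LOCAL":  # plain URL pattern: modelled as a prefix match
        return url.startswith(pattern)
    try:
        return ipaddress.ip_address(host).is_private  # RFC 1918, loopback
    except ValueError:
        return host == "localhost"

def decide(ruleset, method, origin, dest):
    """First matching predicate of a matching Site wins; None = no rule acted."""
    for sites, preds in parse(ruleset):
        if any(matches(s, dest, dest) for s in sites):
            for action, methods, origins in preds:
                if (not methods or method in methods) and (
                        not origins or any(matches(o, origin, dest) for o in origins)):
                    return action
    return None
```

In this model the trailing `Deny` belongs to the `portablefreeware.com` rule, so a request from an Internet page to a LAN address, which the shipped ruleset denies, gets no decision under the modified one.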

4 comments:

FF Extension Guru said...

"Magic" sounds like a good explanation to me as well.

Bruce C. said...

You've got the ABE stuff about right. If you put deny without a list of sites, it will deny everything that wasn't allowed before that point, which is why mixing in the deny didn't work. Similarly, the #User block didn't work because it runs after the #System block, and the system block contains the "deny".

Claus said...

@ Bruce C. - Thank you for the confirmation and taking the time to leave an additional explanation.

I hadn't picked up that the System rules took precedence over the User rules. I guess I expected them to work concurrently.

Your information really helps!

Cheers.

--Claus V.

FF Extension Guru said...

Okay, maybe not magic after all. According to ghacks.net, Nir did make some changes to his software to prevent it from being banished by some AV Software and the almighty Google.