Firewall leak tests - Why not on Firefox or Moz

Hi,

Just ran some leak tests at firewallleaktester.com.

Most programs tried to access the net thru ie, even though I have firefox as my default browser. So as long as I deny ie outbound access, I seem to be safe.

However, I believe my sense of security may be misleading since I have disabled ie outbound access in my firewall (Kerio 2), and enabled firefox outbound access (so it doesn't prompt me when it wants to access the net, just logs the action).

Is this correct: that actually I am just as susceptible to a leak with firefox and I should disable the firefox outbound access and let the firewall prompt me when firefox wants to access the net?

Or is the hole with ie?

Thanks

 

Many leaktests can work with firefox but IE has a couple more "features" that can be exploited (like hidden windows, used by TooLeaky). The leaktests using process manipulation (DLL injection, code injection, etc) should function with any browser and the tests should use the "default" browser on your system. Try closing all browsers and then clicking on a link (e.g. in an email) just to check that Firefox is set up as the default on your system - IE has a habit of trying to reinstate itself unless you disable it via Control Panel/Internet Properties/Programs - clear the "Internet Explorer should check..." box at the bottom.

For a firewall to pass a leaktest, it should detect that something is amiss with the browser (e.g. that another process is trying to start Firefox or that the Firefox process has been altered in some way).

 

I have completely removed iexplore.exe from my system, replaced IE with Maxthon so I can still do WU, and even browse the occational site with an IE based browser. I use Firefox for normal usage.

IE allows programs to proxy through IE as IE traffic, its a feature in their eyes, and its a huge security hole for everyone else unless controlled by some kind of sandboxing. At any rate, I removed the default ability for programs to proxy through IE by removing the program period. However leaktests are bs as they don't tests firewalls for the most part, and they are using windows/IE exploits, for the most part most don't even have any direct interaction with the software firewall. Some even give false positives when they have been defeated...

 

sphinx-soft.com has a hijack (dll injection) leaktest that will 'hijack' any program that's running. As far as why, what other single piece of software does every Windows user have?

BlitzenZeus: Does it need to actually start the IE executable to let other progs proxy through it? ie, would it be sufficient to block it with something like PG, or does it still use the IE core?

Also, I agree with your take on the leaktests, and have been looking for a tool to easily test all of the normal functions that a complete firewall should have.. do you know of anything like that? Seems to me that something like that would be of greater value.

 

My understanding is that Maxthon needs IE to be installed on the system to function at all:


http://www.maxthon.com/en/support/faq.htm#requirement


Minimum Requirements
100MHz CPU
32MB RAM
4MB Free Hard Disk Space
Microsoft Windows98
Microsoft Internet Explorer 5.5

Recommended System Configuration
800MHz CPU
256MB RAM
64MB Free Hard Disk Space
Microsoft 2000/XP/2003 or Above
Microsoft Internet Explorer 6.0 or Above

Is there some way around this requirement to have IE installed and still be able to use Maxthon?

 

While Maxthon is an IE shell browser, it doesn't lend the capability for programs to proxy through it like IE itself does. It just uses the IE core files which are part of the operating system, and you can't really uninstall IE anymore these days as many programs need the IE core files to work. If they had never made IE part of the operating system years ago, this would not be as big as a problem that it is, as many people would not have it installed.

 

@ BlitzenZeus:
So as not to pull the thread off topic, I'll just thank you here for the explanation.
I'll pursue the questions I have regarding uninstalling IE in a more appropriate forum.

 

Hi,

leaktests are targetting IE because they are only demonstrations, not trojans, and almost everyone has IE. So you have less code to do, less checks, it's easier (the purpose is to demonstrate something, not to code a full real trojan).

However as said above, a leaktest could target any browser.

Regards,

gkweb.

 

Hi,

Guess that's the problem. Disabled IE and then enabled Firefox so that I don't need to continually agree to let Firefox out - thought that was safe, until I realised that whatever could be done to IE, could be done to Firefox too!

The misperception arose because even tho' I have Firefox as the default browser, the tests always seem to call up IE, except for 'Firehole'.

Cheers.