Firewall leak tests - Why not on Firefox or Moz

Discussion in 'other firewalls' started by JayTee, Nov 25, 2004.

Thread Status:
Not open for further replies.
  1. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Hi,

    Just ran some leak tests at firewallleaktester.com.

    Most programs tried to access the net thru IE, even though I have Firefox as my default browser. So as long as I deny IE outbound access, I seem to be safe.

    However, I believe my sense of security may be misleading since I have disabled IE outbound access in my firewall (Kerio 2), and enabled Firefox outbound access (so it doesn't prompt me when it wants to access the net, just logs the action).

    Is this correct: that actually I am just as susceptible to a leak with Firefox and I should disable the Firefox outbound access and let the firewall prompt me when Firefox wants to access the net?

    Or is the hole with IE?

    Thanks
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Many leaktests can work with Firefox but IE has a couple more "features" that can be exploited (like hidden windows, used by TooLeaky). The leaktests using process manipulation (DLL injection, code injection, etc.) should function with any browser and the tests should use the "default" browser on your system. Try closing all browsers and then clicking on a link (e.g. in an email) just to check that Firefox is set up as the default on your system - IE has a habit of trying to reinstate itself unless you disable it via Control Panel/Internet Properties/Programs - clear the "Internet Explorer should check..." box at the bottom.

    For a firewall to pass a leaktest, it should detect that something is amiss with the browser (e.g. that another process is trying to start Firefox or that the Firefox process has been altered in some way).
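The checks described in the post above, sketched as an added example that is not part of the original thread or any firewall's real logic: a name-only "allow Firefox" rule next to one that also compares the executable hash, the launching parent and the loaded modules. All class and function names, hashes, module names and events are constructed for illustration.

```python
# Added illustration: hypothetical outbound-rule evaluator, not a product's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    sha256: str           # hash recorded when the rule was created
    launchers: frozenset  # parents normally seen starting the application
    modules: frozenset    # modules seen loaded in a clean run

@dataclass(frozen=True)
class Event:              # one outbound connection attempt
    image: str
    sha256: str
    parent: str
    modules: frozenset

CLEAN = frozenset({"xpcom.dll", "nss3.dll"})  # constructed module list
# Constructed baseline; "aa11"/"bb22" are placeholder hashes.
RULES = {"firefox.exe": Baseline("aa11", frozenset({"explorer.exe"}), CLEAN)}

def name_only(ev):
    """The 'permit Firefox and just log it' rule from the first post."""
    return "allow" if ev.image in RULES else "prompt"

def checked(ev):
    """Same rule plus the checks a leak test is meant to exercise."""
    base = RULES.get(ev.image)
    if base is None:
        return "prompt", ["no rule for image"]
    reasons = []
    if ev.sha256 != base.sha256:
        reasons.append("executable changed since rule was created")
    if ev.parent not in base.launchers:
        reasons.append(f"started by unexpected parent {ev.parent}")
    extra = sorted(ev.modules - base.modules)
    if extra:
        reasons.append("unknown modules loaded: " + ", ".join(extra))
    return ("prompt", reasons) if reasons else ("allow", [])

EVENTS = [  # constructed samples: normal, launched by another process, injected, altered
    Event("firefox.exe", "aa11", "explorer.exe", CLEAN),
    Event("firefox.exe", "aa11", "leaktest.exe", CLEAN),
    Event("firefox.exe", "aa11", "explorer.exe", CLEAN | {"hook.dll"}),
    Event("firefox.exe", "bb22", "explorer.exe", CLEAN),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(name_only(ev), checked(ev))
```

The name-only rule allows all four events, while the checked rule prompts on the last three and states why.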
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I have completely removed iexplore.exe from my system, replaced IE with Maxthon so I can still do WU, and even browse the occasional site with an IE based browser. I use Firefox for normal usage.

    IE allows programs to proxy through IE as IE traffic, it's a feature in their eyes, and it's a huge security hole for everyone else unless controlled by some kind of sandboxing. At any rate, I removed the default ability for programs to proxy through IE by removing the program period. However, leaktests are bs as they don't test firewalls for the most part, and they are using Windows/IE exploits, for the most part most don't even have any direct interaction with the software firewall. Some even give false positives when they have been defeated...
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    sphinx-soft.com has a hijack (dll injection) leaktest that will 'hijack' any program that's running. As far as why, what other single piece of software does every Windows user have?

    BlitzenZeus: Does it need to actually start the IE executable to let other progs proxy through it? i.e., would it be sufficient to block it with something like PG, or does it still use the IE core?

    Also, I agree with your take on the leaktests, and have been looking for a tool to easily test all of the normal functions that a complete firewall should have.. do you know of anything like that? Seems to me that something like that would be of greater value.
     
  5. aagfr

    aagfr Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    56
    My understanding is that Maxthon needs IE to be installed on the system to function at all:


    http://www.maxthon.com/en/support/faq.htm#requirement


    Minimum Requirements
    100MHz CPU
    32MB RAM
    4MB Free Hard Disk Space
    Microsoft Windows98
    Microsoft Internet Explorer 5.5

    Recommended System Configuration
    800MHz CPU
    256MB RAM
    64MB Free Hard Disk Space
    Microsoft 2000/XP/2003 or Above
    Microsoft Internet Explorer 6.0 or Above

    Is there some way around this requirement to have IE installed and still be able to use Maxthon?
     
  6. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    While Maxthon is an IE shell browser, it doesn't lend the capability for programs to proxy through it like IE itself does. It just uses the IE core files which are part of the operating system, and you can't really uninstall IE anymore these days as many programs need the IE core files to work. If they had never made IE part of the operating system years ago, this would not be as big a problem as it is, as many people would not have it installed.
     
  7. aagfr

    aagfr Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    56
    @ BlitzenZeus:
    So as not to pull the thread off topic, I'll just thank you here for the explanation.
    I'll pursue the questions I have regarding uninstalling IE in a more appropriate forum.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Leaktests are targeting IE because they are only demonstrations, not trojans, and almost everyone has IE. So you have less code to do, less checks, it's easier (the purpose is to demonstrate something, not to code a full real trojan).

    However as said above, a leaktest could target any browser.

    Regards,

    gkweb.
     
  9. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Hi,

    Guess that's the problem. Disabled IE and then enabled Firefox so that I don't need to continually agree to let Firefox out - thought that was safe, until I realised that whatever could be done to IE, could be done to Firefox too!

    The misperception arose because even tho' I have Firefox as the default browser, the tests always seem to call up IE, except for 'Firehole'.

    Cheers.
     