Search for “privilege escalation” on the mozilla.org domain and see how frequently bugs are found in Firefox that allow scripts on web sites any access right that Firefox has. Mozilla is quick to fix bugs, and diligent users keep up-to-date, but we can predict that some web site will leverage a Firefox bug before the user can get an update from Mozilla, and the user will allow the innocent-looking site in NoScript. This is why we use D+ to restrict access rights of a trusted application like Firefox.
Many D+ users use Paranoid Mode. These are users who tolerate the pop-ups while training D+ (many have to retrain after each CIS version update since a fresh install is often recommended), and who know enough about the Windows OS to differentiate safe actions from malware actions. Since I share my PC with an inexperienced user, I am not one of these folks. The remainder of this thread is not for users who use Paranoid Mode, who already have excellent D+ security. It is for D+ users using Safe Mode or Clean PC Mode who want to maximize Firefox security against privilege escalation vulnerabilities.
If I followed the recommendation of this thread exactly, I cannot use Firefox to download new installers/executables in the Parental Control configuration because the pop-up for the download of such protected files is suppressed. If I download executables in the Install/Uninstall configuration, I have found that D+ allows Firefox (under web site control) to download malware to any directory. See the reported issues here, here and here.
I found that D+ often over-generalizes exceptions in Clean PC Mode when the access right is set to Ask and the user allows an exception, which degrades security going forward. The work-around I found (especially for the frequently-attacked Firefox) is to set all access rights to either Allow or Block so that I have complete control over the exceptions. For maximum security, I blocked all possible Firefox access rights, adding exceptions I found in the D+ event log while browsing trusted web sites. After testing for a week, the following is the D+ custom policy I found for Firefox (if exceptions are not shown for an access right, there are no exceptions):
C:\Downloads, without execute permissions for administrators and users, is the only folder allowed for downloads of executables.
The Flash Player entry allows the Firefox’s BetterPrivacy extension to delete empty folders.
The agdrm entry allows Silverlight to work with Netflix.
The Device entry was trained because I couldn’t find it in the menu of choices.
I expect the Windows Messages exceptions to be different for each PC. Customizing can be avoided by just setting the access right for Windows Messages to Allow, with little loss of security.
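The download folder described above (C:\Downloads with no execute permission for administrators and users) can be set up from an elevated PowerShell prompt with the built-in icacls tool. This is an added example and not part of the original post; the post only states the goal, so the specific ACE layout (inherit-only deny entries that apply to files but not to the folder itself) is my own choice.

```powershell
# Added example: a download folder whose files cannot be executed directly.
# Assumption: the post names the folder and the intent; the ACE details are mine.
$dir = 'C:\Downloads'
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# (OI) = inherited by files, (IO) = inherit-only, so the folder itself keeps
# its normal list/traverse rights and only files placed in it get the entry.
# X = execute/traverse. A Deny ACE is evaluated before any Allow ACE.
foreach ($principal in 'Users', 'Administrators') {
    icacls $dir /deny "${principal}:(OI)(IO)(X)"
}

# Verify the deny entries on the folder and on any file already inside it.
icacls $dir
Get-ChildItem -Path $dir -File | ForEach-Object { icacls $_.FullName }
```

A file saved here and double-clicked fails with "Access is denied", which is the behaviour the post relies on while downloading installers from a limited-user account. Two limits worth knowing: members of Administrators can still remove the deny entry (the entry guards against an accidental double-click, not against an elevated attacker), and the execute right only governs launching the file as a program, so a script handed to an interpreter that merely reads it is not stopped by this ACL.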
With no access rights set to Ask, there are no D+ pop-ups for Firefox. This Firefox custom policy can be used in any CIS configuration – Parental Control and/or Install/Uninstall configurations. I prefer to do normal surfing and download installers/executables while on a limited-user account, install and avoid web browsing while on the administrator account. I also like to test new installers/executables at VirusTotal.com and CIMA while still on the limited-user account.
Safe and happy surfing!