RogueSpear's Forums

[dumpydooby]

Mozilla Firefox v3.6.6

Multimode Installer - 16.2MB
MD5: 9847ec86ef7b9cada9b091493c660c87

Installs From: RunOnceEx
Installs To: %PROGRAMFILES%\Mozilla Firefox (Default)
Shortcut: Programs\Internet
License: MPL/GPL/LGPL
Last Updated: 20100626

Description: This is similar to RogueSpear's, but I use some different addons so peruse them carefully. This is a customized installer for Mozilla Firefox. It contains several extensions, several search plugins, some customized settings, and by default will run under restricted user rights even if the user has administrative rights.

Notes:

• I use a custom installation routine that replaces Mozilla's default Setup.exe file. Its primary function is to write registry entries and verify the installation of AdminFox.exe.
• All non-English locales have been removed, making this strictly an English-only release.

Included Plugins:

• Adobe Flash Player v10.1.53.64 R
• Windows Media Player v3.0.2.629 R

Included Extensions:

• Adblock Plus 1.2 [AMO] R
• BarTab 2.0 [AMO]
• Better Gmail 2 1.2 [AMO] R
• BetterPrivacy 1.47.4 [AMO]
• Console² 0.6.1 [AMO]
• Cookie Monster 1.0.2 [AMO] R U
• Ctrl-Tab 0.21.1 [AMO]
• CuteMenus Classic 0.7.5 [AMO]
• Download Statusbar 0.9.6.8 [AMO]
• DownloadHelper 4.7.3 [AMO]
• ErrorZilla Mod 0.39a [AMO]
• Fancy Numbered Tabs 1.4 [AMO] R
• Flagfox 4.0.6 [AMO] R
• Force TLS 2.0 [AMO] R
• Greasemonkey 0.8.20100408.6 [AMO]
• Hostname in Title bar 1.0.7 [AMO] R
• IsAdmin 2.2 [AMO] R
• Kempelton 3.2.1 [AMO]
• LastPass 1.68.2 [AMO] R
• Mozilla Archive Format 0.19.3 [AMO] R
• MP4 Downloader 1.2.11 [AMO]
• NoScript 1.9.9.97 [AMO] R U
• OptimizeGoogle 0.78.1 [AMO] R
• Options Menu 1.8 [AMO]
• QuickDrag 2.0.2.1 [AMO]
• Read It Later 2.0.6 [AMO] R
• Screengrab 0.96.3 [AMO]
• TrashMail.net 2.0.4 [AMO]
• United States English Dictionary 4.0.0 [AMO] R
• Unlinker 1.5.3 [AMO]
• WiseStamp 1.3.6 [AMO]
• Xmarks 3.6.14 [AMO] R

Included Search Plugins:

• Citizendium R
• Google R - Updated with the new Google favicon
• Google (Linux) R
• Green Maven R
• Merriam-Webster R
• OpenStreetMap R
• Urban Dictionary R
• Webster's Dictionary R
• Wikipedia R - Overwrites the default plugin. All mine does is clean up the title by removing the "(en)".
• YouTube Video Search R

Extras:

• SumatraPDF 1.0.1
  (see: "Why SumatraPDF?")

R This feature is included in RogueSpear's release.
N This feature was recently introduced.
U This feature was recently updated.

Why SumatraPDF? SumatraPDF is a standalone extremely lightweight PDF viewer. Some of the latest infectious malware attacks have been using vulnerabilities in Adobe Reader to infect your PC — just go to the wrong site that uses a hidden frame to redirect you to a PDF file containing the exploit and your system can be exploited. Even still, SumatraPDF has an option to switch over to Adobe Reader, which ought to only be utilized once one verifies that the PDF is legitimate.


Additional Security: This installer will place a command line file, StripMyRights.exe, in your %SystemRoot%\system32 directory. All of the normal shortcuts will execute Firefox without admin rights. This is just one layer in a "defense in depth" strategy, but it's a crucial one. This is made possible by the registry entry:

Code: Select all

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="StripMyRights.exe /D /L N"

You can run Firefox without any restrictions on your account's privileges via a shortcut located in %AllUsersProfile%\Start Menu\Programs\Administrative Tools\ or by right-clicking the Start Menu and selecting "Firefox Admin."



Tips

• If you don't like SumatraPDF (or if another program takes over and you want to revert back to SumatraPDF), you can change the default action for PDF files by going into Tools->Options->Applications

(I'll add more to this section as I think of other things)



Other Versions
I probably won't put as much effort into these unless something becomes high demand. I'll rely on feedback for bugfixes.

• Web Developers - 17.7MB
  MD5: 76460a7cc6bee41b7103092a96877551
  Contains: See above + Coral IE Tab | MeasureIt | Firebug (w/Firecookie, FireDiff, FirePHP, FirePicker, SenSEO, Validator, YSlow) | Jetpack | Wappalyzer | Web Developer Toolbar | XHTML Mobile Profile
  
• Proximous - 15.9MB (info)
  MD5: d35b122206865b6325e0d389a5f896ea
  Contains: See above + IE Tab | Flashgot | Extended Copy Menu | GDirections | Linkification | Update Notifier
  
• Lightweight - 14.0MB
  MD5: d12d6e42fd8d588844319a6b81fb90f7
  Contains: Adblock Plus, Better Privacy, Cookie Monster, Customize Google, CuteMenus Classic, Download Statusbar, ErrorZilla Mod, Force TLS, Hostname in Title Bar, IsAdmin, Mozilla Archive Format, MP4 YouTube Downloader, NoScript, Options Menu, QuickDrag, Screengrab, United States English Dictionary, Unlinker, Xmarks

[dumpydooby]

20091104 - Updated LastPass. Added shortcut to Administrative Tools (for those that use Classic Start Menu and couldn't access the right-click option). Removed the default SQLite databases.

[dumpydooby]

I'm contemplating getting rid of NoScript. I think Firefox is generally safe enough without it. I'm thinking that NoScript is too much of a hassle, but it does protect against CSRF.

Anyone have any recommendations? I wouldn't mind using YesScript in conjunction with some other extension(s) that protect against the other stuff that NoScript offers.

Lemme know what you think.

[crashfly]

I would personally leave it. I use it on both my wife's computer and mine, not to mention one of the work computers I use. It is quite useful for removing all of the "crap" that website developers think you need.

(That and NoScript can run in conjunctions *with* YesScript.)

[dumpydooby]

20091105 - Updated Firefox to 3.5.5. Fixed a cosmetic bug in my installation routine.

[RogueSpear]

I'm contemplating getting rid of NoScript. I think Firefox is generally safe enough without it.

I would not contemplate web browsing without NoScript anymore. The more that I learn about javascript, the more I want to block it.

Take a moment to absorb this... let's just hypothetically say that Google Analytics somehow or another gets compromised. There's something like 40 million (estimated) web sites that have Google's javascript running. This would mean that if someone were able to compromise googleanalytics.com, they would instantly compromise all of those other websites too. Javascript does not run in a silo. Anyway, if you feel pretty confident that they won't get compromised, are you just as confident that digg or reddit or delicious won't get compromised?

[dumpydooby]

My confidence is actually that javascript won't be able to do anything worthwhile besides sabotage the look of the site. Firefox already prevents cross-domain requested-data inline transfers (e.g., silently sending this post I'm typing right now over to some scammer's house in Nigeria), which is why all XSS nowadays involve redirects, which is something that NoScript does a phenomenal job of protecting against. Firefox itself is rather safe.

The other issue I have is the UAC effect that NoScript has. Users are prompted (either actively with an ugly yellow bar, or passively with a nonfunctioning site or a warning message that javascript is turned off) to enable javascript left and right. The unintended consequence of this seems to be the conditioning of users to click to always click "allow" or "yes" or whatever when presented with a security prompt. Yes, NoScript says to exercise caution before enabling javascript on a site, but even good ol' Microsoft has the same sort of disclaimer with regards to UAC. In the end, I think it does more harm than good and can even lead to the tragic situation in which a user has a false sense of security.

I'd much rather see a version of NoScript that implements its current array of javascript-based security protections without outright blacklisting every site on the Internet until manually removed. Only allow a manual override in cases where a user wants to process a particular function that utilizes XSS or whatever.


That said, I've decided to keep NoScript in my releases. The security features it does have are unmatched by any other extension. I just really wish they'd have a release that only prompts users when nefarious activities are detected and otherwise allow all scripts on a site.

[RogueSpear]

What would be nice would be combination of efforts. First, a standard for digitally signing your code. Second, it probably wouldn't hurt to have some sort of crowd sourced mechanism a la WOT. The former option is obviously better. I just see way way too many liberties and vulnerabilities in javascript as it's implemented today. It's an amazingly powerful language, just take a look at tiddlywiki, but that power and flexibility is also what makes it so hard to rein in.

[dumpydooby]

20091112 - Updated: Flagfox 3.3.18 | Mozilla Archive Format 0.16.4 | VideoSurf Videos at a Glance 0.65

[proximous]

Thanks for keeping this so current!!!

[dumpydooby]

20091118 - Updated: NoScript 1.9.9.15, SumatraPDF 1.0 | Added: LinkExtend 1.0.6, BetterPrivacy 1.45 | Removed non-English locales from all extensions.



A few notable changes in this one:

I completely revamped my script that builds these for me so this is the first public release with the new script.

I relaxed some of the privacy settings because Firefox 3.5.5 has an option to erase all browsing history and whatnot over a period of time, and it also introduces the ability to browse in private mode (Ctrl + Shift + P).

In contrast, I also tightened up privacy from tracking cookies by adding the BetterPrivacy extension which removes so-called "super cookies" that use Flash to circumvent domain-specific cookie limitations; this technique commonly used by Google and other advertising companies to gather analytic tracking data.

I added LinkExtend to the release, which averages out data collected from Internet watchdog sites like Web-Of-Trust (WOT), as well as provide useful information like PageRank and a few other options. It comes with a toolbar that is disabled by default but might show up after an update. Let me know what you guys think of it.

Minor changes to various settings were also made. See the first post for comprehensive list of all settings employed in this release.

Despite the addition of two new extensions, the installer actually shrank by almost two 2MB because I removed the superfluous locales.

[dumpydooby]

20091119 - Updated: Hostname in Title bar 1.0.5, DownloadHelper 4.6.5

[dumpydooby]

20091121 - Bug fix: Flash wasn't installing.

Flash wasn't copying over properly in my script. Originally I was putting Flash directly in the Plug-ins directory with the idea being that if something breaks on your native version of Flash, Firefox would be unaffected because it would have its own version. While that worked as expected, my newest method of creating these installers failed to copy it over. I could fix the script, but instead I decided that it's probably better to revert to the proper way of installing Flash: with its own installer. So that's how it's done now. It caused my installer to grow a bit since its installer is already compressed, but whatever. It makes for a cleaner installation.


Update 20091130 -
I discovered that Flash is still being finicky on some systems. It's intermittent. I'll get it all fixed within a day or so. I had planned on releasing an update soon anyway.

[dumpydooby]

20091203 - Updated: NoScript 1.9.9.18, LastPass 1.62.0, SumatraPDF 1.0.1 | Bug fix: Flash Plugin should install properly now. | Changed: Xmarks config.

I now download the official Flash Mozilla extension (the XPI, not the EXE) and install it manually. So all should be working fine now. I tested it on a VM where I had removed Flash entirely. It worked as expected. Let me know if you have problems.

Xmarks Wizard now shows up on first start.
Xmarks only synchronizes when shutting down Firefox (this is to prevent the random prompts to enter your password while browsing the web, which is caused by insufficient user privileges).

[dumpydooby]

20091209 - Updated: Flash Player 10.0.42.34, Greasemonkey 0.8.20091209.4, isAdmin 2.2, Xmarks 3.4.2