Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Guide to Hardening Your Firefox Browser in OS X

Silver padlock in the shape of apple logo


Your Mac systems and software might be safe – until they connect to the Internet. Here are some tips for Firefox hardening in OS X.

While many enterprises and end-users turn to Apple over Windows based on Apple’s reputation for security, there is little doubt that the web is the primary point of infection for most Macs. Just a few years ago, using a Mac might have helped users avoid being targeted. But today, with the emergence of advanced persistent threats and highly-skilled, well-funded attack teams, the OS X environment is no longer safer than any other endpoint, especially through its browser.

Most enterprises have strong endpoint security strategy, but the traditional antivirus tools and routine security patching can’t stop custom malware and zero-day attacks that have not been previously detected. These types of attacks are increasingly becoming the norm and companies can’t train users to simply stay away from them - many infections are being carried by well-known, legitimate websites, and some don’t require users to open an attachment when they are compromised.

If enterprises are going to prevent – or at least mitigate – the threats posed by today’s attackers, careful consideration should be given to hardening the browser itself to reduce the likelihood of compromise from web-based attacks. Bishop Fox researchers have recently published a guide for hardening the Firefox browser for Mac users. This guide outlines experience-based advice designed to reduce your browser’s attack surface and lessen the effects of zero-day exploits.

Here are a few key points to keep in mind when considering OS X browser security:

1. Reduce your attack surface.

No matter which browser you choose, it will come with some vulnerabilities out of the box. Consider disabling plugins that users don’t need along with advertising networks that might carry malware.

2. Use browser extensions.

Some extensions can greatly improve device security. Some can even reconfigure the browser to report itself as a different version of OS, causing attackers to deploy the wrong exploit.

3. Limit the scope of potential damage.

Consider using sandboxing tools to isolate the browser from the rest of the OS X operating environment so that if an infection does occur, it will be kept in quarantine.

4. Train users to change their browsing habits.

Once you’ve hardened your browser, ensure that users only enter the web through the hardened version at all times. Teaching your Mac users to keep their passwords safe, and avoid using public Wi-Fi networks without a VPN can also reduce your risk of being infected.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Carl Livitt

About the author, Carl Livitt

Bishop Fox Alumnus

Carl Livitt is a Bishop Fox alumnus. He was a Principal Researcher at Bishop Fox with decades of experience in mobile and application security, hardware and embedded devices, reverse engineering, and global-scale penetration testing.

Carl is credited with the discovery of many vulnerabilities within both commercial and open-source software. He was brought in as a third-party expert to lead the team that confirmed several security issues with St. Jude Medical implantable devices. His work eventually led to an official communication from the FDA.

Carl has served as a contributing author to Hacking Exposed Web Applications 3rd Edition as well as a technical advisor for Network Security Assessment 1st Edition. He has been interviewed on NPR and quoted in publications including USA Today and eWeek. Carl co-authored the iOS reverse engineering framework iSpy, which was featured at Black Hat USA's Tools Arsenal.

More by Carl

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.