
Firefox application is set to auto-update.


Overview

Finding ID: V-19741
Version: DTBF080
Rule ID: SV-21887r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible.
STIG: Mozilla FireFox
Date: 2014-07-03

Details

Check Text ( C-24187r2_chk )
Type "about:config" in the browser window. Verify that

1. The preference "app.update.enabled" is set to "false" and locked, or

2. If "app.update.enabled" is set to "true", the preferences "app.update.url", "app.update.url.details" and "app.update.url.manual" contain URLs that point to a trusted server and are not the default setting. (The default would contain mozilla.com or mozilla.org.)


Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
Fix Text (F-20414r3_fix)
Ensure the preference "app.update.enabled" is set and locked to the value of "false", or that a trusted server is used.