Jun 14, 2007

A Whitehat Hacker

Vista Recovery Command Prompt

Did you know that the Command Prompt tool found in Vista's System Recovery Options doesn't require a User Name or Password? And that the Command Prompt provides Administrator level access to the hard drive? For multiple versions of Windows?

All you need is a Vista Install DVD and you're all set to go.
  • Just boot from the DVD and select the Repair option.
  • Then select the Command Prompt.
  • And you'll end up with an Administrator priviledged Command Prompt.
Interesting. You can find more details from Mr. Kimmo Rousku.

This kind of reminds us of a Windows XP Home feature. The Administrator account password for XP Home is blank by default and is hidden in Normal Mode. But if you select F8 during boot for Safe Mode, you can access the Administrator account and have complete access to the computer.

Physical security of your computer is paramount.

Jun 4, 2007

Magic Numbers or Snake Oil?

The Common Vulnerability Scoring System

Can a single number sum up the full significance of a security vulnerability? The CVSS attempts to prove that it can, but it has its weak points.

The Common Vulnerability Scoring System (CVSS) is a relatively new attempt at consistent vendor-independent ranking of software and system vulnerabilities. Originally a research project by the US National Infrastructure Advisory Council, the CVSS was officially launched in February 2005, and hosted publicly by the Forum for Incident Response and Security Teams (FIRST) from April 2005. By the end of 2006 it had been adopted by 31 organisations and put into operational service by 16 of these, including (significantly) the US-CERT, a primary source of vulnerability information.

The CVSS attempts to reduce the complicated multi-variable problem of security vulnerability ranking to a single numerical index in the range of 0 to 10 (maximum), that can be used in an operational context for such tasks as prioritising patching. It uses a total of 12 input variables each of which can take from two to four alternative pre-determined values. The calculation is broken into three cascaded stages, the first two of which yield visible intermediate results each of which is fed into the following stage. This three-stage process consists of an absolute Base Score calculation that describes ease of access and scale of impact, followed by a Temporal Score calculation that applies a zero to moderate negative bias depending on the current exploitability and remediation position (both of which may well change over time), and, finally, an Environmental Score calculation that is performed by end users to take into account their individual exposure landscape (target space and damage potential).

The third (Environmental) stage has the greatest influence on the final result, and without it a CVSS ranking is really only a partial index. Therefore it must be recognised that a published CVSS score is, unlike the public conception of common vendor rankings (e.g. Microsoft "Critical"), not the final answer. Of course in reality they are not final indices either. The end user should always expect to complete the ranking process by applying some kind of environmental calculation to any published index to allow for local priorities, and the task becomes very difficult where vendor-specific rankings are derived using differing proprietary methods. In the case of the CVSS, a maximal Temporal score of 10 may be reduced by the Environmental calculation even to zero, or alternatively even very low Temporal scores raised up to around 5, once the user's exposure landscape is taken into account. The second condition is significant, as, while nobody would ignore, for example, a Microsoft "Critical" rating, vulnerabilities classified as low priority by vendors could have major impact on certain users, depending on the criticality of the vulnerable systems to their specific business processes.

The Good, the Bad and the Ugly

So what are the pros and cons of the CVSS? On the positive side, it attempts to formalise and objectify the decision process applied to a very complicated problem, potentially improving consistency, both over time and across platforms, vendors and products. It is quite simple, and the input variables and their pre-determined alternative numerical values in the main appear well chosen. It is transparent in that its mechanism is publicly documented. It breaks new ground in attempting to include formal recognition of the user's all-important exposure landscape. But on the other hand, no system is better than its inputs. Choices have to be made as to which value of each variable to select, and the quality of the result depends entirely on the quality of all the choices that lead to it. These choices are externally expressed in natural language in the available calculators. Fortunately, the alternatives contributing to the Base and Temporal scores are relatively unambiguously expressed, and as these decisions will normally be made by experienced security specialists in reporting organisations, the opportunity for significant error is minimised.

However, while the inclusion of the environmental component in the calculation is one of the greatest potential strengths of CVSS, it could also prove to be its Achilles' heel. Not only does the Environmental calculation have the greatest single influence on the final score, but the values of the two variables that contribute to it (collateral damage potential and target distribution) are expressed as "low", "medium" and "high": a notoriously subjective classification system. Poor decisions here will lead to serious errors that can completely undermine the quality of the more objective earlier stages. Furthermore the techno-centric thinking of the originators of CVSS is most apparent here. The guidance notes describe these two environmental variables solely in terms of the percentage of hosts that are vulnerable and the potential for physical damage. This completely misses the point of the differing business criticality of individual systems, which cannot in the real world be assessed "off the cuff" by technical personnel alone.

How can I use the CVSS?

Given the above, how can you currently use CVSS in the real world? In its most basic application (ignoring for now the questionable Environmental parameters), the published Base or Temporal scores for the vulnerabilities in hand at any given moment should simply be sorted into descending numerical order and addressed as swiftly as possible from the top of the list downwards, whatever the actual range or absolute values of the scores. Treat it as a relative rather than an absolute ranking system and get on with the job of patching on a continuous basis. Of course the list and its order really have to be updated regularly as new bugs are announced. This is a completely different approach from the widely advocated calendar-interval regime: "patch Tuesday", "medium severity = 1 to 4 weeks", which is of course in reality patch team workload management not corporate exposure minimisation (but of course we all really know that, even if we take the easy way out in practice).

Whichever of the two you choose, it is important to be consistent in always using either the Base or Temporal score in such a simple application, and the Temporal score is to be preferred as it partially reflects whether a fix is available to be implemented. Despite the familiar tendency to bracket ratings into such categories, "critical", "medium", "low", this is not useful given the extra detail offered by the numerical scoring. How do you prioritise among a dozen simultaneous "criticals"? The quite granular numerical scoring method makes it much less likely that a significant number of vulnerabilities on your current list will have exactly the same ranking. Plus, it is a transparent system. You can often see how the score was arrived at, so you might learn something of use for the future.

At a more sophisticated level, the relationship between the Base and Temporal scores can be used to extract further guidance. If the two scores are essentially identical (within 5 per cent or so) this generally indicates that you are more exposed than if the Temporal score is lower than the Base score by ,say, 10 to 30 per cent. It means that a viable exploit exists and limited (or no) remediation is available. A bigger difference in the scores indicates that exploits are to some degree unproven or imperfect and/or that a fix at some level is available. So diverging Base and Temporal scores are a flag that the vulnerability should be reviewed to find out the new state of play, and the vulnerability may have to be moved up or down your priority list. This obviously depends on your sources of intelligence updating the Temporal scores, but supposing the information is available, somewhat better prioritisation can result.

The Environmental score, although at present primitively implemented, can be used to some extent but the existing parameters will tend to return scores on the low side in non-homogeneous environments where individual systems are business critical or where the landscape is not dominated by a small number of platforms or products. It should only be applied by newbies where too many of the Base (or Temporal) scores in the sorted list have the same value and are therefore not effectively ranked, and then only with caution, as local homework will be needed to validate the results.

Better results can be made of the Environmental score if you are prepared to redefine its input parameters to suit your business context. Selection of the appropriate collateral damage parameter must include the cost to the business of a successful exploit, not just the cost of technical damage and remediation. Choice of target distribution parameter must include the business significance of the breached asset: it may be the only server in a couple of hundred that is running a given system, but if that system is business critical the extent of the exposure is much greater than 0.5 per cent. However, unless you already have considerable detailed business intelligence at your fingertips it is probably dangerous at present to rely on the Environmental score, given its large effect on the final result. This is where we most look to the CVSS developers to improve the system. For now, environmental considerations will for the most part probably remain "seat of the pants". However, supposing revision of the Environment score calculation gets due attention, it promises to become a very powerful tool.

The way forward for the CVSS

So the CVSS has considerable potential as a simple and effective method for vulnerability ranking, but it needs further work to make it more user-friendly and to render the Environmental score more robust and meaningful. The Environmental score parameters need to be redefined to include business impact, which is something that should ideally be done by the CVSS developers rather than ad hoc by individual end users. It is likely that the Environmental score calculation will have to become more sophisticated before its true worth emerges. But from the functional perspective probably the most significant omission is that all the approved calculators currently expect the whole calculation process to be performed in a single operation by selection of the complete set of natural language parameters. None of them allow the end user simply to enter a published numerical Base or Temporal score from which to derive a local Environmental score. At this time the calculation that is most important to the end user must be done "by hand" unless an advisory happens to list the parameters used to derive the published score.

Overall, the CVSS is a relatively untried system but one which, by virtue of its transparency, potentially contains less snake oil than the closed ranking systems we are used to. We must hope that it will evolve over time into a robust universal standard: something that is much needed in this field.

See also:

The secrets of about:config

May 29, 2007 (Computerworld) Ever since its debut, Firefox has garnered a reputation for being an enormously customizable program, both through its add-on architecture and its internal settings. In fact, many of Firefox's settings aren't exposed through the Tools > Options menu; the only way to change them is to edit them manually. In this article, we'll explore some of the most useful Firefox settings that you can change on your own, and that aren't normally available through the program's graphical interface.

The closest analogy to how Firefox manages its internal settings is the Windows Registry. Each setting, or preference, is given a name and stored as a string (text), integer (number) or Boolean (true/false) value. However, Firefox doesn't keep its settings in the registry, but in a file called prefs.js. You can edit prefs.js directly, but it's often easier to change the settings through the browser window.

Type about:config in the address bar and press Enter, and you'll see all the settings currently enumerated in prefs.js, listed in alphabetical order. To narrow down the hundreds of configuration preferences to just the few you need, type a search term into the Filter: bar. (Click the Show All button or just clear the Filter: bar to get the full list back again.)

To edit a preference, double-click on the name and you'll be prompted for the new value. If you double-click on an entry that has a Boolean value, it'll just switch from true to false or vice versa; double-click again to revert to the original setting. Not all changes take effect immediately, so if you want to be absolutely certain a given change is in effect, be sure to close and reopen Firefox after making a change.

Note that not every setting in about:config exists by default. Some of them have to be created manually. If you want to add a new preference, right-click somewhere on the page and select New, then select the type of item to create (String, Integer or Boolean) and supply the name and value.

Before you begin

Here are a few caveats to keep in mind as you explore and tweak:

Not everyone will get the same benefits by enabling these tweaks. This is especially true for changing the network settings. If you habitually visit sites that don't allow a large number of connections per client, for instance, you won't see much benefit from raising the number of connections per server.

Some hacks may have a limited shelf life. With each successive release of Firefox, the need for tweaking any of the performance-related config settings (like the network settings) may dwindle as Firefox becomes more self-tuning based on feedback from real-world usage scenarios. In short, what works now may not always work in the future -- and that might not be a bad thing.

Keep a log of everything you change, or make backups. If you tweak something now and notice bizarre activity in a week, you'll want to be able to track back to what was altered and undo it. Firefox does show which about:config changes have been set manually, but this isn't always the most accurate way to find out what you changed.

To make a backup of your preferences in Firefox, just make a copy of the file prefs.js, which is kept in your Firefox profile folder. If you mess something up, you can always copy this file back in. (Be sure to shut down Firefox before making a copy of prefs.js or moving a copy back into the profile folder!)

In Windows XP, the profile folder is
\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\.default\

In Windows Vista, this folder is
\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\.default\

Note that Application Data and AppData are hidden folders by default, so they may not show up unless you force Explorer to show hidden objects. (Open the Control Panel, double-click Folder Options, select the View tab, select "Show hidden files and folders" and click OK.)

In Mac OS X, the profile folder is
/Library/Application Support/Firefox/Profiles/.default/

and in Linux it's
~/.mozilla/firefox/.default/

but on those platforms it's usually quicker simply to search for prefs.js.

Alternatively, you can use the handy Firefox Extension Backup Extension (FEBE). It backs up not only the prefs.js file but just about every other thing in Firefox -- extensions, themes, cookies, form history and so on.

Speed up page display

Some of the more recent Firefox customizations I've examined are ways to speed up the rendering of Web pages. The settings to do this are a little arcane and not terribly self-explanatory, but with a little tinkering, you can often get pages to pop up faster and waste less time redrawing themselves.

Start rendering pages faster
Creating an nglayout.initialpaint.delay integer preference lets you control how long Firefox waits before starting to render a page. If this value isn't set, Firefox defaults to 250 milliseconds, or .25 of a second. Some people report that setting it to 0 -- i.e., forcing Firefox to begin rendering immediately -- causes almost all pages to show up faster. Values as high as 50 are also pretty snappy.

Reduce the number of reflows
When Firefox is actively loading a page, it periodically reformats or "reflows" the page as it loads, based on what data has been received. Create a content.notify.interval integer preference to control the minimum number of microseconds (millionths of a second) that elapse between reflows. If it's not explicitly set, it defaults to 120000 (.12 of a second).

Too many reflows may make the browser feel sluggish, so you can increase the interval between reflows by raising this to 500000 (500,000, or 1/2 second) or even to 1000000 (1 million, or 1 second). If you set this value, be sure to also create a Boolean value called content.notify.ontimer and set it to true.

Control Firefox's 'unresponsive' time
When rendering a page, Firefox periodically runs a little faster internally to speed up the rendering process (a method Mozilla calls "tokenizing"), but at the expense of being unresponsive to user input for that length of time. If you want to set the maximum length of time any one of these unresponsive periods can be, create an integer preference called content.max.tokenizing.time.

Set this to a multiple of content.notify.interval's value, or even the same value (but higher is probably better). If you set this to something lower than content.notify.interval, the browser may respond more often to user input while pages are being rendered, but the page itself will render that much more slowly.

If you set a value for content.max.tokenizing.time, you also need to create two more Boolean values -- content.notify.ontimer and content.interrupt.parsing -- and set them both to true.

Control Firefox's 'highly responsive' time
If Firefox is rendering a page and the user performs some kind of command, like scrolling through a still-loading page, Firefox will remain more responsive to user input for a period of time. To control how long this interval is, create an integer preference called content.switch.threshold.

This is normally triple the value of content.notify.interval, but I typically set it to be the same as that value. Set it to something very low -- say, 10000 (10,000 microseconds) -- and the browser may not respond as snappily, but it may cause the rendering to complete more quickly.

If you haven't already created the Boolean values content.notify.ontimer and content.interrupt.parsing and set them both to true in conjunction with content.max.tokenizing.time, you'll need to do so to make content.switch.threshold work properly.

If you are more inclined to wait for a page to finish loading before attempting to do anything with it (like scroll through it), you can set content.max.tokenizing.time to a higher value and content.switch.threshold to a lower value to allow Firefox to finish rendering a page faster at the expense of processing user commands. On the other hand, if you're the kind of person who likes to scroll through a page and start reading it before it's done loading, you can set content.max.tokenizing.time to a lower value and content.switch.threshold to a higher one, to give you back that much more responsiveness at the cost of page-rendering speed.

Have tabbed browsing your way

Right from the start, one of Firefox's strengths has been tabbed browsing. But if the tabs don't behave quite the way you want them to by default, or you hate the way the default behaviors have changed since Firefox 1.x, the following changes will bring them in line.

Corral close buttons
The integer preference browser.tabs.closeButtons controls how the close buttons (the "X" icons) are rendered on tabs:

0: Display a close button only on the currently active tab. This is a nice way to keep from accidentally smacking into a close button for the wrong tab.

(You can press Ctrl-F4 to close only the current tab, but many mouse-centric people never bother to do this.)

1: Display close buttons on all tabs (default).

2: Don't display any close buttons; the only way to close a tab is by pressing Ctrl-F4.

3: Display one close button at the end of the tab bar (Firefox 1.x's default).

Open search results in a new tab

This one is a favorite of mine. When browser.search.openintab (a Boolean preference) is set to true, any searches launched from the Search tool bar are opened in a new tab instead of overwriting the contents of the current one. I can't tell you the number of times I mistakenly wiped out my current page before I started using this.

Note that if you launch a new browser window with Ctrl-N and perform a search there, you'll see the search results and the default home page for the new browser instance loading in separate tabs.

Open bookmark groups in new tabs
If you open a group of bookmarks at once, Firefox's default behavior is to replace any existing tabs with the newly opened pages. Set browser.tabs.loadFolderAndReplace (Boolean) to false, and opening groups of bookmarks will append new tabs to the existing window instead of overwriting existing ones.

Squeeze more tabs into the tab bar
The integer preference browser.tabs.tabMinWidth controls how narrow, in pixels, tabs can be shrunk down before scroll arrows appear on the left and right edges of the tab bar.

The default is 100, but you can set this to something smaller so you can fit more tabs in the bar at once. Note, however, that you might find the shortened titles harder to read.

In the same vein, the integer preference browser.tabs.tabClipWidth sets the minimum width, in pixels, that a tab must be in order to show a close button. This is 140 by default, so if you set this to something lower, you'll see more tabs with close buttons when the tab bar is heavily populated.

Make the user interface behave

Another big reason people hack Firefox's settings is to modify the user interface -- either to make it a little easier to do something, or to revert to a behavior that was prevalent in Version 1.x but changed in 2.0.

Get case-sensitive, in-page searches
The integer preference accessibility.typeaheadfind.casesensitive controls how Firefox's "Find as You Type" feature behaves. The default is 0 for case-insensitive searches; set it to 1 for case-sensitive matching.

Control address bar searches
You may have noticed that if you type something into Firefox's address bar that's not an address (a "keyword"), Firefox typically passes it on to Google as an "I'm Feeling Lucky" search term. The exact search engine string to use is defined in the string preference keyword.URL; if you want to change it to something else, you can simply edit this string.

For instance, to make Microsoft's Live.com the default keyword search, set this string to
http://search.live.com/results.aspx?q=

For a Yahoo search, it would be
http://search.yahoo.com/search?p=

If you want to restore the default search, use
http://www.google.com/search?ie=UTF-8&oe=
UTF-8&sourceid=navclient&gfns=1&q=

Finally, if you want to turn this address-bar keyword functionality off altogether, set the Boolean preference keyword.enabled to false.

Note that with Google, the more generic the keyword, the less likely it is to be used as an "I'm Feeling Lucky" search -- although what constitutes "generic" isn't always clear. For instance, typing "clean" into the address bar returns a generic Google search page, but "sideways" takes me to the Internet Movie Database entry for the movie of that name (the "I'm Feeling Lucky" result). Your mileage will almost certainly vary.

Select just a word
The Boolean preference layout.word_select.eat_space_to_next_word governs one of Firefox's tiny, but for me incredibly annoying, little behaviors. When you double-click on a word in a Web page to select it, Firefox automatically includes the space after the word. Most of the time I don't want that; I just want the selection to stop at the end of the word. Setting this to false will defeat that behavior.

Select a word and its punctuation
Somewhat contrarily, if you double-click a word that's next to any kind of punctuation mark, Firefox defaults to selecting only the word itself, not its adjacent punctuation. Set the Boolean preference layout.word_select.stop_at_punctuation to false to select the word and its adjacent punctuation.

Get Alt-hotkey shortcuts back
One minor change in Firefox 2 was the way in which form elements on a Web page had hotkey bindings assigned to them. In Firefox 1.x, when a Web page assigned a hotkey to a form element, you pressed Alt-hotkey to access it. In Version 2.x, this was changed to Alt-Shift-hotkey. To revert to the original 1.x behavior, set the integer preference ui.key.contentAccess to 4. This is useful if you have, for instance, a Web-based interface you spend a lot of time in, and use Alt-key bindings to do things quickly in that particular page.

Note that one possible consequence of setting this back to the old behavior is that Alt-key bindings on a Web page can now override the default key sequences for the program itself (such as Alt-S for History), but you can always get around this by tapping Alt to activate the menu and then tapping the program hotkey in question.

Change scrollbar behavior
By default, clicking in the empty areas of the Firefox window's scrollbar will simply cause the view to move up or down one page. You can change this behavior by creating a Boolean preference called ui.scrollToClick and setting its value to true. Now clicking in a scrollbar will cause the view to jump directly to that point in the page (basically the same as dragging the scrollbar to that position).

Get click-and-hold context menus back (for Macs only)
If you want to restore the classic click-and-hold context-menu behavior on the Macintosh, edit or create the Boolean preference ui.click_hold_context_menus and set it to true.

Hack network connections

The very first batch of Firefox hacks I learned about was how to override its network defaults. Some of Firefox's out-of-the-box settings for how it deals with network connections are fairly conservative, probably because Firefox has no way of knowing what kind of network it's using (dial-up vs. broadband, etc.). If you have a network that readily supports multiple simultaneous connections, you can make a number of changes to Firefox to take advantage of that.

But proceed with caution. If Firefox's network settings are set too aggressively, they can lead you to being blacklisted for a short time by a given remote server. And you should certainly get permission from the IT department before attempting this kind of hack in a corporate environment. Regardless, moderation is the key. For the most part, I find that setting the network settings to absurdly high numbers does not accomplish much of anything; it helps to ramp them up a bit, but generally not much more than that.

Maximize connections to multiple servers
The integer preference network.http.max-connections controls how many simultaneous network connections Firefox will make at any one time to any number of Web servers. One typical way this pays off is if you have Firefox set to load multiple home pages in different tabs at once, or if you access pages that aggregate contents from several different servers (for instance, multiple advertising systems).

By default, this is set to 24, which should work well for most network connections, but you can raise it to 32 and see if that has any effect. (I've seen people raise this as high as 64, but anything above 32 doesn't seem to provide much discernible payoff.)

Maximize connections to the same server
The integer preference network.http.max-connections-per-server controls how many separate connections Firefox makes to the same server, which allows multiple elements in a page to be downloaded in parallel. Normally, this is set to 8, but some people choose to set it as high as 16.

Note, however, that some Web servers will block you if you try to establish more than 8 inbound connections, typically as a bandwidth-protection or antileeching measure -- this is the kind of behavior also exhibited by download managers that try to use as many "slots" as possible to speed things up, and many server admins hate that sort of thing. Also, if you're on a connection that's not fast to begin with (e.g., slow ISDN or dial-up), changing this setting will have no discernible effect, and may in fact slow things down.

Bump up persistent connections per server
Firefox keeps persistent connections to a server "alive" to improve performance: Instead of simply sending the results of one request and then closing, they're held open so that multiple requests can pass back and forth. This means a little less network traffic overall, since a connection to a given server has to be set up only once, instead of once for each separate piece of content; it also means successive connections to the same server go through faster.

The integer preference network.http.max-persistent-connections-per-server controls the number of persistent connections allowed per server. By default, this is set to 2, although some servers will honor a higher number of persistent connections (for instance, if there's a lot of content from their site that loads in parallel, like images or the contents of frames). You probably only want to go as high as 8 with this; more than that may cause a server to temporarily blacklist your IP address depending on how it's configured. (If you're going through a proxy defined by Firefox, use network.http.max-persistent-connections-per-proxy instead of this setting.)

Reduce the interval between persistent connections
If you've already used up all the persistent server connections described in the above setting and Firefox needs to make more connections, the integer setting network.http.request.max-start-delay governs how long to wait before attempting to open new connections. This helps if Firefox's persistent-connection limit has been used up by a number of long downloads, and the browser needs to queue a shorter download on top of that.

Most people set this to 0 (in seconds), with the default being 10. Note that this does not override connection limits imposed by remote hosts, so its usefulness is limited by the whim of the server you're connecting to.

Turn on pipelining
The Boolean preference network.http.pipelining enables an experimental acceleration technique called "pipelining," which speeds up the loading of most Web pages. A browser normally waits for some acknowledgment of a given request from a server before attempting to send another one to that server; pipelining sends multiple requests at once without waiting for responses one at a time.

If you turn this on (that is, set its value to true), also be sure to create or edit the integer preference network.http.pipelining.maxrequests, which controls the maximum number of requests that can be pipelined at once. 16 should do it; some people go as high as 128 but there's not much evidence it'll help. (If you use a proxy, set network.http.proxy.pipelining to true as well.)

Note that not every Web server honors pipelining requests correctly, which is why this feature is turned off by default and still considered experimental. Some sites may behave strangely if you submit pipelined requests.

Stop memory hogging

The default way the Windows version of Firefox consumes memory can be alarming if you don't know what's really going on. People routinely report a memory "footprint" of 75MB to 100MB or more with only a few windows or tabs open, and they assume a memory leak is to blame. While earlier versions of Firefox did have memory leak bugs, they're not the reason for this kind of memory consumption in Firefox 2.x.

Here's what's happening: Firefox caches recently used objects -- Web pages, images -- in memory so that they can be re-rendered on-screen quickly, which drives up memory usage. The following tweaks can make Firefox stake out memory less aggressively. (Note, however, that lightening the memory load might make your pages load a bit more slowly than you're used to.)

Reduce graphics caching
When the Boolean preference browser.cache.memory.enable is enabled (the default), Firefox keeps copies of all graphical elements from the current browsing session in memory for faster rendering. You can set this to false to free up more memory, but pages in your history will reload less quickly when you revisit them.

Another option: Set the value to true and create a new integer preference called browser.cache.memory.capacity. Then specify, in kilobytes, how much memory to set aside for graphics caching. That way you get some of the speed benefits that graphics caching provides without taking a huge memory hit. If you use -1 as the memory value, Firefox will size the memory cache based on how much physical RAM is present.

Reduce Web page caching
Firefox caches several recently visited Web pages in memory so they don't have to be regenerated when you press Back or Forward. The integer setting browser.sessionhistory.max_total_viewers determines how many individual Web pages to store in the back/forward cache; each page takes about 4MB (or 4,000KB) of RAM.

By default, however, this value is set to -1, which determines how many pages to cache from the amount of available physical memory; the maximum number of pages stored when you use -1 is 8. Set this value to 0 to disable page caching entirely. That will save some memory, but will also cause Back and Forward navigation to slow down a bit.

Note that this caching is not the same as browser.cache.memory.enable: That setting is for rendering elements on pages like graphics and buttons, and the contents of https-encoded pages, while this setting is for caching the text content of Web pages that have already been rendered or "tokenized."

Swap out to disk memory when minimized (Windows only)
A little-known feature in Firefox allows the Windows memory manager to swap out some of Firefox's physical memory space to disk when Firefox is minimized but not closed. This allows other programs to use the physical memory that Firefox was previously monopolizing.

By default, this feature is turned off, for two reasons: 1) PC memory is generally more plentiful than it used to be, so it makes sense to use it if it's available, and 2) swapping Firefox's memory out to disk will slow the program down when it's restored.

That said, if you run Firefox side by side with other memory-hungry applications, it might help keep them from competing with each other. To enable this feature, create a new Boolean preference called config.trim_on_minimize and set its value to true.

Got your own about:config tweaks to share? Add them to the Comments area at the bottom of the page. If you've got the itch to learn more about about:config settings, MozillaZine's about:config entries wiki is a great source of information.

Serdar Yegulalp writes about Windows and related technologies for a number of different publications, including his own Windows Insight blog.