Tom T. wrote:This is what surprises me. Yahoo, etc. allow a third-party ad to run scripts under Yahoo's permission? I hate to say this, but then how can NoScript possibly protect us if trusted sites will run third-party code in their own name? *Every* site we trust could do this, so... ??
Exactly, this is why the site issued an apology because it was their job to vet the code as safe before putting up as their own code and serving it to trusting people. Unfortunately NoScript cannot do anything about this because when the parent is whitelisted, and the code is served by them, NS has no reason to doubt it and block anything.
If you'll pardon my saying so, that is idiotic behavior on the part of Yahoo et al. They are risking their good name on unknown code, often supplied by an advertising agency, perhaps not directly from the advertiser but furnished by the evil site, or directly from badsite.com, but either way, a site that large can't possibly vet everything. Yahoo currently has relationships with more than 50 advertising agencies
, plus whatever companies work directly with Yahoo and not through an agency. I trusted Yahoo *alone* and trusted NoScript to block all other parties on that page.
That is when having some good rules in ABE would protect you despite it all.
I know Giorgio has much on his plate, but it would be beautiful if he, or you, or someone could write a generic guide to ABE rules that *all* reasonably-aware users can follow, even if they are not programmers, just telling them what to look for and how to write the corresponding rule. That would be a great addition to NoScript FAQ
and a sticky on this forum.
Also having something like RequestPolicy
would mitigate some of this because it blocks individual links to outside even within a trusted page, its an explicit 1->1 permission, otherwise???
Shortly after RequestPolicy
appeared, I e-mailed Justin and asked if an F2-friendly version was in the works. He was non-committal, but now that F2 is deprecated, obviously that's not going to happen. So another reason I'll have to ditch my neat, clean functional browser for the crayon-and-coloring-book one.
But if RP is *required* to fill in gaps like the above, that NS can't block, shouldn't NS subsume RP's functions into its own? So many users trust NoScript, and don't know that they *also* need RP for these "trusted" sites that hand out their names and permissions so freely. Just asking.
Tom T. wrote:I don't understand how or why innoshot is allowed to inherit Yahoo's permissions. If true, then Yahoo is not at all trustworthy. And neither are Google or Ask. And apparently, either Bing, Lycos, etc. are more careful, or because their audience is smaller, innoshot did not attempt this technique on them.
Bingo, this is why despite trusting any site, I ABE its components or RP them to make sure at no time they can suddenly grow a brain, be stupid and allow something that could hurt me just because I trusted them. I trust but take precaution, that's the best practice. <snip> trust everyone but trust no one, you know what the contradiction in that statement means.
AHA! One of my extra precautions is to run the browser 100% sandboxed. The *sole* exception is to get updates from the (presumably trustworty) MZ updates, as with NoScript updates. So *how could this infection have escaped the sandbox", which is emptied every time I close the browser, which is very frequently. IIRC, I closed and re-opened the browser several times while successfully reproducing the issue.
And why would it spontaneously disappear from my machine and not from Montagar's?
it might have a life cycle expiration to keep it under the radar and unnoticed, like a hit and run type of metamorphic worm.
Why would mine have a different expiration? ... well, I guess we don't know when each of us picked this up, if that is in fact what happened. But it seems that Montagar's would have run its course by now.
In all fairness, NoScript more than likely would have protected you even IF the script managed to access something. Because most likely it will need scripting of some kind unless its a pure post function and NS would have crippled it. The only part that is unnerving is that it could even be there somehow, that's all. Its like a thief getting into your place but not being able to crack the safe. You didn't lose anything but it feels bad that someone even got that close.
Yes, I pretty much figured that, and have seen no signs of malware on the machine; no programs attempting to access the Internet, and I just did another thorough AV scan, with negative results.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20081217 Firefox/126.96.36.199