NoJava

General discussion about the NoScript extension for Firefox
`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

NoJava

Post by `nar » Sun May 17, 2009 9:11 am

Maybe what we need is a more general form of NoScript. One that can protect across browsers, anything that runs Java. Too bad it really isn't "Java" per se. But after seeing this: http://www.pcworld.com/businesscenter/article/165031/pdf_flaw_patched_but_does_anybody_know.html I wonder if we can protect Adobe Reader somehow. Or just convince people they don't need Adobe and just use Foxit, I do. Why do we need Java embedded in Adobe Reader anyway? I was wondering why that silly program has gotten so bloated.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Giorgio Maone
Site Admin
Posts: 8769
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoJava

Post by Giorgio Maone » Sun May 17, 2009 9:26 am

Well, at least as long as you run NoScript (even better with NoScript Options|Plugins|Apply these restrictions to trusted sites as well) you don't risk being pwned by a rogue and silent PDF while browsing the web.
Yes, you can always screw yourself by opening the wrong email attachment, but you surely have more control over that...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: NoJava

Post by `nar » Sun May 17, 2009 10:09 am

I think just disabling Java in the Adobe Reader is the best answer. But in response to you, if I apply those restrictions to trusted sites, why trust them in the first place? Simple scripting still works but no "plugins?" Isn't it usually the plugins that people want to see in the first place, such as video? Maybe drop-downs and other moving page elements I suppose. Those could be script or CSS, right? Steve Gibson made a big deal about coding his site to not require scripting a while back. www.grc.com But that's getting off topic now.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Giorgio Maone
Site Admin
Posts: 8769
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoJava

Post by Giorgio Maone » Sun May 17, 2009 12:17 pm

`nar wrote: I think just disabling Java in the Adobe Reader is the best answer.

Generally speaking, no, it's not.

`nar wrote: But in response to you, if I apply those restrictions to trusted sites, why trust them in the first place? Simple scripting still works but no "plugins?" Isn't it usually the plugins that people want to see in the first place, such as video?

Yes, but NoScript gets you to choose which video clip you want to run, one by one (clicking on its placeholder and having a chance to verify its URL and content type).
This means that if a site you trust gets compromised by a (fairly commonplace) SQL injection attack, even in the remote case (never seen in the wild yet) that the malicious JavaScript is entirely hosted on-site, it cannot exploit plugin vulnerabilities for privilege escalation and/or heap spraying.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
