The way I had been using NoScript was: disallow JavaScript by default on every new web page, then, after I came to the conclusion that the website was legitimate, whitelist it. Now comes a report from a security researcher that even well-known websites from reputable publishers may spread malware.
http://research.zscaler.com/2011/05/gee ... t-kit.html
That is troubling. The threat can be mitigated by making sure to keep everything updated all the time, so that any known vulnerabilities are patched.
But it raises the question of whether JavaScript is simply too risky and should be turned off everywhere. However, some websites are simply broken without JavaScript. Ideally web pages should "fail gracefully" when viewed with JS off, but quite often it's an "all-or-nothing" thing.
Scary
Re: Scary
> even well-known websites from reputable publishers may spread malware
Of course. Could be anywhere, even here. They get hacked, a malicious ad, whatever.
> Javascript ... should be turned off everywhere
That works. Except for a very select few sites, it's off.
> some websites are simply broken without Javascript
True. But you get to know, or get a feel, when you'll need to allow something.
> web pages should "fail gracefully"
Ah, utopia. But then they'd just code malware to not need JavaScript. Would be harder, but they would still do it.
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Scary
From http://research.zscaler.com/2011/05/gee ... t-kit.html :

> The malicious Iframe redirects victims to a malicious website hosting an exploit kit.

I've bolded the relevant quote from the article you linked, cocoapuff. Allowing geek.com would not have let the exploit through. In this case, you're sufficiently protected by using a fully patched Firefox (and maybe operating system too?) or by not allowing malicious third-party domains. This issue is an example of why I warn people off blindly using Allow or Temporarily Allow all this page.
Re: Scary
Alan Baxter wrote:
> Allowing geek.com would not have let the exploit through.

Thank you for this important clarification. I hope I haven't offended il dottore Maone by implying that I use NoScript just as a dumb toggle to turn JavaScript off/on; I realize it's much, much more powerful than that.
Re: Scary
You're welcome. I think I use my NoScript permissions pretty much like therube described above. If I need to allow JavaScript to activate some of the features I need on a trusted site, I'll manually Allow it to use JavaScript without any worry. If it's a site I visit often, I'll Allow it permanently.
I do not advise checking NoScript Options > General > Temporarily allow top-level sites by default. Some sites are hacked in such a way that you're redirected to a malicious top-level site. Many of the fake AV sites are spread that way. I also keep my system and applications up to date with security patches. This will prevent most exploits from working even if they ever happen to get through somehow.
Re: Scary
Alan Baxter wrote:
> Some sites are hacked in such a way that you're redirected to a malicious top-level site.

Now, that is worrying. Do you think that the SeaMonkey 'Warn me when websites try to redirect or reload the page' feature can combat that somewhat (using NoScript as well, of course)?
Re: Scary
Do you have NoScript Options > General > Temporarily allow top-level sites by default enabled?
If not, then unless you happen to have the particular domain allowed which it redirected to (& presumably you would not), then it shouldn't be a concern.
The redirect block could be effective - for other reasons.
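Added illustration, not part of this thread and not NoScript's own code: a small JavaScript model of a per-domain script whitelist. It covers both Alan Baxter's point that allowing geek.com would not have allowed the injected third-party iframe host, and the later point (Alan Baxter and therube) that "Temporarily allow top-level sites by default" auto-allows whatever site a redirect lands you on. The hostnames ending in `.example`, the page composition, and the two-label base-domain helper are assumptions made for this example; real NoScript uses a public-suffix list and richer matching rules.

```javascript
// Added example, not NoScript's code: a toy per-domain script policy that
// models the two behaviours discussed in the thread. Hostnames ending in
// ".example" are placeholders invented for this illustration.

// Simplified "base domain" helper: keep the last two labels of a hostname.
// NoScript proper consults a public-suffix list; this stand-in is enough
// for the hosts used below (assumption).
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// A policy is a set of permanently whitelisted base domains plus the
// "Temporarily allow top-level sites by default" switch.
function makePolicy({ allowed = [], allowTopLevelByDefault = false } = {}) {
  return {
    permanent: new Set(allowed.map(baseDomain)),
    allowTopLevelByDefault,
  };
}

// Decide which script-bearing origins on a page may run.
//   topLevel: hostname of the document actually displayed (after any redirect)
//   origins:  hostnames of <script>/<iframe> sources found on that page
// Returns { allowed: [...], blocked: [...] } in input order.
function evaluate(policy, topLevel, origins) {
  const effective = new Set(policy.permanent);
  if (policy.allowTopLevelByDefault) {
    // The risky part: whatever site you land on is trusted on arrival.
    effective.add(baseDomain(topLevel));
  }
  const allowed = [];
  const blocked = [];
  for (const host of origins) {
    (effective.has(baseDomain(host)) ? allowed : blocked).push(host);
  }
  return { allowed, blocked };
}

// Scenarios from the thread, with constructed inputs.
function runScenarios() {
  // A hacked geek.com page: its own scripts plus an injected iframe whose
  // src points at a third-party exploit-kit host (placeholder name).
  const hackedPage = ["www.geek.com", "cdn.geek.com", "exploit-kit.example"];

  // 1. geek.com whitelisted, default-deny otherwise: the injected host is blocked.
  const strict = makePolicy({ allowed: ["geek.com"] });
  const whitelistedOnly = evaluate(strict, "www.geek.com", hackedPage);

  // 2. The injected iframe redirected the whole tab to a fake-AV site
  //    (placeholder name), which is now the top-level site.
  const landing = "fakeav.example";
  const redirectStrict = evaluate(strict, landing, [landing]);

  // 3. Same redirect with "Temporarily allow top-level sites by default" on:
  //    the malicious landing site is allowed automatically.
  const lax = makePolicy({ allowed: ["geek.com"], allowTopLevelByDefault: true });
  const redirectTopLevelDefault = evaluate(lax, landing, [landing]);

  return { whitelistedOnly, redirectStrict, redirectTopLevelDefault };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Scenario 1 is the geek.com case: the page's own scripts run, the injected iframe host does not, so a whitelist entry for the publisher alone is not what lets an exploit kit in. Scenarios 2 and 3 differ only in the top-level-by-default switch, which is exactly the setting the thread warns against: with it off, the redirect target is just another unlisted domain; with it on, it becomes trusted the moment the redirect completes.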