Blanket Blocking of window.eval using Surrogates ?

[ashrc4]

http://www.dslreports.com/forum/r261313 ... loits-Dead

heads up on suggestion from thread.

"If you use NoScript, you protect yourself a great deal. However there is one small case that it won't protect you. Say for example you accidentally execute a script that contains malicious and obfuscated code? You're screwed aren't you?

Many Javascript exploits use eval() to execute data like it was code. This in itself is an vulnerability because there are countless ways to encode executable code, to make it difficult for security software to detect (ignoring the fact that blacklisting is not the best idea).

The solution is to make eval unavailable to websites. I use the following Firefox configuration setting to do this. Open about:config (type it in the address bar) and create the following settings as strings:
noscript.surrogate.noeval.replacement
The value should then be:
window.eval = null;document.eval=null;
You also need the setting noscript.surrogate.noeval.sources to be:
@^http://[a-z]+[^/]+\.[a-z]+(?:/|$)
I believe this states what kind of URLs in which the surrogate will be placed.
You also need the setting noscript.surrogate.noeval.exceptions but this is empty unless you want some websites to run eval."

Hope it's of some use.
ash

[therube]

(I split this as I was going to ask about it [here] anyhow [from the post at dslreports].)

Comments?

I have no clue, but my feeling would be that if it were necessary, wanted, something like this would be defaulted, & since it is not, then the danger is minor. Plus thinking that it would be apt to break legitimate functions.