Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 11:22 am
by Ramona
Apologies : search did not work out - words too common, can't search on numbers : bad search system :(

The question : what is the appropriate version of Noscript for installation on Windows 98 with Firefox 2.0.0.20 (latest FF version on that platform) ? Where do I fetch the NS installer, please ?

This is to install noscript on a computer which won't take a "better (?)" OS, and yes I'm aware of the security problems and how to treat them - arguably Win 9x is more secure on the net than NT-based versions, not less - despite typical MS-talk ;=)

Muchas gracias

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 11:39 am
by dhouwn
AFAIK, NoScript is still compatible with Firefox 2 (albeit there are some known issues and some features are not available) and this is likely not going to change till the next major version.

But may I ask why you are not switching over to a Linux-based operating system instead? If someone wanted to launch a targeted attack on you, it likely would be plain sailing for him.

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 1:10 pm
by Ramona
dhouwn wrote: AFAIK, NoScript is still compatible with Firefox 2 (albeit there are some known issues and some features are not available)
Oh, good thing. Naturally I prefer to have the latest, when applicable.
dhouwn wrote: But may I ask why you are not switching over to a Linux-based operating system instead?
This box is for someone who wants Windows. Myself I do run several Linuces both native and in VMs.
dhouwn wrote: If someone wanted to launch a targeted attack on you, it likely would be plain sailing for him.
How so ? Win 98 does not by default run services with open ports. In addition, the box is on a home LAN with NAT. An attacker would have to remotely "pwn" my modem-router, not an easy deal. As for malware my local user might grab from the web or catch in emails, and try to execute locally, I've set it up with Avast. I've run similar Win 9x machines for years without any problems whatsoever (and without even an on-access scanner. But then I think I know better than to run random "things").

Thanks muchos for the tip ...

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 1:49 pm
by Guest
... forgot to add - but this is getting off topic anyway -

what most people have in mind when speaking of Windows 9x insecurities really is more about MSIE unpatched bugs. We don't use IE (used to only for Windows updates, but there are no more) and OE only in text mode, which doesn't use the HTML renderer. Furthermore, I have updated the critical IE6 DLLs to the latest versions for Windows 2000, yes it does work ;=)

Frankly I think this Windows 98 is more secure than many Vistas and Sevens out there :=)

Cheers

--
Ramona

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 3:26 pm
by Giorgio Maone
For the record, I had to mark 1.9.9.96 incompatible with Firefox <= 3.5 in order to better cope with a ClearClick regression involving older Firefox versions, and pushed out 1.9.9.97 immediately with the compatibility flags back to Fx >= 1.5.0.6.
@Ramona: can you confirm you got successfully updated to 1.9.9.97?

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 4:27 pm
by dhouwn
Ramona wrote: How so ?
Most current versions of software do not run on operating systems that aren't supported anymore. Running outdated software on an outdated platform is not a good idea from a security-wise standpoint. Firefox 2 has unpatched, gaping security holes and runs on Windows 9x with full rights (equivalent to an admin/root user on a multi-user OS), not to mention that DOS-based Windows don't offer any protection layer à la DEP/PaX.
Ramona wrote: In addition, the box is on a home LAN with NAT. An attacker would have to remotely "pwn" my modem-router, not an easy deal.
NAT never was meant as a security feature and different implementations offer a different "security gain" as a byproduct: http://hackademix.net/2010/01/08/nat-pinning-and-abe/
Ramona wrote: As for malware my local user might grab from the web or catch in emails, and try to execute locally, I've set it up with Avast.
Signature-based malware detection tools wouldn't protect in case of a targeted attack.

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 4:34 pm
by Alan Baxter
Giorgio Maone wrote: For the record, I had to mark 1.9.9.96 incompatible with Firefox <= 3.5 in order to better cope with a ClearClick regression involving older Firefox versions, and pushed out 1.9.9.97 immediately with the compatibility flags back to Fx >= 1.5.0.6. @Ramona: can you confirm you got successfully updated to 1.9.9.97?
As a test, I just now successfully installed NoScript 1.9.9.97 from AMO into a default Fx 2.0.0.20 profile. According to the AMO page, NoScript 1.9.9.97 "Works with Firefox 1.5 - 3.7a6pre".

Re: Noscript version for FF 2.0.0.20 ?

Posted: Fri Jun 25, 2010 11:46 pm
by Tom T.
@ Giorgio: As some people know, I continue to prefer Fx 2.0.0.20, for reasons not relevant to this topic, though I have the latest Fx available when desired.
I confirm that 1.9.9.97 installed easily on Fx2, and seems to run fine, although that is on Win XP SP2. Can't speak for 98 -- that machine died a few years ago, else I'd have kept it.

@ dhouwn: The fact that something wasn't *meant* as a security tool does not prevent it from having security benefits. NAT routers do indeed offer significant benefit OOB, and most can be configured to offer even more security (block UPnP, block WAN-side ping, etc., etc.). The fact that it isn't *complete* security (*nothing* is) doesn't alter the benefits. The same can be said of the HOSTS file: it wasn't *meant* as a security feature, but it certainly can be used to augment security (and block annoyances).

I doubt that there are very many evildoers out there writing exploits for Win 98. Why aim at 0.03 % of the market instead of 30-90+% (depending on whether your attack is specific to XP, Vista, or 7 versus it works on all of them)?

Just some mitigating comments. I'm not recommending running unsupported OSs or sw. (Do as I say, not as I do... and use multiple layers of defense, anyway.)

Re: Noscript version for FF 2.0.0.20 ?

Posted: Sat Jun 26, 2010 9:57 am
by Ramona
@Giorgio: confirmed, NoScript 1.9.9.97 downloaded from your site and installed successfully to FF 2.0.0.20 on Windows 98 SE.

Best and thank you very very much ! :=)


@ others : we could go on discussing Windows (in)security for weeks, but this forum and thread don't seem to be the most appropriate place for it. Regarding the OS itself I'll add only one small remark which is not often noted : unlike NT derivatives, Win 9x is a hybrid 32/16 bit system, and fact is many system calls end up in 16-bit DLLs. Now the important point isn't about 16 versus 32, it's about segmented versus the terrible so-called flat model that allows rather easy exploitation of flaws like buffer overflows. In a Windows 16-bit DLL, even if the stack is overwritten there is no way for instructions to be executed from there... as there are simply no available code selectors. People who have been praising the flat model simply haven't got a clue. As for DEP and similar, they are only workarounds and not so efficient, at that. Just my 2 centavos...

--
Ramona

Re: Noscript version for FF 2.0.0.20 ?

Posted: Sat Jun 26, 2010 10:50 pm
by Tom T.
@ Ramona: Giorgio Maone did in fact generously create an off-topic forum, "Security", so if you do wish to share any thoughts there, feel free.