InformAction Forums

The way I had been using NoScript was, disallow Javascript by default on every new web page. Then, after I come to the conclusion that the website is legitimate, whitelist it. Now comes a report from a security researcher that even well-known websites from reputable publishers may spread malware.

http://research.zscaler.com/2011/05/gee ... t-kit.html

That is troubling. The threat can be mitigated by making sure to keep everything updated all the time, so that any known vulnerabilities are patched.

But it raises the question whether Javascript is simply too risky and should be turned off everywhere. However, some websites are simply broken without Javascript. Ideally web pages should "fail gracefully" when viewed with JS off, but quite often it's an "all-or-nothing" thing.

> even well-known websites from reputable publishers may spread malware

Of course. Could be anywhere, even here. They get hacked, a malicious ad, whatever.

> Javascript ... should be turned off everywhere

That works. Except for a very select few sites, it's off.

> some websites are simply broken without Javascript

True. But you get to know, or get a feel, when you'll need to allow something.

> web pages should "fail gracefully"

Ah, utopia. But then they'd just code malware to not need JavaScript. Would be harder, but they would still do it.

From http://research.zscaler.com/2011/05/gee ... t-kit.html

The malicious Iframe redirects victims to a malicious website hosting an exploit kit.

I've bolded the relevant quote from the article you linked, cocoapuff. Allowing geek.com would not have let the exploit through. In this case, you're sufficiently protected by using a fully patched Firefox (and maybe operating system too?) or not allowing malicious third-party domains. This issue is an example of why I warn people off blindly Allow or Temporarily Allow all this page.

Alan Baxter wrote:Allowing geek.com would not have let the exploit through.

Thank you for this important clarification. I hope I hadn't offended il dottore Maone by implying that I use NoScript just as a dumb toggle to turn Javascript off/on, I realize it's much, much more powerful than that.

You're welcome. I think I use my NoScript permissions pretty much like therube described above. If I need to allow javascript to activate some of the features I need on a trusted site, I'll manually Allow it to use javascript without any worry. If it's a site a visit often, I'll Allow it permanently.

I do not advise checking NoScript Options > General > Temporarily allow top-level sites by default. Some sites are hacked in such a way that you're redirected to a malicious top-level site. Many of the fake av sites are spread that way. I also keep my system and applications up to date with security patches. This will prevent most exploits from working even if they ever happen to get through somehow.

Alan Baxter wrote:Some sites are hacked in such a way that you're redirected to a malicious top-level site.

Now, that is worrying. Do you think that the SeaMonkey 'Warn me when websites try to redirect or reload the page' feature can combat that somewhat (using NoScript as well of course).

Do you have NoScript Options > General > Temporarily allow top-level sites by default enabled?
If not, then unless you happen to have the particular domain allowed which it redirected to (& presumably you would not), then it shouldn't be a concern.

The redirect block could be effective - for other reasons.