Will NoScript stop recently discovered SVG Keylogger

mcgyver5 · Post by **mcgyver5** » Fri Jan 06, 2012 6:45 pm

A recent CNET article http://download.cnet.com/8301-2007_4-57 ... ?tag=mncol
about a Keylogger attack via a browser SVG flaw mentions NoScript but seems to indicate that NoScript would not stop this.

I have "Block every object coming from a site marked as untrusted" checked. Wouldn't this prevent SVG objects?

Post by **therube** » Fri Jan 06, 2012 9:42 pm

Looks like the board mangled the link.
Lets see if this sticks ...

Keylogging threat could lead to more attacks, say researchers

or

http://download.cnet.com/8301-2007_4-57353483-12/keylogging-threat-could-lead-to-more-attacks-say-researchers/

Yep.
And yep again.

Post by **therube** » Fri Jan 06, 2012 9:47 pm

Interesting.

"The basic premise of my research currently is scriptless attacks, meaning attack vectors working in a post-XSS world," Heiderich said in an e-mail. He defined a "post-XSS" world as one where the cross-site scripting attack had been more or less minimized by technologies like sandboxed iFrames, Mozilla's e-mail client Thunderbird and Firefox's Content Security Policy, the JavaScript blocking browser add-on NoScript, and Windows 8.

And if done, then it makes the web far more dangerous.
At present, you've got to think that for the average badguy, JavaScript is just too easy to go scriptless.
In any case, you know scriptless will come, just a matter of time & cost/benefit to the badguys.

If NoScript blocks SVG (don't know if it does?), if SVG is considered an Embedding, where Forbid other plugins would cover it, then you could be protected in that respect?

mcgyver5 · Post by **mcgyver5** » Fri Jan 06, 2012 10:02 pm

thanks, I fixed the link. When I check "Block Every object coming from a site marked as untrusted", all SVG elements on pages are blocked, as far as I can tell...

Post by **Giorgio Maone** » Sat Jan 07, 2012 4:22 pm

NoScript has been providing specific protection against this kind of attack since before it was revealed:

Code: Select all

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
  .mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Post by **GµårÐïåñ** » Sun Jan 08, 2012 4:33 am

As Giorgio already pointed out, this is already moot and has been for a while. Unless a POC showing currently it can defeat NS, we are in the clear. Hence why people should beware on Chrome and such browsers WITHOUT NoScript.

Post by **Tom T.** » Sun Jan 08, 2012 10:04 am

GµårÐïåñ wrote:... Hence why people should beware on Chrome and such browsers WITHOUT NoScript.

Thank you for pointing that out. I'll add it to the "Chrome vs. Fx + NS" thread.

Post by **GµårÐïåñ** » Tue Jan 10, 2012 2:24 am

Tom T. wrote:Thank you for pointing that out. I'll add it to the "Chrome vs. Fx + NS" thread.

Pile it on baby ....

Post by **Tom T.** » Tue Jan 10, 2012 3:20 am

I should have linked that thread for anyone watching this one.

http://forums.informaction.com/viewtopi ... =19&t=7727

My addition that you inspired.

And catch the one right above it, from info Giorgio linked to in the "NS Sightings" topic.

InformAction Forums

Will NoScript stop recently discovered SVG Keylogger

Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger

Re: Will NoScript stop recently discovered SVG Keylogger