Will NoScript stop recently discovered SVG Keylogger
Posted: Fri Jan 06, 2012 6:45 pm
by mcgyver5
A recent CNET article (http://download.cnet.com/8301-2007_4-57 ... ?tag=mncol) about a Keylogger attack via a browser SVG flaw mentions NoScript but seems to indicate that NoScript would not stop this.
I have "Block every object coming from a site marked as untrusted" checked. Wouldn't this prevent SVG objects?
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Fri Jan 06, 2012 9:42 pm
by therube
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Fri Jan 06, 2012 9:47 pm
by therube
Interesting.
"The basic premise of my research currently is scriptless attacks, meaning attack vectors working in a post-XSS world," Heiderich said in an e-mail. He defined a "post-XSS" world as one where the cross-site scripting attack had been more or less minimized by technologies like sandboxed iFrames, Mozilla's e-mail client Thunderbird and Firefox's Content Security Policy, the JavaScript blocking browser add-on NoScript, and Windows 8.
And if done, then it makes the web far more dangerous.
At present, you've got to think that for the average badguy, JavaScript is just too easy to go scriptless.
In any case, you know scriptless will come, just a matter of time & cost/benefit to the badguys.
If NoScript blocks SVG (don't know if it does?), if SVG is considered an Embedding, where Forbid other plugins would cover it, then you could be protected in that respect?
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Fri Jan 06, 2012 10:02 pm
by mcgyver5
Thanks, I fixed the link. When I check "Block Every object coming from a site marked as untrusted", all SVG elements on pages are blocked, as far as I can tell...
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Sat Jan 07, 2012 4:22 pm
by Giorgio Maone
NoScript has been providing specific protection against this kind of attack since before it was revealed:
v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Sun Jan 08, 2012 4:33 am
by GµårÐïåñ
As Giorgio already pointed out, this is already moot and has been for a while. Unless a POC shows that it can currently defeat NS, we are in the clear. Hence why people should beware on Chrome and such browsers WITHOUT NoScript.
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Sun Jan 08, 2012 10:04 am
by Tom T.
GµårÐïåñ wrote:... Hence why people should beware on Chrome and such browsers WITHOUT NoScript.
Thank you for pointing that out. I'll add it to the "Chrome vs. Fx + NS" thread.
Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Tue Jan 10, 2012 2:24 am
by GµårÐïåñ
Tom T. wrote:Thank you for pointing that out. I'll add it to the "Chrome vs. Fx + NS" thread.

Pile it on baby ....

Re: Will NoScript stop recently discovered SVG Keylogger
Posted: Tue Jan 10, 2012 3:20 am
by Tom T.
I should have linked that thread for anyone watching this one.
http://forums.informaction.com/viewtopi ... =19&t=7727
My addition that you inspired.
And catch the one right above it, from info Giorgio linked to in the "NS Sightings" topic.
