Does EMET = no need for NoScript?

I'm trying out EMET (Enhanced Mitigation Experience toolkit). I've set it to block Java exploits. Do you think I could get rid of NoScript? Using NoScript is a bit of a pain but I absolutely can't bear the feeling of surfing the internet and allowing whatever javascript I run across to do whatever it wants. I've run into too many Click Jackers lately. Also I've had to fix too many of my friends computers because they caught a virus.

 

If you remove NoScript, what will you do about Flash/Silverlight, IFrames, webbugs and cross site scripting, amongst other things? Also,How will you differentiate between trusted and untrusted sites?

EMET is a useful adjunct for security, but it doesn't replace Noscript in firefox.

 

Hey you guys, could you please tell me the benefits and the asspains of using NoScript? Plus is there a version for Chrome?

Thanks!

 

personally, i think NoScript is a PITA.
it's a kind of HIPS for java script.

yeah, i think there's something similar for Chrome, it's called Not Script or somesuch.

 

What setting is that ?

 

Thanks mate!

 

Add the executables from Java to the protected applications list

 

Most browsers interpretate the javascript through their own engine, EMET-ing Java does not add protection. It is confusing though Javascript, Java, Java 2 Enterpise Edition, etc.

 

Thanks for the answer. I'll definitely keep it. Like I said, I feel naked without it.

NotScript in Chrome is a very poor copy of NoScript. With NoScript you can control each java element on a page individually. With NotScript all you can do is enable or disable java for the whole page. That's why I'm so stuck on Firefox.

I also use Web of Trust. It shows me on the search page if a site is unrtustworthy. I just don't go there.

 

Java; Javascript

Obviously, adding Java under EMET protection won't prevent web-based attacks that need javascript enabled.

To prevent attacks via web browser, add the web browser process under EMET protection. Considering you use Firefox, also add the plugin-container.exe which handles plugins in Firefox.

To make life even harder to the attacks keep NoScript.

 

These are exe's you configure in emet to add java. Posts 8 & 9.

https://www.wilderssecurity.com/showthread.php?t=284143

 

But, that will only mitigate Java exploits, not javascript. Yes, add Java as mentioned; but, keep NoScript, because it allows you to control javascript, among other things.

-edit-

Considering you're using Firefox, regarding plugins like Adobe Flash Player, you only need to add plugin-container.exe to EMET, which will handle Flash Player.

 

When you run your browser (e.g. IE8 or Chrome) in protected mode AND protect it with EMET2 and use TrendMrico Browser Guard (for javascript containment) and 1806 trick (in IE8/9), I have not been able to breach this. PS I am willing to test any javascript based exploit written by Giorgio only not using Firefox

This article may be old, but still a nice read. http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/

 

Java and Javascript are 2 different things....don't get confused over that.

Whether or not you 'need' NoScript is hard for anyone to judge...you've got to decide that on your own. As far as I'm concerned, there are 3 different school of thoughts (or 'camps') on the matter:

1. Those who find it redundant in terms of 'security' aspects when put into practice. Wladimir Palant is one of them.

http://adblockplus.org/blog/usability-vs-security
http://adblockplus.org/blog/blacklists-whitelists-and-security

2. Those who find it essential or highly recommend it for 'security' purposes. Of course, Giorgio Maone is one of those.

There was this thread where the 2 of them 'debated' upon this issue. You can look at it starting from this post:

https://www.wilderssecurity.com/showpost.php?p=961785&postcount=3

3. Those who use it for purposes other than (or apart from) security. These are the ones that acknowledge it's usefulness and yet realize it's not an end cure for everything. They don't necessarily think it's a 'must-have' for security but recommend it for those who're willing to gain a bit of control for whatever reasons thinkable. I believe our member, Mrkvonic is one of those.

http://www.dedoimedo.com/computers/noscript-use.html
http://ask-leo.com/is_javascript_dangerous.html

I have also written a (long) post to clear some NoScript misconceptions here:
https://www.wilderssecurity.com/showpost.php?p=1812239&postcount=35

In short, the answer lies within you.

As for EMET, plain and simple - it's useful so keep it if you want (recommended). However, it doesn't serve as a direct replacement for NoScript or any other JavaScript (and other stuffs) blocking capabilities within any browser or any add-on for the matter. Right....I'm including Chrome, IE, and Opera here too in this list...

 

Not really a misconception. I guess it depends on how someone views it.

I view it from this angle: Unless the user* knows which domains/URLs should be white-listed at a given moment, and here I'll be merely focusing on javascript, then I'm pretty much sure everything will be white-listed, before the user decides not to want it any longer.
I've tried that avenue in the past with relatives and friends, when I made them run Firefox with NoScript ~3 years ago.
I must confess that I never really looked at it to see its full potential, but all I really cared, within the context it was needed for, was for javascript.
They always had to have a trial and error approach with it, so that they could white-list javascript for trusted domains. In the end, 99% of times they would end up enabling javascript for every domain in NoScript.

That's why I mentioned the word placebo in the thread you mentioned, in my quoted comment.

Which is why I soon started to look for something that would actually prevent attacks relying or not on javascript to be enabled, without breaking web browsing experience; this meant javascript to be fully enabled, only preventing attacks relying on it and other type of attacks, as well.

* I'm speaking in general terms, obviously.

 

If you are concerned with this, maybe some research into how Rmus does things would give you yet another option.

Sul.