Drive-by exploits

Discussion in 'other security issues & news' started by moontan, Apr 6, 2012.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    are there any other browser vulnerabilities besides JavaScript, Flash and Java?

    seems to me that since the browser is the most vulnerable it should be the first line of defense against nasties.

    thoughts?
  2. Scoobs72

    Scoobs72 Registered Member

  3. moontan

    moontan Registered Member

    right...

    which means NoScript does not protect against all of this.

    tnx m8.

    food for thought.
  4. moontan

    moontan Registered Member

    i think i'll switch to Chrome and ScriptNo.

    i don't like ScriptNo as much as NoScript but Chrome has a sandbox.
    can't wait for Firefox to have a sandbox.
  5. TonyW

    TonyW Registered Member

    Not only that, but if you whitelist a site in NoScript as one you trust to allow scripts to run and it gets compromised, then NoScript is no help then either...
  6. Cudni

    Cudni Global Moderator

    from http://noscript.net/faq#qa1_11

    > You may ask, what if site I really trust gets compromised? Will I get infected as well because I've got it in my whitelist, ending to sue as you said?
    > No, you won't, most probably. When a respectable site gets compromised, 99.9% of the times malicious scripts are still hosted on a different domain which is likely not in your whitelist, and gets just included by the pages you trust. Since NoScript blocks 3rd party scripts which have not been explicitly whitelisted themselves, you're still safe, with the additional benefit of an early warning :)

    and controlling JavaScript is simply another layer of protection, so for the 0.01% when NoScript doesn't help with a malicious script, other layers (AV, OS) should and do help.
  7. TonyW

    TonyW Registered Member

    It goes without saying that various protection layers, including the ones you mentioned, go a long way to keep one safe. :)
  8. TheWindBringeth

    TheWindBringeth Registered Member

    What is the logic behind that "99.9% of the time malicious scripts are still hosted on a different domain"? If a hacker is able to modify what is served up to your browser when you visit this compromised site, why would they not serve up the malicious scripts from that same site?
  9. moontan

    moontan Registered Member

    because the bad stuff that comes from other sites is mostly embedded in advertisements, from what i can tell.

    it's easier to hack an ad than a specific web site.
    and more productive as well, because with that one infected ad you can contaminate many websites.
  10. Baserk

    Baserk Registered Member

    ^^I'd assume that when Maone wrote 'When a respectable site gets compromised, 99.9% of the times malicious scripts are still hosted on a different domain', he means an ad server was hacked and not the actual website itself. So when you only allow the main site and not all the other domains offering non-essential garbage/ads, you're OK.
    I could be wrong though, and as with a recent case in NL where the most popular news site itself was hacked and readers were treated to a banking trojan, NoScript wouldn't offer any consolation.

    edit; Note to self; write faster than moontan.
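    The whitelist rule quoted from the NoScript FAQ above, and the ad-server scenario Baserk and moontan describe, as an added toy model (example code, not the thread's own and not NoScript's code): a script runs only if the domain it is served from is itself whitelisted, so a trusted page that includes a script from an unlisted ad domain does not extend its trust to it, while a script injected directly into the trusted page does run. All domain names are constructed placeholders, and the base-domain helper is a simplification that ignores the Public Suffix List.

```javascript
// Reduce a hostname to its registrable site (last two labels). Simplified:
// a real implementation would consult the Public Suffix List.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Would one <script> element run under the whitelist?
// pageUrl: the document being viewed; script: {src} (no src means inline).
function scriptAllowed(pageUrl, script, whitelist) {
  const pageSite = baseDomain(new URL(pageUrl).hostname);
  const allowed = new Set(whitelist.map(baseDomain));
  if (!allowed.has(pageSite)) return false;   // untrusted page: nothing runs
  if (!script.src) return true;               // inline script on a trusted page
  // Resolve relative / protocol-relative src against the page URL.
  const scriptSite = baseDomain(new URL(script.src, pageUrl).hostname);
  return allowed.has(scriptSite);             // third party must be whitelisted itself
}

// Apply the rule to every script on a page and return the verdicts.
function evaluatePage(pageUrl, scripts, whitelist) {
  return scripts.map((s) => ({
    src: s.src || "(inline)",
    verdict: scriptAllowed(pageUrl, s, whitelist) ? "allow" : "block",
  }));
}

// Constructed scenario: a trusted news site whose pages pull in scripts from
// an ad network (the "different domain" case) and also carry an inline script
// (the case where the site itself was modified, which the rule cannot catch).
const WHITELIST = ["news.example", "static.news.example"];
const SCRIPTS = [
  { src: "https://static.news.example/app.js" },  // first-party CDN, whitelisted
  { src: "https://ads.adnetwork.test/serve.js" },  // third party, not whitelisted
  { src: "//cdn.adnetwork.test/tag.js" },          // protocol-relative third party
  {},                                              // inline script in the page itself
];

console.log(JSON.stringify(evaluatePage("https://news.example/article", SCRIPTS, WHITELIST), null, 2));
```

    The inline entry is the case Baserk raises: once the trusted site's own pages are modified, a whitelist on domains has nothing left to block.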
  11. moontan

    moontan Registered Member

    Baserk:
    hahaha! :D
  12. TheWindBringeth

    TheWindBringeth Registered Member

    OK, I was thinking a straight-up direct compromise of the target site itself. I get the third-party context.

    http://play.typeracer.com/
  13. trismegistos

    trismegistos Registered Member

    If you look on those lists, many are XSS (Cross-Site Scripting) and JavaScript redirects.

    Otherwise, it still can protect. Most of these exploits on the browser side would still rely on scripting to cause memory corruption in order to run arbitrary code...

    For e.g. an exploit targeting this vulnerability http://www.mozilla.org/security/announce/2010/mfsa2010-19.html or the Mozilla Foundation Security Advisory 2010-19 Dangling pointer vulnerability in nsPluginArray would still require scripting. And so their suggested workaround was to disable scripting.

    ... And so NoScript would definitely help. Exceptions would be fonts and parsing vulnerabilities like, e.g., the various image parsing vulnerabilities like JPG or SVG exploits, which all have been patched. WMF image and embedded font vulnerabilities are mostly Windows or system based. These exploits would be able to push the payload even if you globally disable scripting and uninstall plugins. And these types of non-script-based exploits are mostly served from scripting redirections from other domains, thus NoScript would still definitely help. Sandboxing, memory corruption protections (EMET) and AE/SRP/AppLocker/HIPS all provide additional layers. 99% of the time, these payloads are executables and so are easily blocked.
    Last edited: Apr 7, 2012
  14. BrandiCandi

    BrandiCandi Guest

    To add to what trismegistos said, here's a snippet from the NoScript FAQ page:

    I'm always dubious of any security feature that claims to be "bullet-proof," but I think the point here is that NoScript doesn't just blindly trust even the whitelisted sites.
  15. tlu

    tlu Registered Member

    To add to what BrandiCandi said, here's a snippet from the NoScript features site:

    That's very important, and I think that many people are not aware of it.
  16. tlu

    tlu Registered Member

    I forgot to mention another important aspect from the same link above:

    This means that by default only suspicious patterns coming from other sites (even if they are whitelisted) are checked. However, if you set that value to 3 even suspicious patterns from the same site are checked, which is, e.g., relevant for forums where a posting can contain such code.
  17. moontan

    moontan Registered Member

    tnx everybody for the inputs! :thumb: