java, javascript, and flash as security risks

I have recently added noscript to my firefox browser. If I correctly understand what it does, noscript stops javascript from operating on each website you visit (unless you authorize for that site).

Using it for a few weeks now, it is making me think a bit about some things which I realize I don't understand very well. For example, what is the difference between java, javascript, and flash from a browser security standpoint?

The Opera browser gives you the choice to enable/disable:
GIF/SVG animation
Sound in webpages
Java
Plugins
Javascript
referrer logging

Whew! What does all this mean?

I know that the most secure computer is one that is unplugged, but the browsing sure is slow. So each browser needs to find a compromise between unplugged and wide open that makes browsing a workable, yet as secure as may be practical, experience. I don't visit ersatz/porno sites, but these days it is very easy for crackers to set up a poisoned site that looks very legit and may be hosted at a first class ISP.

Does anyone know of one or more tutorials or extended discussions covering this? Anyone have a quick summary? TIA

 

Just to answer some points, Java is Sun Java which comprises applets or little programs giving functionality on a website. Java script is quite different but is widely used by web sites (and malware exploits!), it is not as dangerous as Sun Java and it can be quite limiting on some sites if you do not allow it.

Flash Player by Macromedia (now adobe) is an Active X component, it should be safe in itself but allowing Active X in general can be risky.

Plugins is more of a generic term for these little add-on programs that add function to the browser.

The Referrer is a heading that can be transmitted when you click in a site to go to another site. It isn't a security problem and is needed in some sites, but could have privacy considerations in some circumstances (by passing on info about the site you have just come from).

I can't say much about Firefox I'm afraid 'cos I only use IE; but if you block Active X, Java, vbs script and Java script through your browser you greatly limit the possibility of being exploited.

 

@ TopperID

When you said (it is not as dangerous as Sun Java) i think you meant it the other way round, that Sun Java is not as potentially dangerous as MS Javascript/Active scripting.

Regards,


StevieO

 

Probably, but Java applets have the potential to do more and have been regularly exploited on old versions of Java, but just now there seem to be a lot of exploits relying on Java script - but perhaps that is because Java script is more commonly used for correct functioning of sites?

 

VBS script, so one more new thing for me to learn though I have heard it before. How u compare it to JS and how to disable it in Opear and FF?
Has it something to do with Windows Scripting Host?

Thanks

 

Hello,

Saying that java is more / less dangerous than javascript is simply wrong. Any programing language can do anything, within the limitation of operation system it runs on.

Furthermore, (sun) java is perceived less dangerous than javascript because the (sun) java client on Windows runs with reduced privileges ... that does not mean that code is benign. It can be very pristine or very malicious. But it will do what the system tells it do. Just like same malware on limited user account will do less damage or not run at all, regardless of what the code says. The same applies for Linux etc.

Java, javascript and flash are not security risks. Programs that render the commands in these languages / formats are. A secure browser will be less likely to compromise the system based on the input it gets.

Since browsers are never likely to be 100% secure, you have the extensions that allow these plugins to be disabled.

Mrk

 

Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone
Article here.

A new tool too dangerous to give away can turn any PC - Windows, Mac, Linux - or any device with a browser into a site attacker. The tool, called Jikto, is a Web application scanner that searches for cross-site scripting vulnerabilities. Billy Hoffman, a security researcher with SPI Dynamics, demonstrated what the tool could do at the ShmooCon hacker convention March 24. Namely, Jikto, which is written in JavaScript, can surreptitiously latch onto a browser that has JavaScript enabled.

After silently inserting itself to run inside any browser - be it that of a PC, a cell phone - Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.

It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread via latching onto visiting browsers. This is something that JavaScript wasn't supposed to be able to do, but unfortunately, Hoffman said, it can.

A very good reason to be careful where you surf, and to have NoScript w/FF- which I do!

-- Tom