New Net Threat: Infectious Web pages

ARTICLE

 

I guess if one would allow javascripts for a web site once and it after that got infected it would beat Firefox+noscript extension? Or does the article refer to other things than javascripts?
That is one reason why one should keep a layered defense with a decent firewall that can handle all the leaktests, AV and maybe one HIPS or CIPS...

 

Hello,
If you're using Firefox, you can just relax.
And if you're using Linux, you can start relaxing other people.
Mrk

 

lol, ok I´ll keep my pants on then

 

Use "Temporary allow"

 

Yeah I mostly do that if the page has something I want and it demands JS enabled, but not here at wilders and a few other pages I visit regulary that need JS to function. So if wilders where hacked the way explained in the article I guess, at least in theory, it could happen..?

 

Hello,
You don't need JS to use Wilders...
Mrk

 

That is true, unless I want to use the editing functions when writing posts. But thats why I permanently allow some very frequently visited sites, to do the extra stuff.

 

That's true but I run Opera with js disabled and allow on a site by site basis, but a hell of a lot of sites ar almost unworkable without js, links don't work, content missing etc

 

Hello,
In my experience, only about 1-2% of websites require JS to function properly, and usually, they are inferior sites, content and design wise.
Mrk

 

I have Script Defender as a warning for .JS and .JSE-files. Is that enough dear experts ?

 

I dont know if it is something Opera specific but it is very rare when using Firefox + noscript that you need to have JS allowed to get the information you want. Maybe some ads or other irrelevant content dissapear, nothing important, but then again I am not a big fan of sites (or rather web designers) that need alot of bells and whistles to make them selves heard. That usually indicates that they dont have anything worth while to offer in the first place.

 

Remember, SD doesn't monitor web-embedded .js files which are interpreted directly by the browser.

SD looks just at those on the HD that you d-click on.

Blocking web-embedded scripts has to be done by the browser.

I think this was discussed in another thread recently...

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

OK. In that case I only have to disable Java and JavaScript in Firefox.

 

I think u need not worry. DefenceWall will protect from browser related scripts.

 

See this thread

 

I have read it before but it,s mostly above my level.
Well I do have an idea that XSS will not be prevented by a sandbox( am I right?) but the question is " Should I be worried?"
My answer for myself-- probabaly not.
BTW I don,t know of any good measure aginst XSS so far ( software-wise).
Any inputs?

BTW I stand corected as Eric asked about JS etc( not about XSS) versus ScriptDefender and I think in the presence of DW, script defender is not needed. ScriptDefender will not protect against XSS as well. Correct?

 

Script Defender (and similar tools) will only protect against scripts interpreted by the Windows Scripting Host. It's ineffective against scripts embedded in other files (this trick doesn't affect Wormguard) and scripts interpreted by the browser (Wormguard is ineffective here too).
The best measure against XSS is NoScript. Firekeeper may help too.

 

What about other browsers, like Opera?

 

Opera and IE both have per-site security settings similar to the NoScript Firefox extension: Opera calls them "Site Preferences", IE calls them "Zones".
Anyway, they're far from being as well designed, usable and tested as NoScript.

Furthermore, they don't offer any protection against XSS targeting your JavaScript enabled sites, so they're almost useless from a security standpoint.

Specific anti-XSS protection on the client side is a feature you can find only in NoScript, AFAIK.

 

https://www.wilderssecurity.com/showpost.php?p=1002745&postcount=41

Mike