Discussion in 'other anti-malware software' started by ronjor, Jul 1, 2015.
Hm, that site writes:
While I generally agree to keep the list of whitelisted sites as short as possible that quoted assertion is a bit overblown because:
Nevertheless the whole story is another evidence why the scope-based approach in uMatrix is clearly superior: If you allow, e.g., googleapis.com in the domain-specific scope for xyz.com, it remains blocked for all other sites. This reduces the attack surface considerably.
If you're also using anti-exploit tools, then this isn't really a big deal.
What anti-exploit tools? Could you elaborate?
If user doesn't want the default whitelist in NoScript then place this line into your prefs.js file located in the
browser profile folder.
All other entries (e.g.) about:addons, about:memory, etc. with this line:
Now you should see no entries listed in NoScript's Whitelist.
Meh, remove them all and start your own... end of story.
First the "Phone home" story and now this, it is definitely worrisome signs and an indicator on the direction NoScript seems to be heading. On the subject which one offers a better security, well that's still debatable since many claim that uMatrix and the likes are just a replacement of NoScript's most basic features and nothing more. (Anti-XSS, ABE, Clickjacking, XSLT etc)
I no longer use NoScript...
Sorry, I forgot to reply. But I was talking about tools like MBAE and HMPA, who are designed specifically to block exploits. I wouldn't rely on script-blockers like NoScript for the simple reason that they will always break stuff. You're better off with tools like Adblock Plus and Ghostery, they will block most third party trackers and ads, that are often used in exploit attacks, so called "malvertising".
Thanks! I see this differently, though. Most sites which I open are sites which I visit frequently. It's no problem to configure my blocker (uMatrix) to not break them. Otherwise I prefer a default-deny policy as ABP and Ghostery are using lists that cannot be comprehensive enough by all means. And blocking unknown/new threats at their root is better than relying on 3rd party tools, IMHO.
Ghostery and AdBlock Plus also break stuff, just not as harshly as NoScript or Request Policy/UBlock Origin do... if an addon doesn't break something along the line, then it's not being utilised to its full potential (similar to the saying, "unused RAM is wasted RAM"). It all comes down to how hands-on you wish to be and how much trust you place in the stuff you use...
Ghostery and AdBlock Plus - bottom of the barrel, good enough for the novice...
NoScript, Request Policy, UBlock Origin - more for the hands-on user...
EDIT: seriously, who uses default whitelists nowadays... with all the addons people are installing, using VPNs, getting hooked on anti-x programs... and then to leave a default whitelist untouched? Come on... drop the ball much?
Yes correct. But as soon as you browse to other sites than your favorites, it will start to become annoying, especially to "normal" users. The only reason why I'm using script-blockers is for speed, not for security. Because at some point, you will always have to allow some script to run, just to make stuff work. That's why I said that you can rather rely on anti-exploit tools.
Correct, but you can't compare them with script-blockers, who will block all third party scripts (depending on configuration), and break a whole lot more. And weeks ago, a couple of popular Dutch news sites (that I visit every day), were serving malware, guess what, I didn't notice a thing (I was using FF), even without running any anti-exploit tool. This means that ABP and Ghostery most likely took care of the problem.
"most likely" is a strong phrase... especially in 2015...
NoScript Tip: Check the white-listed sites listing (by ghacks)
OK...so it looks that it shouldn't be scary due to explanation in NoScript's FAQ...
An interesting find on NS forum
BTW...an interesting thread and interesting ideas because I'm "long-time user" of NS which is for me the most important Firefox's addon.
A good reminder to check against whatever one white-list.
As I stated in my post,
The point of my post was to explain at a basic level how script injection works and why programs like EMET and MBAE are irrelevant in terms of script control.
I'm not sure what you mean with that. But to clarify, I'm using an old version of both FF and Flash, and my security tools also didn't alert about a thing. So the chance is quite big that ABP and/or Ghostery took care of the problem.
I wasn't talking about attacks like XSS, I was talking about scripts that are being used to exploit browser vulnerabilities. When it comes to "malvertising" then ABP and Ghostery will do the trick. When it comes to malicious scripts trying to corrupt browser memory in order to make it execute malicious apps, then you can choose between more "aggressive" script-blockers like NoScript, or you can simply use anti-exploit tools, without having to worry about breaking web-pages.
Separate names with a comma.