Browser scope security tab

Discussion in 'other security issues & news' started by Kees1958, Nov 18, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Attached Files:

    Last edited: Nov 18, 2010
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    tkx

    noscript enabled

    18-11-2010 11-24-06.png

    noscript disabled

    18-11-2010 11-40-05.png
     
    Last edited: Nov 18, 2010
  3. katio

    katio Guest

    Doesn't work without JS? To all NoScript haters: it's still useful even if put into global allow...
     
  4. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    does work without JS, is just the difference in the security score for FF, whilst Chrome does not have NoScript and scores higher
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I can't run it with javascript blocked. I press the icon on the security test page, and nothing happens. I guess javascript is needed in order to run the test.
     
  6. katio

    katio Guest

    Well I tried with firefox and noscript (not whitelisted) and the tests don't work for me at all...
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    me bad - 1st screen noscript enabled (as add-on) and temp allowed that page = score 15/17, 2nd screen noscript disabled (as add-on) = score 12/17
     
  8. tlu

    tlu Guest

    Yes, you have to allow js for the site. The 15/17 score applies to the situation where scripts are globally allowed in Noscript. See also http://hackademix.net/2010/11/13/browserscope-update/
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am just opposing the nonsense the author tells at his website "Noscript makes the safest browser even more safe"

    When you are happy with Noscript, stay happy and keep on using it. No problem, but remember what the author did some time ago http://www.neowin.net/news/war-between-adblock-plus-and-noscript-money-on-the-table when he was using the (now closed backdoor in FF) reason https://bugzilla.mozilla.org/show_bug.cgi?id=519357 and fix https://developer.mozilla.org/en/Migrating_raw_components_to_add-ons explanation http://blog.mozilla.com/security/2009/11/16/component-directory-lockdown-new-in-firefox-3-6/
     
    Last edited: Nov 21, 2010
  10. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    :thumb: concur. this drive by sample https://www.wilderssecurity.com/showthread.php?t=287120 happens even with NoScript. as long as the basic security concept of FF is not improved, such as sandboxing and thread isolation for tabs/add-ons, there is little NoScript can do. it tells a lot about a browser being in need of such add-on at all
     
    Last edited: Nov 21, 2010
  11. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    That's just a link, has got nothing to do with JavaScript, it'll only prompt for download if you click the link, same happens with Chrome or any other browser.
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Chrome would download it - true - that after a download confirmation box gets displayed, but in FF it would get executed (as shown in the screen shot there), if no proper countermeasure in place. Bet that a lot of FF users do not know about NoScript, giving up after a short while as too invasive to their browsing habits, trouble to fine grain all the NoScript options. Another point is that any site being white-listed in NoScript can become poisoned with malicious code, in which case NoScript renders useless.
     
    Last edited: Nov 21, 2010
  13. katio

    katio Guest

    The correct quote is "There's a browser safer than Firefox... ...it is Firefox, with NoScript!". I didn't find anything where he was saying Firefox was the safest browser. And even if he did, he'd surely only have written that before Chrome was released.

    I remember but I'm not unforgiving. Everyone screws up eventually. He made a big mistake but admitted it and since then he's continued to earn my and a lot of other users' trust again. Please read his full reply if you haven't:
    http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

    This isn't a drive by, it's a Trojan. Executing that means you don't have the least clue of security and deserve everything you get. And exactly the same would happen in every other default browser configuration.
    I agree that there's a need to improve the Firefox codebase. I'm pretty unhappy with mozilla's priorities:
    However your judgment of what NoScript can do is blatant nonsense. Please check how many exploits (real browser exploits not Trojans) are stopped by NoScript vs how many exploits are there that don't require scripting or plugins. Regarding your last comment: Chrome got NotScripts, so?
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    and that would be the majority of the internet users today

    download gets executed in FF without user interaction, it does not in Chrome or Opera. it even commences the download in FF without consent, not so in Chrome or Opera.

    how many?

    so what? bare Chrome is safer than FF with NoScript. for any white listed site in NoScript become infected NoScript would be useless. NotScript for Chrome might not live very long if the Chrome dev keeping up the pace of fixes and new security measures. And neither would NoScript for FF, if the dev of the latter would focus more on the core security of the browser.
     
    Last edited: Nov 21, 2010
  15. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    No it won't, first it needs JavaScript, second there is a download prompt:

    prompt.PNG
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    what is the point in that? any browser with JS off will not be downloading it.

    disable flashget. then you will get a persistent JS box generated by the webpage, which will only go away when clicked ok to download (that is new, before the download would just commence when clicking the image - see also OP in the other thread) - so far all the same in any browser. now any other browser would ask download confirmation, but in FF does too with the exception that the download just commences (without user interaction - not pressed the SAVE FILE button) and it is even tried to open the file instead of saving

    19-11-2010 20-32-02.png
     
    Last edited: Nov 21, 2010
  17. katio

    katio Guest

    http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
    only counting critical vulns since 3.6.4 we have 29 in total
    19 would definitely be blocked by an enforced NoScript. Most likely quite a few more but that would require looking into it in more detail (for example "memory corruption" or "miscellaneous memory safety hazards" which doesn't tell me right away if it depends on plugins/JS).
    The only vulns that are definitely not blocked nor mitigated by NoScript are the dll loading issue (thanks MS for sloppy coding^h^h^h backwards compatibility). I consider that one not so critical as it's more of a local/lan attack (remote code execution would need to be staged which minimises its effect, i.e. zip file containing dll and html, then the user needs to be tricked to open that html). Second vuln that caught my eye was a buffer overflow in libpng (=not mozilla's code and not the first of its kind). A sandbox is the best security against these kinds of exploits but EMET should take care of it as well.

    Opinions. Nothing more unless you give me something more.

    Anyway apart from security No(t)Script has its uses. For devs, malware research, privacy or simply to extend battery life...
     
  18. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    You said:

    It will start downloading in temp folder(that's the way FF works) but it won't open it unless you tell it to.
     
  19. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    @ KATIO

    you are making the point perfectly - if the FF dev would not be so sloppy about the browser security there would be no need for something like NoScript (security features). it is no use in the case described here and may plant a false sense of security or being hip by using FF with NoScript. It is for the browser vendor to implement proper security in the first place.

    the thread is about security not about whether No(t)Scripts benefits devs, malware research, privacy or simple to extend battery life...
     
    Last edited: Nov 21, 2010
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    that behavior allows the file to enter the system even prior consented (pressing the SAVE FILE button) by the user
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    IMO, Firefox extensions are the main reason why Mozilla developers won't implement serious security boundaries to Firefox. If users don't complain, why should they bother?

    For example, would it be so damn hard to provide the equivalent to IE Protected Mode?

    The same way for Opera. For too long, stuff like it's the most secure really freaked me out. Let it be the main browser from night to day, and we'll all see how secure it really is.
     
  22. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    I disabled Flashgot and I now get this:

    secondtry.PNG


    When you press "Cancel", it'll be deleted.
     
  23. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    until then the file is being delivered to your system
     
  24. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Neither should be sandboxing and tabs/extension isolation as in Chrome. But you are right, as long as the FF user believes to use a safe browser there will be no change. perhaps only a decline of the global user base would make them change focus, yet I do not see this going to happen
     
  25. katio

    katio Guest

    I don't know how you conduct the test but that's how it looks here with a fresh install of 3.6.12, no NoScript, no extensions
    http://i55.tinypic.com/2hcgpqe.png
    http://i56.tinypic.com/b9byq1.png
    http://i54.tinypic.com/rbldu0.png
    It won't be executed until you manually open the download folder and double click on the exe.

    @vtol
    You don't NEED NoScript in order to use Firefox safely.
    Those security vulnerabilities offer a possible way to attack Firefox, "memory hazards" for example _may_ result in a buffer overflow but who says it will result in reliable code execution with ASLR, DEP and so on and not just crash the browser?
    Do you know if any of said vulns were actually exploited as a 0day and not just privately reported by white hats?
    You do know which vulns are the most exploited, right? It's Flash and Java (and of course those long patched IE6 ones). Chrome can't mitigate Java exploits at all and flash sandboxing is only 8 days old http://src.chromium.org/viewvc/chrome?view=rev&revision=66022
    which hasn't landed in stable yet.

    But the most common so-called "drive bys" are Trojans as in our example. For ordinary users an AV will pick them up so they are safe again, sans sandboxing or scripting whitelist.

    Do you suggest Firefox is insecure because of all the vulns that are fixed all the time?
    Note how I defended Chrome here first: https://www.wilderssecurity.com/showthread.php?t=286831 The same goes for Firefox too, numbers != security.
     