Firefox with NoScript vs. Chrome?

Discussion in 'other security issues & news' started by Fox Mulder, Oct 15, 2011.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I doubt whether ScriptNo or NotScripts have the same efficacy as NoScript. I couldn't even get ScriptNo to work properly. I used to switch the JS off in Chrome by default & use the whitelist but then the extensions wouldn't work properly. I think a well *tooled-up Firefox with a competent user can be every bit as safe as Chrome in the real world.

    *Sorry, I'm watching a re-run of The Sweeney as I write this & have gone a bit Sweeney Todd. By 'tooled-up' I mean well defended/advised by various extensions/add-ons such as WOT, NoScript, ABP, FlashBlock, Flagfox, Certificate Patrol etc.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No amount of extensions will match the core security of Chrome. That's something Firefox will have to address on their end.

    ScriptNo is working fine for me. It is (legitimately) blocking things. And it seems to have further functionality beyond NoScripts with its malware blocking.
     
  3. Daveski17

    The sandboxing is important.

    I must have broken it. :'(
     
  4. Hungry Man

    I know some people have had issues if they're on stable with experimental addons.
     
  5. Daveski17

    I didn't think it was an experimental extension (aren't they all a bit anyway ;) ), I honestly think I broke it when I moved its GUI icon. It worked at first then just stopped blocking JS. I have experimented a bit with it, both on Iron & Chrome portables, including not moving the GUI icon, & it still breaks. It may be an extension conflict but I just can't ascertain which one it is. If it is, of course.
     
  6. Hungry Man

  7. Daveski17

    OK thanks for the link, but I broke the bog-standard version, god knows what will happen to the experimental one! :eek:

    EDIT: Nope, even the experimental one is knackered! Technically, I shouldn't even be able to write this. o_O

    It did block the emoticon though at first ...

    EDIT 2: I eventually deleted the portable version of Chrome from the flashdrive as it & the experimental ScriptNo crashed & burned, I couldn't even uninstall ScriptNo after a while. I'm OK as I have an identical copy of Chrome on another flashdrive. So I can copy it back. I don't know what exactly went wrong, I'm guessing a conflict with another extension. I can live without ScriptNo I reckon.
     
    Last edited: Oct 17, 2011
  8. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    After using ScriptNo for a bit, I think it works well. I love the location of the notifications compared to Firefox, but the developer really needs to make the UI a little more... intuitive.

    Just to be sure, I also have Chrome limited by D+. Everything is on Block with create process on ask. (For running downloaded executables.) It probably can't get much more secure than that.
     
  9. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I see that's from November 2010, Phoenix Exploit Kit version 2.1.

    Did some more searching and found that an even older one (Phoenix kit, version 2.0) also had successful Chrome loads:
    http://www.m86security.com/newsImages/TRACE/ph3.png

    and Eleanore exploit kit from January 2010 exploited early Chrome builds 1-4:
    http://www.krebsonsecurity.com/wp-content/uploads/2010/01/bots1.jpg

    But from May, 2011 (Phoenix kit, version 2.7), only 57 browsers identifying themselves as Chrome were exploited out of 15000+:
    http://labs.m86security.com/wp-content/uploads/2011/05/panel2.png

    Or for a Blackhole Exploit kit in June, 2011, 10 out of 800 Chrome visits:
    http://labs.m86security.com/wp-content/uploads/2011/06/Statistics.png

    Something quite significant changed somewhere along the line. What did those 57 Chrome browsers do wrong? Or were they in fact other browsers using false browser IDs?

    Just now loaded the latest Chrome with Java 6u18 x86 and ran a Blackhole Exploit Kit, and selected 'Run this time' for the out-of-date Java plugin when prompted. No malicious files were downloaded or executed. I left it for 10 minutes, and it just sat there. Nothing new added when viewed under Autoruns.

    Did the same in IE9, and straight away malicious files were downloaded and executed:


    If you find an exploit kit that can exploit the latest Chrome, please let me know (feel free to PM the URL). I'll see if I can find Java 6u12 somewhere in order to test with that, as that's what you used in your post from January, 2011. Edit: 6 update 12 makes no difference; perhaps there is some kind of invisible blacklisting as HungryMan suggests.
     
    Last edited: Oct 17, 2011
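
Added example, not part of the original thread: a triage pass over a Temp directory for the kind of drops the IE9 test in the post above produced. The two name patterns (`jar_cache<digits>.tmp` and `0.<digits>.exe`) and every function name are assumptions made for this sketch, and the sample files are constructed, not real samples.

```python
import hashlib
import re
from pathlib import Path

# Assumed name patterns for Java-plugin cache files and numeric-named droppers.
JAR_CACHE = re.compile(r"^jar_cache\d+\.tmp$", re.IGNORECASE)
NUMERIC_EXE = re.compile(r"^0\.\d+\.exe$", re.IGNORECASE)

def sha256_of(path):
    """Hash in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_temp(temp_dir):
    """Return one record per file whose name matches either pattern."""
    findings = []
    for p in sorted(Path(temp_dir).iterdir()):
        if not p.is_file():
            continue
        if JAR_CACHE.match(p.name):
            kind = "jar_cache"  # the Java plugin also creates these legitimately
        elif NUMERIC_EXE.match(p.name):
            with open(p, "rb") as fh:
                # 'MZ' is the DOS/PE header magic; the name alone proves nothing.
                kind = "numeric_pe" if fh.read(2) == b"MZ" else "numeric_exe_not_pe"
        else:
            continue
        findings.append({"name": p.name, "kind": kind, "sha256": sha256_of(p)})
    return findings

def likely_java_dropper(findings):
    """Escalate only when a numeric-named PE sits beside Java cache files."""
    kinds = {f["kind"] for f in findings}
    return "jar_cache" in kinds and "numeric_pe" in kinds

def build_sample(temp_dir):
    """Write constructed stand-in files so the sketch runs offline."""
    d = Path(temp_dir)
    (d / "jar_cache1111111111111111111.tmp").write_bytes(b"PK\x03\x04constructed")
    (d / "0.1234567890123456.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "setup_log.txt").write_bytes(b"unrelated")
    return d
```

A `jar_cache` hit on its own is normal for any machine with the Java plugin; the SHA-256 values returned are what you would look up or hand to an analyst.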
  10. Hungry Man

    That is VERY strange. I have not heard anything about Chrome securing Java.

    EDIT: Strange, though comforting if you're a Chrome user =p
     
  11. RJK3

    Yes, you have :p
    https://www.wilderssecurity.com/showpost.php?p=1953238&postcount=74

    I didn't make it clear enough in the post: nothing happened with the exploit kit using Chrome whether I enabled or disabled Java, whether using old (vulnerable) versions or the current version.
     
  12. Hungry Man

    I thought that you'd denied it in that one. Whoops.

    I still haven't heard of them actually protecting Java in some way. I mean, I see that you've shown this but I haven't seen any information on the why/how.
     
  13. Daveski17

    Well, I'm glad you have had more success with it. I only tried the experimental on a portable version of Chrome & it fried it. After that I discovered I couldn't even open my hard drive version of Chrome. I cured that by uninstalling & re-installing. I must be allergic to ScriptNo. Everything is back to normal now thankfully.
     
  14. Hungry Man

    I think it's likely that the Java payload was blacklisted by Chrome and that's why it didn't download. I do not think that Chrome does anything to prevent exploits in Java.
     
  15. RJK3

    Do you have any information on how this works? And how this blacklisting can be bypassed?

    All the browsers warned of the site except Chrome IIRC, so you may be right.
     
  16. Hungry Man

    Chrome uses the Safebrowsing API, just like Firefox. Chrome also has an additional blacklist for specific files (instead of just the typical blacklist of urls.)

    It's a blacklist so it's easily bypassed by modifying and releasing a new version of the malware.
     
  17. RJK3

    I mean how does the user bypass it. I've disabled the 'Phishing and Malware Protection' but still cannot exploit it with a vulnerable version of Java.
     
  18. Hungry Man

    Oh. That would be how to bypass it. If that's not the case... I don't really know.
     
  19. RJK3

    Only finding proof against the stats and my own experiences using Chrome on exploit kits with Java:

    From 2008 report, 'The Security Architecture of the Chromium Browser'.
    http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

    So that's at least how it was in 2008.

    From http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ
    So why is Chrome doing so well in the later exploit kit stats? Why am I the only one I can find on searches even commenting on this? The only mention of Java in relation to exploits in Chrome is either old stuff from 2010 or earlier, the supposed Vupen bypass from earlier this year, or the controversial choice of Chrome to prompt the user for Quicktime and Java.

    Edit: Could the prompt in Chrome about out-dated Java be having such a big effect? Or prompting before allowing Java to load on an exploit kit?

    Still doesn't explain why I can't find an exploit to work on Chrome with out-dated Java, despite them all working on other browsers. I'll maybe try using a vulnerable version of Adobe PDF reader and Chrome and see where I get. No point of course if there's some kind of sneaky blacklisting that can't be bypassed by the user...
     
    Last edited: Oct 17, 2011
  20. Hungry Man

    Yeah, no clue.
     
  21. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Thanks for that, I missed it. I have found an issue with the experimental version though. Whenever I open majorgeeks.com it causes an "aw snap" browser crash when using either Chromium or Iron portable. If I uncheck <script> in the options the page will open. The non-experimental version does not cause this crash.
     
  22. Hungry Man

    Have you whitelisted it?
     
  23. jdd58

    Adding majorgeeks.com to the whitelist worked for both Chromium and Iron portable. Thanks.

    I see the browser crash was one of the "known issues".
     
    Last edited: Oct 17, 2011
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Try deleting all Safe Browsing files from Chrome's profile folder.
     
  25. tlu

    tlu Guest

    No, but AdBlockPlus if you're using the Malware Domains subscription. So no need for Noscript to offer the same.
     