java, javascript, and flash as security risks

Discussion in 'other security issues & news' started by Odyssey, Mar 18, 2007.

Thread Status:
Not open for further replies.
  1. Odyssey

    Odyssey Registered Member

    Joined:
    Jul 31, 2004
    Posts:
    7
    I have recently added NoScript to my Firefox browser. If I correctly understand what it does, NoScript stops JavaScript from operating on each website you visit (unless you authorize it for that site).

    Having used it for a few weeks now, I am starting to think a bit about some things which I realize I don't understand very well. For example, what is the difference between Java, JavaScript, and Flash from a browser security standpoint?

    The Opera browser gives you the choice to enable/disable:
    GIF/SVG animation
    Sound in webpages
    Java
    Plugins
    Javascript
    referrer logging

    Whew! What does all this mean?

    I know that the most secure computer is one that is unplugged, but the browsing sure is slow. So each browser needs to find a compromise between unplugged and wide open that makes browsing a workable, yet as secure as may be practical, experience. I don't visit ersatz/porno sites, but these days it is very easy for crackers to set up a poisoned site that looks very legit and may be hosted at a first-class ISP.

    Does anyone know of one or more tutorials or extended discussions covering this? Anyone have a quick summary? TIA
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Just to answer some points: Java is Sun Java, which comprises applets, or little programs giving functionality on a website. JavaScript is quite different but is widely used by websites (and malware exploits!); it is not as dangerous as Sun Java, and it can be quite limiting on some sites if you do not allow it.

    Flash Player by Macromedia (now Adobe) is an ActiveX component; it should be safe in itself, but allowing ActiveX in general can be risky.

    "Plugins" is more of a generic term for these little add-on programs that add function to the browser.

    The Referrer is a heading that can be transmitted when you click in a site to go to another site. It isn't a security problem and is needed in some sites, but could have privacy considerations in some circumstances (by passing on info about the site you have just come from).

    I can't say much about Firefox, I'm afraid, 'cos I only use IE; but if you block ActiveX, Java, VBScript and JavaScript through your browser you greatly limit the possibility of being exploited.
     
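As an added example, not written by any poster in this thread: the privacy point about the referrer above is easiest to see by computing what a browser would put in the Referer header under each Referrer-Policy a site can declare (a mechanism that postdates this thread). The URLs are constructed, and the "downgrade" test simplifies the spec's "potentially trustworthy" check to an HTTPS-to-non-HTTPS transition.

```javascript
// Added example (not from the thread): what the Referer header reveals about the
// page you came from, for each value of Referrer-Policy a site can set
// (HTTP header "Referrer-Policy: ..." or <meta name="referrer" content="...">).
// Policy semantics follow the W3C Referrer Policy spec; the sample URLs are constructed.

// Full referrer: the source URL minus credentials and fragment (never sent).
function fullReferrer(src) {
  const u = new URL(src.href);
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Returns the Referer value a browser would send for a navigation from `fromUrl`
// to `toUrl` under `policy`, or null when no Referer is sent at all.
function refererFor(policy, fromUrl, toUrl) {
  const src = new URL(fromUrl), dst = new URL(toUrl);
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  // "Downgrade": leaving an HTTPS page for a non-HTTPS one (simplified check).
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return fullReferrer(src);
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? fullReferrer(src) : null;
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(src);
    case "origin-when-cross-origin": return sameOrigin ? fullReferrer(src) : originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin": // current default in major browsers
      if (sameOrigin) return fullReferrer(src);
      return downgrade ? null : originOnly;
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

const POLICIES = ["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"];

// Table of what each policy leaks for one navigation; useful when choosing a policy.
function leakTable(fromUrl, toUrl) {
  return Object.fromEntries(POLICIES.map(p => [p, refererFor(p, fromUrl, toUrl)]));
}

// Constructed example: a shopping page with a sensitive query string that embeds
// a tracking pixel from a third-party ad host served over plain HTTP.
console.table(leakTable("https://shop.example/cart?item=123&user=alice", "http://ads.example/pixel"));
```

The `unsafe-url` row is what a browser with no policy in effect would send to the third party; `rel="noreferrer"` on an individual link gives the `no-referrer` row for that link only.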
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ TopperID

    When you said "it is not as dangerous as Sun Java", I think you meant it the other way round: that Sun Java is not as potentially dangerous as MS JavaScript/Active Scripting.

    Regards,


    StevieO
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Probably, but Java applets have the potential to do more and have been regularly exploited on old versions of Java. Just now, though, there seem to be a lot of exploits relying on JavaScript - but perhaps that is because JavaScript is more commonly used for the correct functioning of sites?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    VBScript, so one more new thing for me to learn, though I have heard of it before. How do you compare it to JS, and how do you disable it in Opera and FF?
    Has it something to do with Windows Scripting Host?

    Thanks
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,

    Saying that Java is more / less dangerous than JavaScript is simply wrong. Any programming language can do anything, within the limitations of the operating system it runs on.

    Furthermore, (Sun) Java is perceived as less dangerous than JavaScript because the (Sun) Java client on Windows runs with reduced privileges ... that does not mean that the code is benign. It can be very pristine or very malicious. But it will do what the system tells it to do. Just as the same malware on a limited user account will do less damage or not run at all, regardless of what the code says. The same applies to Linux etc.

    Java, JavaScript and Flash are not security risks. Programs that render the commands in these languages / formats are. A secure browser will be less likely to compromise the system based on the input it gets.

    Since browsers are never likely to be 100% secure, you have the extensions that allow these plugins to be disabled.

    Mrk
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone
    Article here.

    A new tool too dangerous to give away can turn any PC - Windows, Mac, Linux - or any device with a browser into a site attacker. The tool, called Jikto, is a Web application scanner that searches for cross-site scripting vulnerabilities. Billy Hoffman, a security researcher with SPI Dynamics, demonstrated what the tool could do at the ShmooCon hacker convention March 24. Namely, Jikto, which is written in JavaScript, can surreptitiously latch onto a browser that has JavaScript enabled.

    After silently inserting itself to run inside any browser - be it that of a PC, a cell phone - Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.

    It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread via latching onto visiting browsers. This is something that JavaScript wasn't supposed to be able to do, but unfortunately, Hoffman said, it can.

    A very good reason to be careful where you surf, and to have NoScript w/ FF - which I do!

    -- Tom
     