New Net Threat: Infectious Web pages

Discussion in 'other security issues & news' started by Capp, May 18, 2007.

Thread Status:
Not open for further replies.
  1. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    ARTICLE
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I guess if one would allow javascripts for a web site once and it after that got infected it would beat Firefox+noscript extension? Or does the article refer to other things than javascripts?
    That is one reason why one should keep a layered defense with a decent firewall that can handle all the leaktests, AV and maybe one HIPS or CIPS...
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    If you're using Firefox, you can just relax.
    And if you're using Linux, you can start relaxing other people.
    Mrk
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    lol, ok I´ll keep my pants on then :D
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Use "Temporary allow" :)
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Yeah I mostly do that if the page has something I want and it demands JS enabled, but not here at wilders and a few other pages I visit regulary that need JS to function. So if wilders where hacked the way explained in the article I guess, at least in theory, it could happen..?
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    You don't need JS to use Wilders...
    Mrk
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    That is true, unless I want to use the editing functions when writing posts. But thats why I permanently allow some very frequently visited sites, to do the extra stuff.
     
  9. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    That's true but I run Opera with js disabled and allow on a site by site basis, but a hell of a lot of sites ar almost unworkable without js, links don't work, content missing etc
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    In my experience, only about 1-2% of websites require JS to function properly, and usually, they are inferior sites, content and design wise.
    Mrk
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have Script Defender as a warning for .JS and .JSE-files. Is that enough dear experts ?
     
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I dont know if it is something Opera specific but it is very rare when using Firefox + noscript that you need to have JS allowed to get the information you want. Maybe some ads or other irrelevant content dissapear, nothing important, but then again I am not a big fan of sites (or rather web designers) that need alot of bells and whistles to make them selves heard. That usually indicates that they dont have anything worth while to offer in the first place.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Remember, SD doesn't monitor web-embedded .js files which are interpreted directly by the browser.

    SD looks just at those on the HD that you d-click on.

    Blocking web-embedded scripts has to be done by the browser.

    I think this was discussed in another thread recently...

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Last edited: May 19, 2007
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. In that case I only have to disable Java and JavaScript in Firefox. :)
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think u need not worry. DefenceWall will protect from browser related scripts.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    See this thread :)
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have read it before but it,s mostly above my level.
    Well I do have an idea that XSS will not be prevented by a sandbox( am I right?) but the question is " Should I be worried?"
    My answer for myself-- probabaly not.
    BTW I don,t know of any good measure aginst XSS so far ( software-wise).
    Any inputs?

    BTW I stand corected as Eric asked about JS etc( not about XSS) versus ScriptDefender and I think in the presence of DW, script defender is not needed. ScriptDefender will not protect against XSS as well. Correct?
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Script Defender (and similar tools) will only protect against scripts interpreted by the Windows Scripting Host. It's ineffective against scripts embedded in other files (this trick doesn't affect Wormguard) and scripts interpreted by the browser (Wormguard is ineffective here too).
    The best measure against XSS is NoScript. Firekeeper may help too.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What about other browsers, like Opera?
     
    Last edited: May 19, 2007
  20. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Opera and IE both have per-site security settings similar to the NoScript Firefox extension: Opera calls them "Site Preferences", IE calls them "Zones".
    Anyway, they're far from being as well designed, usable and tested as NoScript.

    Furthermore, they don't offer any protection against XSS targeting your JavaScript enabled sites, so they're almost useless from a security standpoint.

    Specific anti-XSS protection on the client side is a feature you can find only in NoScript, AFAIK.
     
  21. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Loading...
Thread Status:
Not open for further replies.