Researchers point out the holes in NoScript's default whitelist

Discussion in 'other anti-malware software' started by ronjor, Jul 1, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,775
    Location:
    Texas
    http://www.net-security.org/secworld.php?id=18579
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    Hm, that site writes:

    While I generally agree to keep the list of whitelisted sites as short as possible that quoted assertion is a bit overblown because:
    Nevertheless, the whole story is further evidence of why the scope-based approach in uMatrix is clearly superior: If you allow, e.g., googleapis.com in the domain-specific scope for xyz.com, it remains blocked for all other sites. This reduces the attack surface considerably.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    If you're also using anti-exploit tools, then this isn't really a big deal.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    What anti-exploit tools? Could you elaborate?
     
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    If the user doesn't want the default whitelist in NoScript, then place this line into your prefs.js file located in the browser profile folder.
    user_pref("noscript.default", "");

    All other entries (e.g.) about:addons, about:memory, etc. with this line:
    user_pref("noscript.mandatory", "");

    Now you should see no entries listed in NoScript's Whitelist.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Meh, remove them all and start your own... end of story.
     
  7. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    238
    Location:
    Neo Tokyo
    First the "Phone home" story and now this; these are definitely worrisome signs and an indicator of the direction NoScript seems to be heading. On the subject of which one offers better security, well, that's still debatable since many claim that uMatrix and the like are just a replacement for NoScript's most basic features and nothing more. (Anti-XSS, ABE, Clickjacking, XSLT etc.)
     
  8. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
    I no longer use NoScript...
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Sorry, I forgot to reply. But I was talking about tools like MBAE and HMPA, which are designed specifically to block exploits. I wouldn't rely on script-blockers like NoScript for the simple reason that they will always break stuff. You're better off with tools like Adblock Plus and Ghostery; they will block most third-party trackers and ads that are often used in exploit attacks, so-called "malvertising".
     
    Last edited: Jul 7, 2015
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    Thanks! I see this differently, though. Most sites which I open are sites which I visit frequently. It's no problem to configure my blocker (uMatrix) to not break them. Otherwise I prefer a default-deny policy as ABP and Ghostery are using lists that cannot be comprehensive enough by all means. And blocking unknown/new threats at their root is better than relying on 3rd party tools, IMHO.
     
  11. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Ghostery and AdBlock Plus also break stuff, just not as harshly as NoScript or Request Policy/uBlock Origin do... if an addon doesn't break something along the line, then it's not being utilised to its full potential (similar to the saying, "unused RAM is wasted RAM"). It all comes down to how hands-on you wish to be and how much trust you place in the stuff you use...

    Ghostery and AdBlock Plus - bottom of the barrel, good enough for the novice...
    NoScript, Request Policy, uBlock Origin - more for the hands-on user...

    EDIT: seriously, who uses default whitelists nowadays... with all the addons people are installing, using VPNs, getting hooked on anti-x programs... and then to leave a default whitelist untouched? Come on... drop the ball much?
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes correct. But as soon as you browse to other sites than your favorites, it will start to become annoying, especially to "normal" users. The only reason why I'm using script-blockers is for speed, not for security. Because at some point, you will always have to allow some script to run, just to make stuff work. That's why I said that you can rather rely on anti-exploit tools.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Correct, but you can't compare them with script-blockers, which will block all third-party scripts (depending on configuration), and break a whole lot more. And weeks ago, a couple of popular Dutch news sites (that I visit every day) were serving malware; guess what, I didn't notice a thing (I was using FF), even without running any anti-exploit tool. This means that ABP and Ghostery most likely took care of the problem.
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    "most likely" is a strong phrase... especially in 2015...
     
  15. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
  16. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    Correct me if I'm wrong, but I don't think this statement is true at all. The point of the anti-exploit tools is to prevent exploits from working on programs. But JavaScript in a web page is not affected by EMET or MBAE. While yes, they are running inside a program that could be hardened, the purpose of XSS isn't necessarily to break through your browser.

    If a malicious user stumbles upon a blogging site (say blog.com) that isn't sanitizing the inputs of the comment feature, and then injects some script tags and JavaScript into the comment and submits it, that JavaScript will now run for anyone who visits that page (say blog.com/blogpost). If the attacker has only done something simple like inject an alert, that code will run in every situation except for when you are blocking all scripts on that domain (blog.com). While there isn't much harm being done with my example, it shows that anti-exploit tools like EMET and MBAE don't protect you (and even script blockers, depending on how you have them set up).

    The real danger from XSS is if instead of injecting simple JavaScript, they load scripts from external sites (say baddie.com) that allow them to do more, like log your login credentials. In this case, if the domain (blog.com) is whitelisted then the script at (baddie.com) will not execute. This is where tools like uMatrix and NoScript help you and EMET and MBAE still don't. Now whether or not you can break out of a browser using JavaScript (I'd imagine there's probably ways) I'm not sure, but in that case that is when EMET or MBAE would probably help you.
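
Added example, not part of the thread and not NoScript or uMatrix code: a toy model of the two policies discussed above, a global whitelist versus per-site scoped rules, run over constructed page loads that cover the googleapis.com case from post 2 and the blog.com / baddie.com injection case from post 16. The rule layout, the function names, and the treatment of inline scripts as belonging to the page's own host are assumptions of this model.

```javascript
// Toy model of a script blocker's allow decision (constructed for illustration;
// not NoScript or uMatrix code). All hostnames below are sample values.

// True if host equals the rule domain or is a subdomain of it.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Global allowlist: once listed, a script source is trusted on every page.
function globalAllows(allowlist, pageHost, scriptHost) {
  return allowlist.some((d) => matchesDomain(scriptHost, d));
}

// Scoped rules: a source is trusted only on pages inside the rule's scope.
function scopedAllows(rules, pageHost, scriptHost) {
  return rules.some((r) =>
    matchesDomain(pageHost, r.scope) && matchesDomain(scriptHost, r.allow));
}

// Assumption of this model: an inline script counts as coming from the page
// itself, so it runs whenever the page's own host is allowed.
function decide(allows, policy, pageHost, script) {
  return allows(policy, pageHost, script.inline ? pageHost : script.host);
}

const globalList = ["blog.com", "xyz.com", "googleapis.com"];
const scopedRules = [
  { scope: "blog.com", allow: "blog.com" },
  { scope: "xyz.com", allow: "xyz.com" },
  { scope: "xyz.com", allow: "googleapis.com" },
];

// Constructed page loads covering both arguments made in the thread.
const loads = [
  { page: "xyz.com", script: { host: "ajax.googleapis.com" } },
  { page: "other.example", script: { host: "ajax.googleapis.com" } },
  { page: "blog.com", script: { inline: true } },        // injected inline script
  { page: "blog.com", script: { host: "baddie.com" } },  // injected external script
];

function evaluate() {
  return loads.map(({ page, script }) => ({
    page,
    script: script.inline ? "(inline)" : script.host,
    global: decide(globalAllows, globalList, page, script),
    scoped: decide(scopedAllows, scopedRules, page, script),
  }));
}
console.table(evaluate());
```

The two policies differ only on the second row, where a source allowed for xyz.com is requested from an unrelated page; the injected inline script on a whitelisted blog.com runs under both, and the external baddie.com script is blocked under both.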
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    Well said :thumb:
     
  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    OK...so it looks like it shouldn't be scary, given the explanation in NoScript's FAQ...
    https://noscript.net/faq#qa1_5

    An interesting find on NS forum
    :isay:
    https://forums.informaction.com/viewtopic.php?f=10&t=17066&start=15
    BTW...an interesting thread and interesting ideas because I'm "long-time user" of NS which is for me the most important Firefox's addon.
     
  19. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    A good reminder to check whatever one white-lists.
     
  20. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    As I stated in my post,
    The point of my post was to explain at a basic level how script injection works and why programs like EMET and MBAE are irrelevant in terms of script control.
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    Thanks :)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I'm not sure what you mean by that. But to clarify, I'm using an old version of both FF and Flash, and my security tools also didn't alert about a thing. So the chance is quite big that ABP and/or Ghostery took care of the problem.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I wasn't talking about attacks like XSS, I was talking about scripts that are being used to exploit browser vulnerabilities. When it comes to "malvertising" then ABP and Ghostery will do the trick. When it comes to malicious scripts trying to corrupt browser memory in order to make it execute malicious apps, then you can choose between more "aggressive" script-blockers like NoScript, or you can simply use anti-exploit tools, without having to worry about breaking web-pages.