Well I installed Sandboxie.

So now youre saying that users need script protection regardless of browser they use?

 

Apologies for sounding like a numbskull here.

What about browsers that can disable scripts, do they provide adequate protection? Or is a user needing a plugin/browser with XSS protection?

For example, Avant Browser can disable scripts, java, ActiveX, and so on at the click of a button. And re-activate any by selecting the option and reloading the page.

 

Ummm... can those browsers readily disable iframes? NS can.

Even so, blocking scripts will help a lot. There are also some learnable *user habits* that will further augment your safety. Read about them HERE.

Sadly, the current script blocking programs block by filetype, and do not analyze the script. Moreover, they don't alert to scripts that were cached by the browser. Further, they interpose themselves between your browser & HD, but the damage we're talking about here takes place by code execution within your browser. To wit, script blockers do NOT flag web-based scripts which are automatically interpreted by the browser.

@All Some other (possible) alternatives to NS are...

Link Scanner Pro (with heuristics)

Firekeeper

Firekeeper is a *freebie* Firefox extension in Alpha status, so stay away unless you first make an HD image. LS Pro is non-free, now at a special price. I >think< this is included with the paid version of AVG (someone please verify or correct me).

 

Hi bellgamin,

I tried those tests from 'spanner link' web page and saw what problems it caused for firefox.

I tried them in Avant, but disabled scripts, java and ActiveX, and the scans couldn't begin.

Avant blocked all scans (well as far as I could tell, caused many problems for firefox). I'll use Avant for now, super fast browser with a ton of options.

 

another safer way is to use admuncher because it acts like a proxy, when using admuncher your firefox browser doesn't even connect to the internet.

 

bellgamin, if possible, would you be able to test the browser I've been using (with scripts/java/activex disabled)? The iframes link didn't seem to do much, but maybe it did what it was intended to do. The others tests however were blocked.

I guess I've been a bit naive when it comes to firefox and its security. Only been concerned about ActiveX.

 

I'm sorry but I can't do that, for various reasons. I would, however, comment that...

1- Avant is an Internet Explorer clone, with all of IE's vulnerabilities and strengths. Firefox has vulnerabilities, too, of course. However, Internet Explorer is integral to Windows whereas Firefox is not -- therefore, a breach of IE is potentially more serious than a breach of FF.

2- When you disable NoScript's script blocking functions, it will STILL block cross-scripting (XSS). I am not sure that blocking scripts on your own will necessarily block cross-scripting as well. I recommend that you ask these technical questions at the NoScript forum.

 

All cool, you don't have to give a reason.

I tried the tests again with various browsers. I'll keep using the one I mentioned as it blocked the tests (again) without any alerts/popups.

The new firefox 3 will be very quick so I will try NoScript again in due course.

Back on topic, I guess it all comes down to the individual user. As Peter mentioned about practising 'safe browsing', I rarely, if at all go to 'outside/unknown' sites. The few I go to keep me interested and sandboxie is an amazing program that will continue to gobble up and spit out any nasties.

 

Shazam!

Here's yet another option...

XSS Warning

Beware -- it's a beta. (Beyond here be dragons)

 

Hi,

the author of NoScript, Giorgio Maone posted a nice slam about XSS Warning (by Gianni Amato).
"Now, I feel a little dirty in pointing that, but XSS Warning has quite a naive filter implementation which is far away from NoScript's reliability.
Both the link above and the CIA XSS on my blog do bypass XSS Warning with no sweat."
http://forums.mozillazine.org/viewtopic.php?p=3339261#3339261

Do we trust Giorgio or Gianni or is this just an italian cockfight

Cheers

 

damn I wish it was compatible with firefox 3

 

Giorgio's NoScript is in an advanced state and will get better. Gianni's Xss-Warning is in public beta, and it also will get better.

A public beta of a security app is not so much a finished product as it is an open invitation to adventurous folks to help out in the war against nasties. Security apps need our POSITIVE support. Shooting down a beta app in the bud only serves the bad guys.

Also in beta is Firekeeper - an IDS (Intrusion Detection System) for Firefox. Just as Giorgio (the developer of NoScript) took pokes at XSS Warning, so also did Wladimir Palant (developer of Adblock) take potshots at NoScript in THIS altogether fascinating thread -- which includes some entertaining & educational *verbal jousting* between two of the current *giants* in developing security extensions for FF.

There are always holes in any security wall. Professional competition among security protection experts often results in a bit of mud being slung on their respective walls (bad) but also serves to incite them to PLUG the holes in their respective walls (good). At such times, we who lurk here have the golden opportunity to encourage the good and help smooth over hurt feelings from the bad. Doing so fosters the spirit of peace and progress and Aloha.

 

Alternatively, you can use K-Meleon which is Mozilla based, and disable javascript and frames.

With the following disabled, it passes the tests previously listed above without the popups/warnings.

Don't mind K-Meleon, simple, but light.

 

Found out how to stop it from crashing. I just added Sandboxie to the safe list in Spyware Terminator No problems so far.

 

Yes, sometimes good softwares are killing eachother over nothing, jealousy is usually the reason.

 

Some ''good'' softwares are bad coded !LOL

 

LOL. That is also a possibility. I find it always amusing, when good softwares don't like eachother.

 

Honest,you guess,some ''good softwares'' hook the MBR and let others in the cold. Leapfrog FDISR in his latest incarnation knows how to be really good,and stops the fight ! LOL