Discussion in 'other anti-malware software' started by jdd58, Oct 16, 2010.
With LUA & SRP and or anti-executable is Noscript necessary to stay safe?
It is certainly useful. Another layer.
Noscript is Firefox's way of controlling scripting. Other browsers handle it within the browser preferences.
SRP and the like, will block the executable payload of an exploit that has been triggered.
I agree with above two comments. Noscript is still very useful additional layer of protection again exploits/payloads.
It would depend on what you are trying to guard against. LUA and SRP should be sufficient to prevent anything installing new or rewriting already installed software. But they wouldn't (for example) stop some browser exploit that might allow a java script keylogger to be loaded when you visit one site and stay resident while you go do you banking a few minutes later. Or so I understand it. If I'm wrong, I'm sure someone will point it out.
What I'm not sure about is whether you can script something that your browser would then happily reload everytime you start a new session. LUA and SRP don't prevent this AFAIK.
So,while LUA and SRP may prevent the malware payload from executing, Noscript or browser configuration is important to prevent XSS or CSRF attacks, or information theft. Correct?
Also RMUS, you had a tutorial on how to harden Opera a while back. Do you still have reference to that thread?
I thought a keylogger would not be able to execute but wasn't sure about other types of vulnerabilities.
Can you point to a current exploit that does this? I would like to check it out.
You must be thinking of someone else. The only "hardening" I do in Opera is
2) configure downloads to Prompt rather than Open.
I do recall, however, one of the members is quite the Opera expert and used to post all sorts of Tweaks in the other software & services forum -- I don't remember who it was...
No, I can't. It is hypothetical.
re: script-based keyloggers:
Agreed, in fact, several years ago a Wilders member posted PoCs by a fan of R. Hensing, whose 2007 article you cited.
I would like to see one if you come across an example in the wild.
EDIT: scott1256ca describes not just a keylogger, but also:
I wasn't aware of script based loggers. I thought all keyloggers were an executable. Thanks to all.
i hope you can remember who that was. I use Opera now.
Well I would like to comfirm the request of Rich: "show me the money" by providing some reference to an in the wild sample
a) With Chrome's sandbox such a hypothetical scenario would only be possible when browsing in the same tab (otherwise impossible), which is a very unlickely scenario of a hypothetical threat (so chances are .... less than winning the lottery IMO)
Oops! Not from Hensing's or rather from Provos' but from Manuel Caballero's. http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
Sure, if ever 'll found one as my spare time will allow me. jk ...
...i'll give the floor to those who have the time and the energy. My day job is completely unrelated to IT or anything about computers or much more about security.
Maybe scott1256ca is talking about these or something similar...
I don't know but might be of interest to you...
Thanks, but to use your quote,
I'll wait for a real exploit and then do a risk assessment!
ok, the original post asked "does noscript add any benefit if you already have SRP and LUA".
My reply seems to have caused some confusion.
All I was trying to answer was, "yes, I think it does". I then tried to give an example where noscript could block something that SRP and LUA would not. I pulled the example out of the air. If someone already did a PoC on it, that doesn't change the fact that I pulled the scripted keylogger example out of the air. I just don't want anyone to think that I was implying it was an imminent threat. So sorry, I will not be showing money to anyone
In any case, thanks for the related links.
This would make the most sense if ultimate security against scripting dangers is desired. In my case, however, I hate Noscript, and therefore have no use for it; it slows down my enjoyment of the internet and without it I've never once encountered a situation where I needed it with a subsequent feeling of regret not having it. I feel certain that simply running as standard user with some sort of default-deny policy is all that's needed to avoid these over-hyped (by a few) problems. There's one member in these forums, in particular, who loves to cheer lead the latest, greatest threats with overtones of "worry" and "concern" when there's really no need for the rubbish at all
You can also use NoScript and allow all scripts globally and then you still have other protection, quote from NoScript developer's blog:
Same developer stated Firefox was the safest browser. Before 3.6 Firefox was lagging as see https://www.wilderssecurity.com/showthread.php?t=272374 for facts.
Chrome has less API's available than Firefox, which offered near total control. The complaints the Noscript developer has on Chrome is more or less the same critique the HIPS developers had on x64 kernel patch proctection ("they won't build the API's I need for Noscript" - no off course they won't, they do not want to lower security)
Talking about Noscript author about Chrome is like discussing with the Turkey on what to eat for dinner on Christmas/Thanksgiviing
Chrome sandboxes those issues, a far better approach, see for new chrome goodies https://www.wilderssecurity.com/showthread.php?t=284601
I have now actually Uninstalled No Script due to the fact that I was for ever configuring its white and black list per site.
I don't know how other people deal with the following issue. But lets say for example you go surfing thru a whole bunch of websites you have never visited before you find that some sites don't load properly and that not all content is displayed which is limiting your browsing experience due to No Script. You then
have to decide whether it is safe or not to allow scripts to run on a Particular site so you can view it properly, you end up spending more time configuring no script than actually browsing the net.
I just run my browser in an Sandbox Isolated environment with and anti executable app.
'Temporarily allow all this page'
If you find yourself visiting a site frequently, spend a few seconds and whitelist that and related sites.
Also you can 'allow scripts globally' and use it the way BoerenkoolMetWorst described.
It depends on the overall configuration you have, but probably not necessary.
Thanks for the interesting reads.
NoScript and HTTPS mixed content... http://forums.informaction.com/viewtopic.php?f=10&t=5269#p22938
As session hijacking was taken tangentially in this thread, a bit off topic(privacy-related) but worth mentioning as it could change the world as Steve puts it... http://ssj100.fullsubject.com/security-f7/firesheep-t289.htm
Separate names with a comma.