Is Firefox less vulnerable to exploit when running NoScript?












2















The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.



I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.



Any opinions? Might make this a community wiki given that it's not simple problem/solution post.










share|improve this question





























    2















    The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.



    I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.



    Any opinions? Might make this a community wiki given that it's not simple problem/solution post.










    share|improve this question



























      2












      2








      2








      The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.



      I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.



      Any opinions? Might make this a community wiki given that it's not simple problem/solution post.










      share|improve this question
















      The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.



      I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.



      Any opinions? Might make this a community wiki given that it's not simple problem/solution post.







      firefox browser-addons exploit noscript






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      asked Mar 29 '10 at 8:59


























      community wiki





      PP.























          2 Answers
          2






          active

          oldest

          votes


















          4














          The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.



          NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.



          The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.



          Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.






          share|improve this answer

































            2














            I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).



            The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.



            Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.



            And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).






            share|improve this answer


























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f125260%2fis-firefox-less-vulnerable-to-exploit-when-running-noscript%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              4














              The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.



              NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.



              The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.



              Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.






              share|improve this answer






























                4














                The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.



                NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.



                The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.



                Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.






                share|improve this answer




























                  4












                  4








                  4







                  The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.



                  NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.



                  The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.



                  Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.






                  share|improve this answer















                  The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.



                  NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.



                  The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.



                  Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Feb 1 at 17:13


























                  community wiki





                  3 revs, 2 users 80%
                  Simon P Stevens


























                      2














                      I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).



                      The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.



                      Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.



                      And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).






                      share|improve this answer






























                        2














                        I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).



                        The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.



                        Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.



                        And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).






                        share|improve this answer




























                          2












                          2








                          2







                          I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).



                          The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.



                          Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.



                          And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).






                          share|improve this answer















                          I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).



                          The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.



                          Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.



                          And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          answered Mar 29 '10 at 10:41


























                          community wiki





                          CesarB































                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Super User!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f125260%2fis-firefox-less-vulnerable-to-exploit-when-running-noscript%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Сан-Квентин

                              8-я гвардейская общевойсковая армия

                              Алькесар