Is Firefox less vulnerable to exploit when running NoScript?
The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.
I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.
Any opinions? Might make this a community wiki given that it's not a simple problem/solution post.
firefox browser-addons exploit noscript
asked Mar 29 '10 at 8:59
community wiki
PP.
2 Answers
The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.
NoScript blocks execution of all JavaScript and 3rd party scripting (like Flash/Silverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.
The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.
Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it? Do you perform an in-depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript"? I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.
edited Feb 1 at 17:13
community wiki
3 revs, 2 users 80%
Simon P Stevens
I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).
The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.
Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.
And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).
answered Mar 29 '10 at 10:41
community wiki
CesarB
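A simplified model of the per-site decision described in the answer above, as an added example that is not part of the original post and is not NoScript's own code: it lists every script and iframe a page pulls in, marks each allow or block against a site allowlist, and flags frames that look hidden. The host names, the sample HTML, the subdomain-matching rule and the hidden-frame heuristic are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the original post): a page on news.example
# that pulls in an ad script, a tracker and a hidden cross-domain iframe.
PAGE_URL = "https://news.example/story.html"
SAMPLE_HTML = """
<script src="/static/site.js"></script>
<script src="https://cdn.news.example/player.js"></script>
<script src="//ads.adnet.example/show.js"></script>
<script src="https://stats.tracker.example/t.js"></script>
<iframe src="https://unknown-host.example/x.html" width="0" height="0"></iframe>
"""

def host_allowed(host, allowed_sites):
    """True if host equals an allowed site or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in allowed_sites)

def looks_hidden(attrs):
    """Heuristic for invisible frames: 0/1-pixel size, hidden attr or hiding CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return (tiny or "hidden" in attrs
            or "display:none" in style or "visibility:hidden" in style)

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url, allowed_sites):
        super().__init__()
        self.page_url = page_url
        self.allowed = {s.lower() for s in allowed_sites}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        # Inline scripts and src-less frames count as the page's own site.
        url = urljoin(self.page_url, attrs.get("src") or "")
        host = urlsplit(url).hostname or ""  # hostname is already lower-cased
        self.findings.append({
            "tag": tag, "host": host,
            "decision": "allow" if host_allowed(host, self.allowed) else "block",
            "hidden": tag == "iframe" and looks_hidden(attrs),
        })

def audit(html, page_url, allowed_sites):
    parser = ActiveContentAudit(page_url, allowed_sites)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, PAGE_URL, ["news.example"]):
        print(f["decision"], f["tag"], f["host"], "HIDDEN" if f["hidden"] else "")
```

With only news.example allowed, the page's own scripts and its CDN subdomain run, while the ad script, the tracker and the zero-size frame from the unrelated host are all blocked.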