For those using Firefox...

JavaScript in Firefox:
Today I am going to talk about how bad JavaScript can be.
Did you know that with JavaScript DISABLED in Firefox:

only 3 of the 13 most critical security holes found in Firefox would affect your settings even if you still used version 3.0? And all 3 security holes rated high would not have affected your setup whatsoever,
and 3 out of five of the Moderate-rated security holes would not affect you either.
Disabling JavaScript when browsing infected sites makes you more secure, there is no doubt about it.
Using SafeSurf also helps improve your security somewhat.

But Mozilla said that they patched all those security holes. Why should I worry now?

There is something called zero-day attacks, and of course they will find more holes in the Firefox browser.
And I bet that many of those will not work if you disable JavaScript.

The bad about disabling JavaScript:
Some sites will simply stop working.
And others will not function the way they are supposed to.

The Good:

Improved security.

Conclusion:

While it improves the security somewhat, it makes your web experience less feature-rich.
A good way to come around this is by downloading the NoScript add-on.

It allows you to trust sites, and disable JavaScript on sites you don’t trust.

Reference:

NoScript and SafeSurf will take care of these. :slight_smile: When full Memory Firewall in CIS is out next release it will improve protection even further for the ENTIRE system and not just the browser, and will cover these flaws. (:WIN)

Cheers,
Josh

I love FF’s NoScript. Another layer of security. :wink:

Yep, I love the add-ons like NoScript and ABP.

As for BO attacks, I read on Wikipedia that they cannot be performed through JavaScript, as scripting languages have built-in protection against BO.

No matter what browser you use, using FULL Comodo Memory Firewall you’re protected against browser vulnerabilities. This is why it’s being integrated in next CIS version.

Example… New IE Vulnerability.

Though every browser can’t guarantee no vulnerability, I still recommend NOT using IE. :SMLR

Cheers,
Josh

With the Firefox NoScript add-on, if you don’t allow infected sites, the probability of being hacked is below 1%.

One problem still remains though; if the NoScript whitelisted site you visit is hijacked. Not very unusual I think, for those large sites most people visit every day - news, media, communities, whatever.

If this happens, then Defense+ will notify me about a new file being created, and I will isolate it and then delete it and laugh at the virus writer.

That’s exactly what I think too. However, I’m not sure if the browser creating a file is the only thing a malicious script can perform. :-\ Anyway, I trust D+. :-TU

But anyone can be defeated by probability.
For example, by luck I was installing (Defense+ was in installation mode) and surfing at the same time, and at the same time I got on a site which at the same time had been hijacked and at the same time was in the trusted sites in NoScript.
Needed to reinstall Windows ;D

It happened to me: a site that I use and that needs JavaScript was showing Errorsafe popups. However, I didn’t fall for it and didn’t click on anything and stopped script execution, so no damage was done.

NoScript website:

“Q: What is XSS and why should I care?
A: XSS stands for Cross site scripting, a web application vulnerability which allows the attacker to inject malicious code from a certain site into a different site, and can be used by an attacker to “impersonate” a different user or to steal valuable information. This kind of vulnerability has clear implications for NoScript users, because if a whitelisted site is vulnerable to a XSS attack, the attacker can actually run JavaScript code injecting it into the vulnerable site and thus bypassing the whitelist. That’s why NoScript features unique and very effective Anti-XSS protection functionality, which prevents untrusted sites from injecting JavaScript code into a trusted web page via reflective XSS and makes NoScript’s whitelist bullet-proof.
If you’re the technical type and you want to learn more about XSS, you may enjoy reading the excellent Cross Site Scripting Attacks: Xss Exploits and Defense book.”
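
The FAQ text quoted above describes stopping an untrusted site from injecting script into a whitelisted page through the request itself. The sketch below is an added illustration of that idea, not code from this thread and not NoScript's actual filter; the `TRUSTED` list, the hostnames, the pattern and the `checkRequest` function are all assumptions made for the example.

```javascript
// Added illustration only: a simplified cross-site request check, not NoScript's filter.
// TRUSTED is a constructed whitelist; every hostname here is a made-up example.
const TRUSTED = new Set(["news.example", "bank.example"]);

// Markup and script-like fragments that a search or form parameter rarely needs.
const SUSPICIOUS =
  /<\s*\/?\s*(script|iframe|img|svg|object|embed)\b|\bon\w+\s*=|javascript\s*:/i;

// Decode repeatedly so a double-encoded payload (%253Cscript) is seen in plain form.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 5; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// sourceUrl: page that triggered the request (null for a typed URL or bookmark).
// Returns { action, url }; "sanitize" means suspicious parameters were dropped.
function checkRequest(sourceUrl, targetUrl) {
  const target = new URL(targetUrl);
  const sourceTrusted = sourceUrl !== null && TRUSTED.has(new URL(sourceUrl).hostname);
  // Scripts only run on whitelisted targets, and only non-whitelisted senders are suspect.
  if (!TRUSTED.has(target.hostname) || sourceTrusted) {
    return { action: "allow", url: target.href };
  }
  let changed = false;
  for (const [name, value] of [...target.searchParams]) {
    if (SUSPICIOUS.test(fullyDecode(name)) || SUSPICIOUS.test(fullyDecode(value))) {
      target.searchParams.delete(name);
      changed = true;
    }
  }
  return { action: changed ? "sanitize" : "allow", url: target.href };
}

// Constructed sample: an untrusted page links to a whitelisted site with markup in "q".
const demo = checkRequest(
  "https://untrusted.example/page",
  "https://news.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lang=en"
);
console.log(demo.action, demo.url);
```

A check like this only looks at what arrives in the request; it does nothing if the whitelisted site itself serves modified pages, which is the case raised earlier in the thread.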

Life is better than I thought ;D

You have extra protection with both NoScript and Memory Firewall.

No Script Protects Browsers.
Mem Firewall Protects entire system.

When next CIS is out with Mem Firewall in it, it will be very hard to get infected.

Cheers,
Josh

Don’t mean to get !ot! but

There has been a recent debate over if Safesurf also protects all apps:

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/development_activities_for_cis-t31974.345.html

I’ll answer.

Thx for clarifying XSS, I knew briefly about it. Still, I guess if a hacker really comes into a system, he can replace code on websites without the need of XSS. In other words, bypassing XSS. These are just my thoughts, I don’t know how hackers perform their attacks. It is clear that NS provides an excellent protection…

I normally set my NoScript to deny all sites. Only when I visit I use the temporary give permission option if it is needed. Of course I know this will still not guarantee safety but you can never know.