Almost NoScript Exploits Whitelist Vulnerabilities

Subject: General Tech | July 6, 2015 - 07:01 AM |
Tagged: noscript, javascript, firefox

I do not really believe in disabling JavaScript, although the ability to control or halt execution would be nice; you can use an extension to remove it entirely if you want. I say this because the story below concerns vulnerabilities in the NoScript extension, which locks down JavaScript and other non-static content. By "vulnerabilities", we mean the ability to execute JavaScript, something every major browser vendor enables by default because they consider it safe enough for their users on its own.


This is like a five-year-old figuring out how to unlock a fireworks case full of paper crackers.

Regardless, there are two vulnerabilities, both of which have already been patched. Both of them take advantage of the whitelist functionality so that malicious code is not blocked. By default, NoScript trusts a handful of domains, because blocking every script would break too much of the internet.

The first problem is that the whitelist has accumulated some cruft, including domain names that serve no purpose and even some that have expired and are available for purchase. To prove the point, Matthew Bryant purchased zendcdn.net and used it to serve his own JavaScript. The second problem is similar but distinct. Rather than a domain that had expired, it involves whitelist entries such as googleapis.com that also cover their subdomains, including storage.googleapis.com, a service that accepts untrusted user scripts (it is part of Google's Cloud Platform).
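The two whitelist weaknesses above can be checked for in a defender's own allowlist. The following is an added example, not NoScript's code: it implements domain-level matching (an entry trusts the host and every subdomain) and audits a constructed whitelist against a constructed set of names confirmed to still belong to their legitimate owner and a constructed set of hosts known to serve user-uploaded content.

```python
# Added example: audit a NoScript-style script whitelist for the two weaknesses
# discussed above. The whitelist, the "confirmed live" set and the user-content
# hosts are constructed for illustration, not real data (zendcdn.net aside).

def whitelist_matches(entry: str, host: str) -> bool:
    """A domain-level entry matches the host itself and every subdomain,
    which is how an entry for googleapis.com also trusts
    storage.googleapis.com."""
    entry, host = entry.lower().strip("."), host.lower().strip(".")
    return host == entry or host.endswith("." + entry)


def audit_whitelist(whitelist, confirmed_live, user_content_hosts):
    """Return findings keyed by whitelist entry.
    - 'unconfirmed': the auditor could not confirm the name still belongs to
      its legitimate owner, so it may be expired and purchasable (zendcdn.net).
    - 'covers_user_content:<hosts>': the entry also trusts a host that serves
      arbitrary user uploads (the storage.googleapis.com case)."""
    findings = {}
    for entry in whitelist:
        issues = []
        if entry.lower() not in {d.lower() for d in confirmed_live}:
            issues.append("unconfirmed")
        covered = sorted(h for h in user_content_hosts
                         if whitelist_matches(entry, h))
        if covered:
            issues.append("covers_user_content:" + ",".join(covered))
        if issues:
            findings[entry] = issues
    return findings


# Constructed sample data (hypothetical names, not a real default whitelist).
SAMPLE_WHITELIST = ["trusted-cdn.example", "googleapis.com",
                    "zendcdn.net", "example.com"]
SAMPLE_CONFIRMED_LIVE = {"trusted-cdn.example", "googleapis.com", "example.com"}
SAMPLE_USER_CONTENT = {"storage.googleapis.com", "uploads.example.net"}

if __name__ == "__main__":
    report = audit_whitelist(SAMPLE_WHITELIST, SAMPLE_CONFIRMED_LIVE,
                             SAMPLE_USER_CONTENT)
    for entry, issues in report.items():
        print(f"{entry}: {'; '.join(issues)}")
```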

Again, even though JavaScript is about as secure as an executable language gets, you should be allowed to control what executes on your machine. As stated, NoScript has already addressed these issues in a recent update.



July 6, 2015 | 11:23 AM - Posted by Anonymous (not verified)

I was viewing the Tech Report last week and kept getting an annoying ad script that would force IE 11 to auto-scroll back up to where the ad could be seen. I decided to visit the webpage with the developer tools enabled to see what ad was doing this, and found that some script from a Google domain was also disabling HTTPS, and last evening I also was getting malicious script injection attempts via the ad content on the Tech Report's website. All browsers should have a top-level button on the browser that allows the JavaScript engine to be toggled off. Also, any offending ads that are pushing the scripts should be able to be recorded by the user at the user's discretion, and an HTML option should allow the captured ad information to be sent to Google, or any offending ad service's complaints division, or other internet complaints site. Browsers should give the users the ability to disable mouse events on a per-webpage basis, because some websites are abusing that part of the browser's built-in abilities. So all but the minimal mouse events to allow the browser to function should have the ability to be toggled off on a per-website basis. The user's security software should be able to pass/flag the offending IP address, or domain of any offending script, directly to the browser, and the browser should immediately blacklist the address/domain.

As far as disabling scripting breaking the internet, the fault is with the ad industry, and the regulators for not making more of the underhanded JavaScript types of usage by the ad industry illegal, including modifying the browser navigation history to inject more ads when users try to back-navigate out of a website. Auto-downloading of video ad content should only be allowed with the user's consent, especially when it degrades the user's browsing experience. Web hosting services that repeatedly are found to be hosting script pushers should be held more accountable to get those users banned.

July 6, 2015 | 12:18 PM - Posted by Anonymous (not verified)

I agree with the poster above, however the reality is, everyone wants to take a slice of the pie and no one can stop them. Unless..

July 6, 2015 | 01:00 PM - Posted by Anonymous (not verified)

JavaScript is used to do all kinds of really annoying things. I would rather have it disabled by default with an easy way to enable it for trusted sites. I have switched back and forth between Chrome and Firefox depending on which has fewer issues. I am still often using a MacBook Pro with 3 GB of memory on OS 10.7.5. Chrome had scrolling issues for quite a while that made it unusable. I had to switch back to Chrome a while ago though, since Firefox seemed to be continuously writing to a history file or something every 10 or 15 seconds. It actually started causing a slowdown since I had not cleared the history in a while; it was attempting to write a couple hundred MB each time. I left it sitting for a day, and it wrote around 50 GB to my SSD, which is not acceptable. After clearing the history, it was still writing every few seconds but a much smaller amount. Such small writes still burn blocks on the SSD though. They may have fixed this by now. I am still running Chrome at the moment, and I have JavaScript and other plugins disabled. They are not enabled unless I trust the site and actually need the functionality. Flash mostly wastes memory and processing power, which are both in short supply on older systems and mobile systems. Chrome doesn't have the ability to enable scripts by domain like NoScript on Firefox. You get all or nothing per page.

July 6, 2015 | 10:33 PM - Posted by BlackDove (not verified)

I've been saying for YEARS that things like NoScript, Adblock and alternate browsers like Chrome or Firefox do nothing but give people a false sense of security.

If you're not using exploit mitigation you're basically unprotected.

July 7, 2015 | 06:12 AM - Posted by Anonymous (not verified)

Those ARE exploit mitigations. They're not flawless, but no single tool is. They DO stop the vast majority of garden variety non-targeted attacks.

Nothing is foolproof to a sufficiently talented fool, etc., but if you're intentionally visiting dodgy domains and expecting Tool X to save you, no security suite is going to help you.

July 7, 2015 | 12:09 PM - Posted by Anonymous (not verified)

You have no control over the domains that the ads are pushed from, so expect that even the most reputable websites will get some malicious scripts pushed through some ad partners. The Tech Report is very reputable, but it was the ad that pushed out the malicious script. Read the first post!

July 7, 2015 | 09:39 PM - Posted by BlackDove (not verified)

Google Ads getting compromised and a bunch of sites like YouTube starting to infect people with banking malware is a perfect example.

July 7, 2015 | 09:36 PM - Posted by BlackDove (not verified)

Those are NOT exploit mitigations (techniques that actively block exploit code from running).

They are simple whitelists or blacklists, which provide zero protection against zero-days.

Malwarebytes Anti-Exploit and Microsoft EMET use actual exploit mitigation techniques like anti-heap-spray and memory protections such as bottom-up ASLR, etc.
