[opensuse] NoScript Flaw
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.

Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.

According to Detectify researcher Linus Särud, NoScript whitelists the entire googleapis.com domain and any subdomain, which means an attacker could create a nefarious script that uses Google services APIs to bypass NoScript. The discovery follows an earlier project by Matthew Bryant, who successfully launched an attack that bypassed whitelist protections.

It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!”

According to a report in the Register, the NoScript team immediately responded by adapting the tool to whitelist only Google's hosted libraries at ajax.googleapis.com, which should reduce the threat, although it might require more intervention from the user to get any necessary legitimate sites whitelisted. Users are encouraged to install updates. Bryant adds, “Please purge your whitelist. Remove everything you don’t trust.”

http://www.linux-magazine.com/Online/News/NoScript-Flaw

BC

--
Using openSUSE 13.2, KDE 4.14.6 & kernel 4.1.1-0 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Basil Chupin wrote:
> Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
>
> Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.
>
> It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!”

---
NoScript is good, but really needs to integrate the functionality of "RequestPolicy".

Reason: a white list alone isn't enough. You need context. For example, I may want to list google's APIs as a white-listed component -- but that still means they can be called from a black-listed site.

NoScript doesn't create an environment -- and that's the problem. It creates a white list of "commands". I.e. it lets you white list libraries which may include the equivalent of an 'rm' command. A "good site" may use those libs to remove tmp files when it is done -- but a "bad site" can use 'rm --no-preserve-root -fr /'. The scripts themselves are "agnostic" -- it depends on how the scripts are called (parameters, and context).

RequestPolicy is far, far from perfect, but I haven't found anything better that monitors inter-domain calls. RqPlcy doesn't go far enough into detail about what should be allowed or not (like NoScript does -- but NoScript doesn't let you limit the calls by caller).

I've heard rumors that RequestPolicy may not work on the latest FFs. I'm using PaleMoon 25 (which is an x64 build of an earlier FF release before some major FF UI overhaul which 'incompats' most extensions).

There's a ton of security framework -- maybe 100-150 behaviors that can (could?) be controlled through "capability.policy.<polname>.<object>.<feature>" settings. (http://www-archive.mozilla.org/projects/security/components/ConfigPolicy.htm...) Normally you can't see them, as they are filtered out (https://bugzilla.mozilla.org/show_bug.cgi?id=284673).
On 09/07/15 10:13, Linda Walsh wrote:
> Basil Chupin wrote:
>> Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
>>
>> Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.
>>
>> It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!”
>
> ---
> NoScript is good, but really needs to integrate the functionality of "RequestPolicy"
>
> Reason: a white list alone isn't enough. You need context. For example, I may want to list google's APIs as a white-listed component -- but that still means they can be called from a black-listed site.

[pruned]

The intricacies of your response flow over my head, I am afraid :-) . I posted the above because I thought that it may be of interest to many people.

Having written the above, have you tried _Lightbeam_ which shows which other sites your current site is linking you to? (I know, I know, it's bad English grammar to end a sentence with a preposition but what the heck, eh? :-) ).

BC

--
Using openSUSE 13.2, KDE 4.14.6 & kernel 4.1.1-2 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU
Basil Chupin wrote:
> On 09/07/15 10:13, Linda Walsh wrote:
> [pruned]
>
> The intricacies of your response flow over my head, I am afraid :-) . I posted the above because I thought that it may be of interest to many people.

I never know how much detail to go into, since too much and I bore many, but not enough and I risk giving the few details that might help more people to grok it.

> Having written the above, have you tried _Lightbeam_ which shows which other sites your current site is linking you to? (I know, I know, it's bad English grammar to end a sentence with a preposition but what the heck, eh? :-) ).

No haven't -- will have to look it up....tnx for the ptr.

The main point of the 2 add-ons, NoScript and RequestPolicy -- is that NoScript only allows defining a site as 'good' or 'bad'. But ReqPol allows you to also define what types of communication are good or bad. If I am worried about google's tracking, I might not want sites to talk to google unless it is for google-apps, or something needed to make the website run. But if it is just for tracking.google.com, then I might want to block that out on most sites.
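The two points Linda makes above (a destination-only whitelist lets a blessed library be called from any site, and a request-level policy can additionally decide per caller and per kind of communication) are easy to see in a toy policy evaluator. The following is an added example written for this archive page; it is not code from NoScript, RequestPolicy, or anyone in the thread. It models three policies: the broad `*.googleapis.com` whitelist the article describes, the narrowed `ajax.googleapis.com` whitelist after the fix, and a RequestPolicy-style rule set keyed on the (origin, destination) pair. All origins, the `other-service.googleapis.com` host and the sample requests are constructed for illustration.

```python
# Added example (not from the thread or from either extension): a toy model
# of site-level whitelisting (decides on the destination host alone) versus
# request-level policy (decides on the origin/destination pair).
# All hosts, rules and requests below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Request:
    origin: str       # host of the page that issues the request
    destination: str  # host the script or resource is fetched from


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against a pattern.

    '*' matches any host; '*.example.com' matches example.com and every
    subdomain of it; anything else must match exactly. The leading dot in
    the suffix check keeps 'evilexample.com' from matching '*.example.com'.
    """
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def site_whitelist_allows(whitelist: Iterable[str], req: Request) -> bool:
    """Site-level policy: only the destination host is consulted; the caller is ignored."""
    return any(host_matches(p, req.destination) for p in whitelist)


def request_policy_allows(rules: Iterable[Tuple[str, str]], req: Request) -> bool:
    """Request-level policy: some (origin pattern, destination pattern) rule must match both ends."""
    return any(
        host_matches(o, req.origin) and host_matches(d, req.destination)
        for o, d in rules
    )


# Constructed sample traffic: a trusted site and an untrusted one both pulling the
# same hosted library, a request to a constructed "other" subdomain of the API
# domain, and a request to the tracking host named in the thread.
SAMPLE_REQUESTS: List[Request] = [
    Request("trusted.example.com", "ajax.googleapis.com"),
    Request("untrusted.example.net", "ajax.googleapis.com"),
    Request("untrusted.example.net", "other-service.googleapis.com"),  # constructed host
    Request("trusted.example.com", "tracking.google.com"),
]

# Policy 1: the broad whitelist described in the article (base domain plus all subdomains).
BROAD_WHITELIST = ["*.googleapis.com"]
# Policy 2: the narrowed whitelist after the fix (hosted libraries only).
NARROW_WHITELIST = ["ajax.googleapis.com"]
# Policy 3: request-level rules. Only the trusted site may load the hosted
# libraries; nothing may talk to tracking.google.com; everything else is denied.
REQUEST_RULES = [("trusted.example.com", "ajax.googleapis.com")]


def evaluate(requests: Iterable[Request]) -> Dict[str, Dict[Tuple[str, str], bool]]:
    """Run every sample request through the three policies and tabulate the decisions."""
    table: Dict[str, Dict[Tuple[str, str], bool]] = {"broad": {}, "narrow": {}, "request": {}}
    for req in requests:
        key = (req.origin, req.destination)
        table["broad"][key] = site_whitelist_allows(BROAD_WHITELIST, req)
        table["narrow"][key] = site_whitelist_allows(NARROW_WHITELIST, req)
        table["request"][key] = request_policy_allows(REQUEST_RULES, req)
    return table


if __name__ == "__main__":
    for policy, decisions in evaluate(SAMPLE_REQUESTS).items():
        print(f"--- {policy} ---")
        for (origin, dest), allowed in decisions.items():
            print(f"{origin:>24} -> {dest:<30} {'allow' if allowed else 'block'}")
```

Running it shows the gap the thread is about: the broad whitelist allows every subdomain of the API domain from any caller, the narrowed whitelist still allows the untrusted site to load the hosted library because the caller is never consulted, and only the request-level rules distinguish the trusted caller from the untrusted one.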
On 2015-07-13 14:14, Linda Walsh wrote:
> The main point of the 2 add-ons, NoScript and RequestPolicy -- is that NoScript only allows defining a site as 'good' or 'bad'. But ReqPol allows you to also define what types of communication are good or bad. If I am worried about google's tracking, I might not want sites to talk to google unless it is for google-apps, or something needed to make the website run. But if it is just for tracking.google.com, then I might want to block that out on most sites.

What about ABP? (Adblock Plus)

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))