Firefox Extension Blocks Dangerous Web Attack

A popular free security tool for the Firefox browser has been upgraded to block one of the most dangerous and troubling security problems facing the Web today. NoScript is a small application that integrates into Firefox. It blocks scripts in programming languages such as JavaScript and Java from executing on untrusted Web pages. The scripts could be used to launch an attack on a PC.

The latest release of NoScript, version 1.8.2.1, will stop so-called "clickjacking," where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program. Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person's privacy or, even worse, steal money from a bank account.

Download: NoScript 1.8.2.1
View: The full story @ PCWorld


39 Comments


I used noscript for a while but stopped. It helps to block some ads that ad block plus doesn't, but can be annoying when I go to a new page and have to reload after I click "trust."

yeh noscript sucks in terms of overkill, having to whitelist a billion sites just to be protected from a few that most users would probably never run into anyway.

i think the main flaw with NoScript is that the main people it's geared towards are the people who probably won't want to use it since it makes it harder for them to use the web in general since initially you have to allow sites to get them to work like they should... which will turn off A LOT of people who are just used to websites 'just working'.

me personally i use NoScript for a while and i like it quite a bit overall

Don't know about making it harder to use the web, but it blocks WAY too much of it for me!!

Flashblock and AdblockPlus are the ONLY extensions I need (for the VERY RARE times I even think of using Firefox )

No, the main flaw with NoScript is people choose to install it and then bitch about it doing its job. Oh, wait, that's not a flaw with NoScript but with the user.

I only use IE for Windows Update at home and verifying sites I'm working on at work (updates are handled centrally). Everything else goes through the Fox with NoScript, with various sites allowed and a few marked as untrusted (like doubleclick and intellitxt; worthless to me). If a site doesn't work in FF regardless of script settings then I can't be bothered with it as obviously the creator(s) couldn't be bothered to make something cross-browser.

If a site that uses JavaScript (even exclusively) for operation can't be set up to display a message when it isn't enabled then that site is useless for anybody using assistive tech. There's also all the sites that don't bother with server-side validation because they expect the script to perform it client-side.

(cork1958 said @ #15.1)
Don't know about making it harder to use the web, but it blocks WAY too much of it for me!!

Flashblock and AdblockPlus are the ONLY extensions I need (for the VERY RARE times I even think of using Firefox )

this is exactly what i mean (i.e. this is the point i was trying to make in my above post)... since by default it blocks a lot you generally have to allow it (allow use of javascript) on a per site basis which is my point of it being too hard for the average joe that just knows barely how to load up a web browser and go to a website... as even though it's fairly easy to enable NoScript so that it works right (bottom right corner, basically a couple of mouse clicks so that javascript etc works properly) it's 'extra effort/learning more' on the user's part which will be a turn off for majority of people i would assume.

p.s. as for extensions installed... i use 3 myself, adblock plus/NoScript/TabScroller ... Tabscroller basically makes it so it's more efficient to switch between multiple tabs as instead of having to move the mouse pointer over a tab you want to switch to then left click it like normal... you can make it so that with the extension of 'TabScroller' (switch it to 'basic mode' once installed for it to do what i'm saying) that you hold down right mouse click and then scroll with mouse wheel to 'instantly' switch between tabs... i.e. it's more efficient than doing it the usual way... at first it feels a little weird but once you get used to it, it's far better than manually clicking on tabs you have open.... but basically if you generally don't have multiple tabs open then TabScroller won't be of any real use to you.

p.s. i been using Firefox exclusively since a little prior to its v1.0 release and i ain't looked back since.

mrbester said, "No, the main flaw with NoScript is people choose to install it and then bitch about it doing its job. Oh, wait, that's not a flaw with NoScript but with the user."

that's my point... it requires extra effort on the end user's side to make each website run properly, unlike a default install of firefox where everything 'just works'... hence most people probably won't like NoScript unless they know how to use it... i know how to use it and it's not hard for me... but like i said, it requires configuration on a per site basis for the websites to run properly as vast majority of sites need javascript in order to function properly which NoScript blocks.

so basically NoScript offers you more security overall at the trade off of it needs configuring.... which in my case i'll take the extra security

it actually caught this as a clickjacking attempt... it isn't, it's just an ad for the Wii game, but at least i got to see what the alert looks like...

it'll play through once, and i got it when i tried to play it again by clicking the link to play again, i forgot what the text was...

actually, tried it again, and clicking anywhere on the screen while it's playing shows the alert


http://www.youtube.com/experiencewii

(NoScript is a must have addon, that's for sure!)

I've been using Noscript with Firefox for so long now. It's an important add-on because of all those ads and stuff like that around the web that I don't have to see; quite bothersome without it.

I've been using NoScript for so long that it is essential whenever I am browsing on another person's computer.

Scirwode

I'll tell you why noscript is great. For the same reason I don't accept 3rd party cookies.

If I go to siteA I do not want the images, cookies and scripts from parasiteB, parasiteC, parasiteD, etc running on my browser.

As a web surfer, I am happy to see yet another vulnerability fixed by an enterprising third party.

As a web developer, I am saddened to see so many people use an extension such as NoScript. Javascript is a core part of the way the modern web operates. Blocking it will seriously and catastrophically affect nearly every website that you visit, and pose more challenges and limitations on developers such as myself.

This kind of "kill it all" reaction is reckless and impedes the advancement of the internet itself in a modern era. Javascript has the potential for a few vulnerabilities, and yes, can be used to annoy the heck out of you, but discovering and fixing these mistakes, and preventing similar ones from occurring is much more productive than "no more Javascript".

Yes, I realize you can whitelist a site with NoScript. But if you allow certain scripts, what's to say they won't change the next day? Your protection is moot again, and you're no better off than anyone else.

So please, as a web developer, I beg you to avoid NoScript, and instead look to the browser and flash developers for a more elegant and less clumsy and stupid solution.

(cyberdrone2000 said @ #4)
As a web surfer, I am happy to see yet another vulnerability fixed by an enterprising third party.

As a web developer, I am saddened to see so many people use an extension such as NoScript. Javascript is a core part of the way the modern web operates. Blocking it will seriously and catastrophically affect nearly every website that you visit, and pose more challenges and limitations on developers such as myself.

This kind of "kill it all" reaction is reckless and impedes the advancement of the internet itself in a modern era. Javascript has the potential for a few vulnerabilities, and yes, can be used to annoy the heck out of you, but discovering and fixing these mistakes, and preventing similar ones from occurring is much more productive than "no more Javascript".

Yes, I realize you can whitelist a site with NoScript. But if you allow certain scripts, what's to say they won't change the next day? Your protection is moot again, and you're no better off than anyone else.

So please, as a web developer, I beg you to avoid NoScript, and instead look to the browser and flash developers for a more elegant and less clumsy and stupid solution.

LMAO! using noscript will do NOTHING to impede the advancement of the internet, if anything it will help it, I don't surf without it, it does a beautiful job in blocking the third party garbage ads and their tracking cookies that I don't want to see or have anything to do with.

As a web developer I have no problem with it.

As a web developer, I am saddened to see so many people use an extension such as NoScript. Javascript is a core part of the way the modern web operates. Blocking it will seriously and catastrophically affect nearly every website that you visit, and pose more challenges and limitations on developers such as myself.

Any developer worth their money can make a site work flawlessly with or without Javascript. If the site 100% requires it, then you are doing something wrong.

This kind of "kill it all" reaction is reckless and impedes the advancement of the internet itself in a modern era. Javascript has the potential for a few vulnerabilities, and yes, can be used to annoy the heck out of you, but discovering and fixing these mistakes, and preventing similar ones from occurring is much more productive than "no more Javascript".

Yes, I realize you can whitelist a site with NoScript. But if you allow certain scripts, what's to say they won't change the next day? Your protection is moot again, and you're no better off than anyone else.


NoScript is a great middle ground, allowing the user to decide who is trustworthy and not - the same way you do with a firewall.

It is far from "no more javascript". It is better than turning Javascript off completely, and not as unsecure as allowing Javascript free rein. It allows me to look at and decide if a site is worth me "exposing" my computer to or not. The page looks dodgy? Leave it alone. Think I can trust the site? Temporarily allow it. Use the site regularly? Allow it permanently.

I trust Neowin, so it is on permanent allow. However I don't trust "doubleclick.net", so it is not allowed. With Javascript off, I wouldn't be able to use Neowin fully. With it on, I'd be exposing myself to whatever "doubleclick.net" sends my way.

If anything it helps by teaching developers to code properly (for no Javascript) while preventing companies from using Javascript for things they shouldn't. Prove your site is trustworthy with no Javascript, give those who trust you a better experience with it on.

So please, as a web developer, I beg you to avoid NoScript, and instead look to the browser and flash developers for a more elegant and less clumsy and stupid solution.

If the developer is intending to cause harm, asking them not to do so will make no difference.

(Fourjays said @ #4.2)
If the developer is intending to cause harm, asking them not to do so will make no difference.

I'm talking about asking browser and flash developers to find more elegant solutions to these problems, rather than block javascript completely, not asking people to stop mis-using javascript.

(Fourjays said @ #4.2)
Any developer worth their money can make a site work flawlessly with or without Javascript. If the site 100% requires it, then you are doing something wrong.

And I'm not contending this at all. Sites that use javascript have a lot of potential to offer more value and richer content than sites without. Newer ajax web applications will likely not run at all without it.

(Fourjays said @ #4.2)
NoScript is a great middle ground, allowing the user to decide who is trustworthy and not - the same way you do with a firewall.

Unlike a firewall, you can't only allow one action, and not another. What happens if some script kiddie gets on neowin and adds some malicious Javascript? You're screwed.

My main point is, without Javascript, some of the emerging web applications are no longer feasible. If you can't even test an ajax-intense site to determine if it is safe or not, how will you get anywhere? Moreover, how can developers get anywhere by creating these sites and services if everyone is too paranoid to try them.

(James Riske said @ #4.1)
LMAO! using noscript will do NOTHING to impede the advancement of the internet, if anything it will help it, I don't surf without it, it does a beautiful job in blocking the third party garbage ads and their tracking cookies that I don't want to see or have anything to do with.

A lot of Google services wouldn't exist without javascript.
Also Adblock Plus does a much better job of blocking advertising, and it does so in a much less overzealous way.

(cyberdrone2000 said @ #4.3)

I'm talking about asking browser and flash developers to find more elegant solutions to these problems, rather than block javascript completely, not asking people to stop mis-using javascript.

And I'm not contending this at all. Sites that use javascript have a lot of potential to offer more value and richer content than sites without. Newer ajax web applications will likely not run at all without it.

Unlike a firewall, you can't only allow one action, and not another. What happens if some script kiddie gets on neowin and adds some malicious Javascript? You're screwed.

My main point is, without Javascript, some of the emerging web applications are no longer feasible. If you can't even test an ajax-intense site to determine if it is safe or not, how will you get anywhere? Moreover, how can developers get anywhere by creating these sites and services if everyone is too paranoid to try them.

Yes, it is up to the browser developers to ensure that it is secure.

Until you get to something as involved as Gmail, AJAX can still have a non-AJAX equivalent. I'm not disputing that some sections of a site would require it - I'm saying that if no Javascript damages the ability to view the site to the point where a user will turn away and miss out, then something is wrong. This doesn't matter with a service like Gmail as I signed up to it, but on a site where you are attracting new visitors, it is not a good idea.

I like NoScript, but are we really giving it credit for preventing a theoretical threat that hasn't appeared in the wild yet?

I guess that the alternative is a "reactive" type of security - where you sit in stunned silence as software is exploited and no one has made it more secure, even though they could have done something about it.

;)

(markjensen said @ #2.1)
I guess that the alternative is a "reactive" type of security - where you sit in stunned silence as software is exploited and no one has made it more secure, even though they could have done something about it.

;)

Okay, comprehension is not your strong point here. I didn't say being proactive about the exploit is bad, I said we are crediting NoScript with solving a problem that technically doesn't exist.

Additionally, most of this new breed of "security researcher" pull a lot of stuff out of thin air and use scare tactics to grab headlines, so it should all be taken with a huge grain of salt. As the original article states, the concept of this flaw has been around for years and no one has managed to make a useful exploit out of it. So now NoScript has prevented a flaw that doesn't exist in the wild from hurting you? Really? What exactly did it prevent?

(bob_c_b said @ #2.2)
Okay, comprehension is not your strong point here.

Ooh! I just love it when people decide to passively attack other people's intelligence!

Do it again! You have an amazing wit of words about you. It is truly mesmerizing!

(markjensen said @ #2.3)
Ooh! I just love it when people decide to passively attack other people's intelligence!

Do it again! You have an amazing wit of words about you. It is truly mesmerizing!

I didn't attack your intelligence, I said you lacked comprehension. And it wasn't passive, it was very direct, and your second reply drives the point home. I have no doubt you're a smart guy, but you are reading more into my words than are really there trying to come up with a clever retort.

The point is that it is better to close potential vectors of attack before the attack.

That's all.

Any suggestion that they are incorrect to close it now is ridiculous.

(markjensen said @ #2.5)
The point is that it is better to close potential vectors of attack before the attack.

That's all.

Any suggestion that they are incorrect to close it now is ridiculous.

No one suggested that but clearly you are looking to argue, so go ahead and win.

(bob_c_b said @ #2)
I like NoScript, but are we really giving it credit for preventing a theoretical threat that hasn't appeared in the wild yet?

Yes. Credit for addressing a possible exploit vector.

Good thing.

End of story.