PDA

View Full Version : blocking unsafe plugins in Firefox


jdh
May 2nd, 2007, 04:20 PM
The most recent versions of NoScript allow blocking the playing / displaying of plug-in media from Untrusted sites.

Click the NoScript icon, then click Options, then click the Advanced tab, and disable the plug-ins you want to block.

Microsoft Windows, Microsoft Internet Explorer, and Firefox are not the only softwares that "hatch bugs".

Browser plug-ins such as: Adobe Acrobat Reader, Apple Quicktime, Adobe Macromedia Flash Player, RealAudio, Windows Media Player also have security holes. And it not easy to keep up to date on their vulnerabilities (I subscribe to RSS news feeds from http://isc.sans.org [Internet Storm Center] to learn about such security holes but I'm not sure that is the best news source for home users).

But by disabling the playing of plug-in media on Untrusted sites, I figure one is pretty well protected from exploits against plug in programs, even if one does not keep one's plug-ins well patched.

Of course, the assumption behind this is that media from trusted sites will not contain exploits. Not a bullet-proof guarantee, so best to patch your plug-in programs too.

I still use FlashBlock extension too, to block the playing of Flash media (ads) on Trusted sites (e.g. Yahoo mail or Yahoo groups) since they are annoying and come from other (perhaps less trustworthy?) domains besides yahoo.com per se.

DH

Judy G. Russell
May 2nd, 2007, 05:57 PM
The most recent versions of NoScript allow blocking the playing / displaying of plug-in media from Untrusted sites.Thanks! I'll have to take another look at that.

jdh
May 2nd, 2007, 09:47 PM
I forgot to mention again that many types of plug-in media can itself contain embedded javascript. I don't know any details about how such embedded jscript works, but I doubt that NoScript itself can prevent the running of such scripts. Therefore NoScripts advanced option to block plug-in media from untrusted sites is probably an even better idea than at first might appear.

DH

jdh
May 2nd, 2007, 09:53 PM
Thanks! I'll have to take another look at that.

I just installed an update to NoScript a few minutes ago. It has a new experimental feature called "Flash Nanny" that would let you even block Flash on whitelisted sites, thus eliminating the need for FlashBlock.

I could not figure out how to enabled that feature so I'll wait until it becomes "regulation" instead of "experimental".

DH

davidh
May 29th, 2007, 07:35 PM
I just installed an update to NoScript a few minutes ago. It has a new experimental feature called "Flash Nanny" that would let you even block Flash on whitelisted sites, thus eliminating the need for FlashBlock.

I could not figure out how to enabled that feature so I'll wait until it becomes "regulation" instead of "experimental".

DH

I actually tried the plug-in blocking on whitelisted sites as described in the following quote. Easier than I thought it would be. No actual hand editing of any file needed.

"Finally, toggling the noscript.contentBlocker about:config preference to true extends the content restrictions you set for untrusted sites also to whitelisted pages, turning NoScript in a general content blocker for Java, Flash and other plugins functionally similar to FlashBlock."

http://noscript.net/features#contentblocking

So far so good. Tested with Flash and Java.

I uninstalled Flashblock extension to Firefox. Don't figure I'll need it anymore.

I wonder if Internet Explorer 7 has any features or controls that afford near this level of protection? I rather doubt it and don't really think it would be worthwhile to spend the time to find out. However, for those who stick with MS IE, it might be very worthwhile to find out how to use additional protection, if any.

"The fact that javascript can be used, as he mentioned, to capture keystrokes or upload files should be cause for concern and reason to disable javascript whenever possible."
" I too have used the Noscript extension with firefox for a long time. It allows me to enable javascript for the few trusted web sites that need it and disable it by default for all other sites. Recommended." (Internet Storm Center)

http://isc.sans.org/diary.html?storyid=2460

BTW, I am fairly confident that the security situation on the Internet will get worse before it gets better. Some sources who know what's going on are starting to clam up, because of perceived threats of violence from the organized criminal gangs who attack people on the Internet. This is big business.

DH