How do,

On Mon, 2007-01-22 at 11:32 -0600, Les Mikesell wrote:
> Dotan Cohen wrote:
> > 2) They rely on ActiveX, Java or some other dangerous script.
>
> Can you elaborate on the dangers of java?

From the faqs at, http://www.noscript.net/faq

1.10 Q: Why should I allow JavaScript, Java and Flash execution only for trusted sites?

A: JavaScript, Java and Flash, even being very different technologies, do have one thing in common: they execute on your computer code coming from a remote site. All the three implement some kind of sandbox model, limiting the activities remote code can perform: e.g., sandboxed code shouldn't read/write your local hard disk nor interact with the underlying operative system or external applications. In the past, many security exploits have been based on "privilege escalation", i.e. exploiting an implementation error of the sandbox to acquire greater privileges and perform nasty tasks like installing a trojan. This kind of attack can theoretically happen with JavaScript, Java and Flash, even if their statistic scores are quite different:

1. JavaScript looks by far the most dangerous (most fixed vulnerabilities discovered to date were actually unexploitable if JS was disabled). Probably this is because it is easier to test and search for holes, even if you're a newbie hacker: everybody and his brother believe to be a JavaScript programmer :P

2. Java has a better history, at least in its "standard" incarnation which is the Sun JVM. There have been viruses, instead, written for the Microsoft JVM, like the ByteVerifier.Trojan. Anyway, the Java security model allows signed applets (applets whose integrity and origin are guaranteed by a digital certificate) to run with local privileges, i.e. just like they were regular installed applications. This, combined with the fact there are always users who, in front of a warning like "This applet is signed with a bad/fake certificate. You DON'T want to execute it! Are you so mad to execute it, instead? [Never!] [Nope] [No] [Maybe]", will search, find and hit the "Yes" button, recently caused some bad reputation even to Firefox (notice that the article is quite lame, but as you can imagine had much echo).

3. Flash has the shortest list of known security flaws, and they are pretty old. Nonetheless, such a list exists and this is enough to show that vulnerabilities are possible, even if unlikely.

4. Other plugins are harder to exploit, but they can still contain flaws like buffer overruns that may execute arbitrary code when fed with a specially crafted content (it happened with Windows Media Player, for instance).

Please notice that none of the aforementioned technologies is usually (95% of the time) affected by known and unpatched holes, but the point of NoScript is just this: preventing exploitation of even unknown yet security holes, because when they are discovered it could be too late ;) The most effective way is disabling the potential threat on untrusted sites.

> --
> Les Mikesell
> lesmikesell@xxxxxxxxx

Hope the above helps :-)

taharka

Lexington, Kentucky U.S.A.