Domain: noscript.net
Stories and comments across the archive that link to noscript.net.
Comments · 347
-
Re:No plugins like Adblock and NoScript
IE is NOT the first browser to implement anti-clickjacking tech. Firefox + NoScript has had a non-obtrusive (read:it works with the "globally allow scripts [etc]" option enabled) clickjacking blocker known as ClearClick for quite a while now. It is inaccurate to compare vanilla Firefox with other browsers since Mozilla intended Fx to be used with addons. NoScript is a perfect example.
-
Clickjacking
Protection against the relatively new threat of 'clickjacking,' where a site tries to get you to press buttons underneath a sham frame page, has also been added - the first browser to include such protections.
No, not the first. Maybe the first to be shipped with the functionality turned on by default.
It's just that, with FireFox, anything that isn't related to bare simple display of HTML pages, is usually tucked into separate plugins.
But the Noscript plugin has featured click-jacking prevention almost from the next day after click-jacking came in the news.
-
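The two comments above argue about which browser shipped clickjacking protection first. Whatever the browser does, a site can also refuse to be framed by sending an anti-framing response header, and the browser enforces it. The following is an added example, not code from this page or from NoScript, showing how a browser (or an audit script run against your own site's responses) decides whether a page may be framed by a given ancestor origin under X-Frame-Options and the CSP frame-ancestors directive. The origins and header values are constructed for illustration; the function names are this example's own.

```javascript
// Added example (not from the page or from NoScript): decide whether a response may be
// framed by a given ancestor origin, following the rules browsers apply to
// X-Frame-Options and the CSP frame-ancestors directive. All origins and header
// values below are constructed for illustration.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Does one CSP source expression match the ancestor origin?
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;      // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;                                                   // unsupported expression: no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && anc.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? anc.hostname.endsWith('.' + host) : anc.hostname === host;
  if (!hostOk) return false;
  const ancPort = anc.port || DEFAULT_PORT[anc.protocol] || '';
  return !port || port === '*' || port === ancPort;
}

// true  -> the page may be embedded by ancestorOrigin (clickjacking is possible)
// false -> the browser refuses to render it inside that frame
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const h = normalizeHeaders(headers);
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      // When both are present, frame-ancestors wins and X-Frame-Options is ignored.
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0) return false;                             // an empty source list means 'none'
      return sources.some(s => sourceMatches(s, pageOrigin, ancestorOrigin));
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  // No recognised anti-framing header: any page may embed this one. (The old
  // ALLOW-FROM form is treated as unrecognised, as current browsers do; a header
  // carrying several conflicting values is not modelled here.)
  return true;
}

// Constructed demo: a banking page whose policy admits itself and partner subdomains.
const DEMO_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  'X-Frame-Options': 'DENY',
};
console.log(framingAllowed(DEMO_HEADERS, 'https://bank.example', 'https://app.partner.example')); // true
console.log(framingAllowed(DEMO_HEADERS, 'https://bank.example', 'https://evil.example'));        // false
```

A page that returns true for an arbitrary ancestor origin is the kind of page a client-side blocker such as ClearClick exists to protect; the header is the fix the site itself controls.
-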
Re:Simple Solution...
Oh, and use NoScript!
Another simple change is to set dom.disable_window_open_feature.location to true. That should make it pretty obvious when a popup comes from source different than what it's claiming.
-
Simple Solution...
Don't have multiple tabs/windows open while you're doing your online banking!!!
Oh, and use NoScript! -
NoScript FTW
If you use Firefox along with NoScript you are protected from this kind of attack and many others. I highly recommend Firefox users look into this.
-
Re:Trust (not exactly)
Yes, you're right on the fact that a targeted attack might inject on-site content which might be allowed by your whitelist, but this is an unlikely scenario, especially in mass attacks like these, because for the attacker it is much more practical to inject a small, stealthy inclusion and host the real payload elsewhere, on a server in his full control where he can log the activity and/or mutate the code as needed. Furthermore, you can configure NoScript to execute plugin content (e.g. Flash) on demand (after clicking on a placeholder) on whitelisted sites as well, hugely reducing the attack surface even on trusted pages.
-
Re:Java != Javascript
Epic fail. Read and learn your folly.
-
Re:This stuff is why...
I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.
-
Re:No chrome until adblock and flashblockAnd mozex or It's all text.
Same reason I won't switch to Opera. I like vim.
Oh, and don't forget about noscript, even if Chrome runs javascript faster, most of the time, I don't care.
-
Client-side Mitigation
A countermeasure against this attack scenario has just been added to latest NoScript development version:
v 1.8.0.5
Experimental "Force Secure Cookies" feature, mitigates HTTPS cookie hijacking attacks (http://tinyurl.com/cookiehijack).
Enabled by default, it can be disabled either globally, by toggling the noscript.secureCookies about:config preference, or for specific domains only, by listing them (space or comma separated) in the noscript.secureCookiesException about:config preference.
Whenever a cookie is set over a secured HTTPS connection, NoScript forcibly flags it as "Secure" even if the server didn't. Therefore the browser won't leak it anymore over insecure connections.
Obviously this feature works always as long as it's turned on, independently from JavaScript/Java/Flash/Plugins permissions.
-
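The release note above describes the "Force Secure Cookies" behaviour in two sentences. The following is an added example, not NoScript's own code, that models it end to end: rewriting the Set-Cookie headers of an HTTPS response, honouring the two preferences the note names (noscript.secureCookies and the space- or comma-separated noscript.secureCookiesException list), and then showing which cookies the browser would still attach to a plain http request. The header parsing, the domain matching rule and the sample cookies are assumptions made for this example.

```javascript
// Added example (not NoScript's own code): model the "Force Secure Cookies" feature
// described in the release note. Preference names follow the note; the parsing,
// domain matching and sample cookies are assumptions made for this example.

// noscript.secureCookiesException: space- or comma-separated list of domains.
function parseExceptions(prefValue) {
  return (prefValue || '')
    .split(/[\s,]+/)
    .map(d => d.replace(/^\./, '').toLowerCase())
    .filter(Boolean);
}

// Attributes of one Set-Cookie line, keyed by lowercase name (flags map to true).
function cookieAttributes(setCookie) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? true : part.slice(eq + 1).trim();
    if (name) attrs[name] = value;
  }
  return attrs;
}

// Domain the cookie is stored for: its Domain attribute, else the request host.
function cookieDomain(attrs, requestHost) {
  const d = typeof attrs.domain === 'string' ? attrs.domain : requestHost;
  return d.replace(/^\./, '').toLowerCase();
}

function inExceptions(domain, exceptions) {
  return exceptions.some(e => domain === e || domain.endsWith('.' + e));
}

// Rewrite the Set-Cookie headers of one response the way the feature would.
function forceSecureCookies(setCookieHeaders, { scheme, host, secureCookies = true, secureCookiesException = '' }) {
  if (!secureCookies || scheme !== 'https') return setCookieHeaders.slice(); // only HTTPS responses are touched
  const exceptions = parseExceptions(secureCookiesException);
  return setCookieHeaders.map(line => {
    const attrs = cookieAttributes(line);
    if (attrs.secure !== undefined) return line;                            // server already flagged it
    if (inExceptions(cookieDomain(attrs, host), exceptions)) return line;  // domain is exempted
    return line.replace(/[\s;]*$/, '') + '; Secure';
  });
}

// Turn Set-Cookie lines into minimal cookie-jar entries.
function toJar(setCookieHeaders) {
  return setCookieHeaders.map(line => ({
    name: line.split(';')[0].split('=')[0].trim(),
    secure: cookieAttributes(line).secure !== undefined,
  }));
}

// Names of the jar entries a browser attaches to a request of the given scheme:
// a cookie carrying Secure is never sent over plain http, so a network hijacker
// who forces an http request to the site never sees it.
function cookiesSentOver(scheme, jar) {
  return jar.filter(c => scheme === 'https' || !c.secure).map(c => c.name);
}

// Constructed demo: a bank sets a session cookie without Secure; an ad domain is exempted.
const SAMPLE_SET_COOKIE = [
  'SESSION=abc; Path=/; HttpOnly',
  'pref=1; Secure',
  'track=x; Domain=.ads.example',
];
const SAMPLE_PREFS = { scheme: 'https', host: 'bank.example', secureCookiesException: 'ads.example, legacy.example' };
const rewritten = forceSecureCookies(SAMPLE_SET_COOKIE, SAMPLE_PREFS);
console.log(rewritten);                                  // SESSION gains "; Secure", the others are untouched
console.log(cookiesSentOver('http', toJar(rewritten)));  // [ 'track' ]
```

The exempt domain illustrates why the exception list exists: a site that sets a cookie over HTTPS but expects to read it back over http would break once the flag is forced, so such domains are listed rather than turning the feature off globally.
-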
NoScript does what you're looking for...
Yes, adding the feature to the core of Firefox would be nice...but if they did that for all the 'nice features' it'd have too much bloat. Hence, extensions.
Check out 'NoScript' - it does what you want. By default, no pages get to run scripts. You approve on a per-domain basis (so say, Slashdot is running some google code on the page - you'll have both domains as choices - allow, temporarily allow (which is handy when you don't recognize the domain), or block and don't tell me again).
http://noscript.net/
https://addons.mozilla.org/en-US/firefox/addon/722
I run it on all my installs of Firefox...this combined with AdBlock & Flashblock make for a very controlled and friendly surfing experience.
-
Re: new features not in Firefox ..
'Browser Privacy is different from "clear private data when Firefox closes" in that apparently it protects you WHILE you are browsing'
Apparently the protection consists of a white/black list of selected sites that the browser deems unsafe. Do these subscription feeds require a fee?
"Depending on your web browsing activity and sites visited, the amount of time it can take before such content is automatically blocked can vary widely. However, at any time, you can customize which third-party content is blocked or allowed though subscribing to InPrivate allow and block feeds"
privoxy noscript FoxTor ..
"I'm curious as to if that level of "private browsing" will make it into a full FF release as I believe Firefox's largest supporter (Google) wouldn't want it in. Can they use that leverage to stop it? and will they?"
I wonder, will "private browsing" work with Hotmail, or will there be exceptions buried within the app. Besides, it's irrelevant as I have full control over my computer, not Mozilla or Google .. or Microsoft :)
-
I'll Stick With Firefox 3
-
Re:Who the hell is drinking this cool-aid?
Does Firefox do something fundamentally better with respect to this issue?
Its extensions do. Think Microsoft will ever release anything as lightweight and useful as noscript? I'm not holding my breath.....
-
Re:IE8 - a browser built for porn
-
Re:They just don't get it do they
Use Firefox with the NoScript add-on. http://noscript.net/ It blocks/unblocks javascript exactly the way you want it. And makes surfing safer in general.
Another interesting add-on is CustomizeGoogle. http://www.customizegoogle.com/ It can block cookies being sent to Google Analytics and it can anonymize the Google UID.
-
Re:just like vista
I run noscript. And I don't want to visit their website after every update. I have no need to. It just pisses me off.
from http://noscript.net/faq#qa2_5
If you're a power user and you feel you don't need such heads up, you can disable this feature by opening about:config (just like it was a normal web address) and toggling off the noscript.firstRunRedirection preference.
-
RTFF
Turning that feature off is in (you guessed it!) the FAQ!
http://noscript.net/faq#qa2_5
In short, toggle the preference noscript.firstRunRedirection to false.
-
Re:just like vista
To make that risk worse, when any Firefox add-on gets updated, the browser opens that add-on's project page. For example, after updating NoScript, FF will show you a page like this so you can see the "release notes" for the latest version of the add-on. What a *perfect* place to insert a browser exploit, where everyone is forced to go.
So now you depend not only on the security of FF code, the add-on code, but the add-on's external *website* as well.
Anyone know what they were thinking, and how to turn off this feature? I trust NoScript, but I don't want to visit their website after every update.
At a minimum, viewing the add-on's website after an update should be a *default-off* option for every Firefox add-on.
-
Flashblock or NoScript
-
Re:What about Opera?
... Or you could just use NoScript...
-
Re:NoScript sounds like something that you need.
BTW, when I said "It has a very intuitive interface and is easily customizable." I was really talking about NoScript. I should have worded that better. Yes I remember Zone alarm being fairly straightforward as well with these things.
Also, NoScript blocks Flash as well. I've never tried FlashBlock, but I think it would probably be redundant if you use NoScript.
According to the NoScript Web Site: "Supported browsers: Firefox 1.5.0.6 and above, SeaMonkey 1.0.5 and above, Flock, IceWeasel, Minefield...". I was using FF 2 until a few weeks ago and it worked fine. It works just as good now that I'm using FF 3. At any rate it's easy enough to uninstall or disable if you don't like it or there are any problems.
The main link:
http://noscript.net/
The program link:
http://noscript.net/getit
-
Re:How to fix this:
Problem solved!
Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.
May I suggest a solution that's better, and doesn't leech?
Try NoScript - http://noscript.net/
It doesn't leech since static banner ads load up just fine, but NoScript blocks flash, java, and other plug-ins (PDF, etc) by default. It also disables javascript on a per-domain basis (plus detects and blocks XSS attacks).
And yet, if you want to see that YouTube video, just click the placeholder, and it'll ask if you really want to load whatever it is. For Javascript, click the icon and you can enable and disable the various scripts that may exist on a page (many across many domains). Nothing more fun than allowing javascript from the primary site, but disable javascript that loads ads and other junk.
Plus, having javascript off by default makes the web go much faster. It can always be re-enabled later on, keeping horrible CPU-wasting scripts from even running.
Me personally, I run a combination of FlashBlock + NoScript. This has a weird effect as NoScript blocks the flash, click it, and then FlashBlock blocks it, then sometimes NoScript blocks it again. Sometimes a hassle, but saves me from inadvertent clicks.
The only XSS at times I find annoying is when purchasing from sites that use Paypal. But that's simply a click, then "Unsafe Reload" (reload the page with XSS), which fixes it.
It's amazing how many sites work great with NoScript, and how many sites are so poorly coded they need javascript to handle a hyperlink.
-
Re:Solution: Options
I also have doubleclick.net marked as untrusted in noscript
-
Re:Google's information gathering techniques.
You need NoScript, it allows you to selectively enable JS on websites. It is simple, fast, and unobtrusive (although YMMV on the last). Default behavior is all scripts not explicitly enabled are disabled by default.
https://addons.mozilla.org/en-US/firefox/addon/722
http://noscript.net/
-
NoScript
With the NoScript extension for Mozilla Firefox you can block sites from loading JavaScripts.
So for example, if you go to eBay, it can't load JavaScript from Facebook.
* http://noscript.net/
Also in Firefox, you can disable cookies for sites which you have not explicitly allowed.
-
Re:slashdot editor update:
and that as far as features for the end-user are concerned, IE is just as good these days.
I despise the new version of IE. My favorite "feature" is how it starts up to that common splash screen (customize your settings or whatever it is) every time you start it and how that splash screen refuses to go away on start-up until you acknowledge it -- even if you don't want to change any of the settings. Drives me up the fucking wall every time I have to setup a new computer for someone. Can't not use IE -- need it for Windows/Office updates -- so I either have to acknowledge the stupid screen and "customize" software I'm never going to use again or deal with it opening up every single time IE is launched. What's worse is that they couldn't make it a local splash screen. Somehow customizing the settings in your web browser requires loading a page from Microsoft's servers. Makes it all the more enjoyable for dial-up/slow connection users.
And "IE is just as good these days?" Maybe from the narrow viewpoint of "out of the box" (though I would dispute even that). But AFAIK IE doesn't have near the amount of third-party add-ons available for it that Firefox does. Is there anything as useful as this available for IE?
-
Disable scripting/plug-ins by default/use NoScript
If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript, which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.
Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?
Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab or Eugene Kaspersky, but he's apparently the author of a number of books on programming and other computer subjects.
-
Re:Please say..
Well, like most of the security features Microsoft provides, IE zones are annoying and a pain to use properly. Firefox, by default, blocks most annoying Javascript behavior, but NoScript really takes it to the next level. If you ever find yourself on Firefox, you should try AdBlockPlus+NoScript. It's a pretty good combination and is very usable. See here and here for more information.
-
Re:DO NOT CLICK
-
Re:Remote images?
In which case http://noscript.net/ at least gives you a fighting chance to see WTF, at least in a FireFox context.
At work, where Mr. Softy p0wnz0rz me, I'm less concerned.
-
NoScript can block Flash even if JS is enabled
Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock, and it works on plugins different from Flash as well.
-
Re:It's just the anti-virus companies claiming tha
I hear what you're saying
... Define the list of "good" software, not the "bad", but here's a monkey-wrench at you ...
Define "execute". Are you referring to files on disk being treated as executable code? What about cases where an authorized application is buffer overflowed and patched in RAM? Your suggestions won't stop that. What about code that is interpreted, such as scripts or macros? Noscript for FF is great and all (I'm using it right now), but how many sites are 100% broken when scripts are turned off? We see countless examples of scripts today that can automate delivering a browser exploit, overflowing/patching a valid running browser process' memory and running arbitrary code. Who cares if the browser is sandboxed if everything the attacker wants is already in the browser (e.g. credit card numbers, passwords, etc.)? Don't say "same origin policy" because: A) if the browser's pwned all bets are off, and B) modern web apps (and therefore modern web malware) throw objects from several different domains into a single page in the browser. HTTP & HTML were pretty much designed to defeat Same Origin Policy.
But I agree, it's a separation of code and data problem.
-
Re:Just in time!
Use the NoScript Firefox extension and block the offending ad server. Works perfectly and it's more secure.
-
Re:Video probably prime reason...
Sounds like your ad-blocker is not very good if you're seeing all these ads and videos. My browsing experience is very serene:
http://adblockplus.org/ plus http://noscript.net/
-
Avoid bloat
NoScript is your friend. Avoid a lot of bloat (flash/javascript ads?), and adds some security
-
Re:*goes change his gmail password*
I take it you weren't using noscript.
-
NoScript offers a solution
A better solution all round to this sort of thing is to run the NoScript Firefox extension. It blocks javascript from all sites except those you specifically allow, either for a session or forever. It really does give you better security, even against 0-day exploits. It's also useful all the time for sites that like to bombard you with javascript crap like these spam sites do.
I HIGHLY recommend it to everyone that is vaguely security conscious.
-
JavaScript woes with Firefox?
http://noscript.net
No more! :)
-
Another reason why
using NoScript is a Good Idea(TM). Linking to a page with a black-white pixel gif animation on the background is still possible though, there's no risk with animations disabled as well (unless you like to scroll).
-
Re:A quick search reveals
I'm running the NoScript Firefox extension under Linux and while my retina hurts, there were no moving screens or whatnot. By default, I do not trust javascript/activex. Get NoScript and configure it!
http://noscript.net/
-
Re:Please be more forthcoming
Nearly there.
Always treat code as hostile.
Defense in depth, capabilities, least privilege, fail closed, scrub inputs, escape everything
... I think there have been a few books written on this.
In PHP's case this fellow's slender volume is quite helpful: http://phpsecurity.org/ . And http://noscript.net/
g'luck!
-
Re:I'm here too soon
...and each screen is filled with so many blinking shiney flashing ads it takes forever for each page to load... Your Firefox needs a dose of NoScript http://noscript.net/
-
Re:Opera and Camino help with flash blocking!
You can do the same thing with this Firefox plugin. It controls both javascript and flash on a per-site basis.
-
Re:Don't forget the iPhone
There's certainly room for it on the iPhone as well. Safari is all nice, but I would like adblock on it, especially on the edge network when every byte counts.
NoScript would also help in that respect.
-
Re:end of the internet
Oh, that greyed out box with the NoScript logo is a Flash movie?
Glad it got caught by NoScript rather than FlashBlock!
Yet, I wonder. Would AdBlock Plus have caught it if those two were disabled?
-
Not exactly....
Aren't Firefox plugins just Javascript?
Depends.
Firefox extensions (like the oh-so-important NoScript and AdBlock Plus, or the must-have for every /.er, Resurrect Pages) are all written in Javascript. That's what makes them portable (installable in Windows IA32 or AMD64, or Linux {whatever CPU you compiled it for}).
On the other hand, web-browser plugins (like Adobe Macromedia Flash, Sun Java, etc.) are binary code in dynamically linked libraries (DLL or SO depending on what's standard on your OS). That's why there are really serious portability problems with closed-source companies providing plugins compiled only for a handful of operating systems (often without 64-bit support).
There are two strategies :
- most of the time open-source projects use very light libraries which obtain the parameters from firefox and launch a player in a separate process that gets its output embedded inside the page display (mplayer's plugin just launches a separate mplayer session, gnash's plugin runs gtk-gnash to open the flash movie, webgcjplugin compiles and runs the java applet using gcj, moz-plugger is a universal embedder, etc...)
- whereas most of the proprietary projects try to cram everything inside a huge DLL that runs inside firefox's own process (macromedia flash, acrobat reader {BTW who does still use that piece of junk}, etc.)
As I understand it, that's one of the major reasons that Firefox can get bogged down.
The Javascript extensions play some role because the javascript engine of current Firefox isn't very fast (hopefully the integration of the Tamarin VM in some future version will help). If a user has way too many of them, the firefox experience can become slow. But most of the time, the extensions are event-driven: they usually add entries in the main menu and the javascripts are only executed when the user clicks the entry.
The other problems comes with memory leaks.
- Javascript extensions, because they are only ran on demand and because of the garbage collector, aren't subject to many leaks. But anyway really badly written code can actually degrade firefox performance and eat up memory.
- Dynamically linked web browser plugins are a completely different animal: because they run inside the browser process (unlike the open-source ones, which only launch an external process), if they leak memory, the whole firefox process will get its memory usage up and will only free the memory when the whole program is exited. Also, firefox isn't heavily multi-threaded and if some plugin freezes the whole program gets unresponsive (I've had some awful experience with acrobat and older versions of flash). Similarly crashes inside a dynamically linked library will bring down the whole process that called the function, and any exploit discovered inside flash can be used against firefox itself.
I strongly suspect that most of the memory leaks reported by users are actually due to browser plugins, because I haven't experienced any leaks even though I use several extensions, whereas I don't run closed proprietary browser plugins at all (mplayer and gnash only!) because of the awful experience with acrobat and flash.
-
Re:Damned it all