'Greasemonkey' Malware Targets Firefox
snydeq writes "Researchers have discovered a new type of malware that collects passwords for banking sites but targets only Firefox. The malware, dubbed 'Trojan.PWS.ChromeInject.A,' sits in Firefox's add-ons folder, registering itself as 'Greasemonkey,' the well-known collection of scripts that add functionality to Web pages rendered by Firefox. The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including PayPal, collecting logins and passwords, which it forwards to a server in Russia. Trojan infection can occur via drive-by download or download duping."
I wish I could use this as an excuse for all the money disappearing from my PayPal and bank accounts, but sadly I can't....
This guy's the limit!
So... this only affects Windows?
Yes, but does that mean anything? I mean, unless it also documents online sites that sell vodka, are the Russians honestly going to do anything with it?
ok, a little more information would be nice.
is this firefox only or does it affect all mozilla browsers?
Seamonkey?
Galeon?
does it affect all platforms since it's Java?
anyone know?
Yes, it is not good that there is malware targeting Firefox, but it shows that Firefox is on its way to becoming a market leader/dominator. Much like the recommendation of using antivirus on Macs, this shows that there is enough market penetration for Firefox that it has garnered the attention of malware writers.
Never punch the Greasemonkey!
But the deal on the nuclear wessel was too good to pass up. Plus my IP address was apparently being broadcast TO THE WORLD!
I would suggest that you DO NOT "Remember Passwords" and login IDs in any browser where sensitive information will ultimately be sent.
Well, this just proves that it's easier to develop for Firefox than IE. ^_^ Of course, it's a very backhanded compliment.
#fuckbeta #iamslashdot #dicemustdie
What happens if you already have Greasemonkey? Would it stop working or does the malware work fine alongside it?
It's just part of the mounting evidence that username/password combinations for banks are inherently flawed. "Something you know" can always easily be known by someone else. Bank security should (IMO) also be based on "something you have", like an ATM card.
If banks really wanted two-way authentication to work properly, they'd use a hardware device (USB-key) that had to be present in the machine to login to your account. The hardware device would be implemented in such a way to make it impossible to copy the functionality of it without physical access to it.
AccountKiller
No not funny, but it is scary how the people in the world's 2nd largest nuclear power appear to be so far beyond the normal rule of law.
I must've missed something. When did the US slip to number 2?
Russia seems to be much larger than the United States?
If you use Firefox along with NoScript you are protected from this kind of attack and many others. I highly recommend Firefox users look into this.
Yet another attempt at a classic type of malware designed to harvest web passwords has been detected...
There, fixed it for ya.
I don't think it is really fair to call it 'new' just because you haven't reported on this particular incident yet today. It is a little misleading. Glad I could help.
Want Big Business out of government? Take away the incentive and start by getting government out of big business!
Ah, physical size. Gotcha. ; )
Pluguns control YOU!
Free Martian Whores!
Will it throw chairs at me?
No, but removing Vista will.
I have been having problems only with slashdot using firefox, on multiple machines with ubuntu. Is this the bug that is causing the script to hang?
I'm not sure this is what you're referring to but in either case your post got me thinking:
Wouldn't an effective phishing defense (but not MITM) be for the RSA key fobs to have two numbers displayed instead of one, such that when you log in with the first number displayed on your fob, the bank replies with the 2nd number. If they don't match, it's likely a bogus site.
I'm sure there are technical issues to resolve to decouple the two keys to avoid a snooper / phisher from being able to guess the bank's response etc etc. But in general, if we believe it is improved security to prove I am who I say I am, then could it work the other direction as well? I also realize that for the bank's part it isn't something they have but still something they know, but still at least it is something they know that changes such that a phisher won't know it [shrug]. I also get the feeling it might be more robust for the bank to provide a code first, but the bank would still first need to know who you are (simple username I guess) to present the code specific to your FOB; then you can feel confident that you are talking to your bank before you send out your code.
And perhaps this would help with a MITM attack since they might have to get the bank's response right as well [shrug].
If you can't be good, be good at it!
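The two-number scheme described in the post above, worked through as an added example (it is not code from the poster, from RSA, or from any bank). It assumes a seed shared between fob and bank at enrollment, an HOTP-style counter, and HMAC-SHA256 with two domain-separation labels ("user" and "bank", my choice) so that a snooper who sees the user's number learns nothing about the bank's reply for the same counter. The window size, the username and the seed are constructed values.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def derive_code(seed: bytes, counter: int, label: bytes) -> str:
    """HOTP-style dynamic truncation over HMAC-SHA256(seed, label || counter).
    The label decouples the two code streams: the user's code and the bank's
    reply for the same counter are independent outputs of the PRF."""
    mac = hmac.new(seed, label + struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Fob:
    """The user's token: each press shows (my code, the reply I expect from the bank)."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self):
        c = self.counter
        self.counter += 1
        return derive_code(self.seed, c, b"user"), derive_code(self.seed, c, b"bank")


class Bank:
    """Server side: per-user seed and next expected counter, with a small
    look-ahead window (constructed value) to tolerate accidental presses."""

    WINDOW = 5

    def __init__(self):
        self.users = {}  # username -> [seed, next_counter]

    def enroll(self, username: str, seed: bytes) -> None:
        self.users[username] = [seed, 0]

    def login(self, username: str, user_code: str):
        """Return the bank's reply code for the matching counter, or None if rejected.
        A matched counter is consumed, so a captured code cannot be replayed."""
        entry = self.users.get(username)
        if entry is None:
            return None
        seed, next_counter = entry
        for c in range(next_counter, next_counter + self.WINDOW):
            if hmac.compare_digest(derive_code(seed, c, b"user"), user_code):
                entry[1] = c + 1
                return derive_code(seed, c, b"bank")
        return None


def user_checks_site(expected_reply: str, reply) -> bool:
    """The rule from the post: the site is trusted only if its reply equals the
    fob's second number."""
    return reply is not None and hmac.compare_digest(expected_reply, reply)


def run_scenario(seed: bytes) -> dict:
    """Exercise the protocol: genuine login, bogus site, replay, and a second press."""
    bank = Bank()
    bank.enroll("alice", seed)  # constructed username
    fob = Fob(seed)

    # 1. Genuine bank: its reply matches the fob's second number.
    user_code, expected_reply = fob.press()
    genuine_accepted = user_checks_site(expected_reply, bank.login("alice", user_code))

    # 2. Bogus site: it has the username and the captured user code but not the
    #    seed, so it can only guess. Constructed here as the adjacent value so the
    #    outcome is deterministic; a real guess fails with probability 1 - 10^-6.
    bogus_reply = f"{(int(expected_reply) + 1) % 10 ** DIGITS:0{DIGITS}d}"
    bogus_site_detected = not user_checks_site(expected_reply, bogus_reply)

    # 3. Replay of the already-consumed user code is rejected by the bank.
    replay_rejected = bank.login("alice", user_code) is None

    # 4. The next press still works because both counters advanced.
    user_code2, expected_reply2 = fob.press()
    second_press_accepted = user_checks_site(expected_reply2, bank.login("alice", user_code2))

    return {
        "genuine_accepted": genuine_accepted,
        "bogus_site_detected": bogus_site_detected,
        "replay_rejected": replay_rejected,
        "second_press_accepted": second_press_accepted,
    }


if __name__ == "__main__":
    print(run_scenario(b"constructed seed, provisioned at enrollment"))
```

The poster's "(but not MITM)" caveat holds here as well: a relay that forwards the user's code to the real bank and passes the genuine reply back would satisfy the check, because nothing in the two numbers binds them to the site the user is actually talking to. What the scheme does buy is that a static phishing page, or one that has only captured codes, cannot produce the second number.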
Firefox was written so all addons had to come from addons.mozilla.org. How is such a drive by download even possible?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
I would think it is FAR easier to write malware for Firefox than IE since Firefox has a huge community of mod-installers.
Take that Firefox fanboys, now shut the hell up and realize you're vulnerable too.
"but it's open source - that means its secure"
It is not clear whether Firefox actually has a vulnerability that allows such drive-by downloads, or if IE or other browsers with a vulnerability might allow a drive-by download that attacks Firefox. Anyway, if the user downloads bits from the net and executes them voluntarily, there is nothing one can do to protect such an activity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
What is an "add-ons" folder? I don't see one in my Firefox directory. You mean the extensions folder? Or the plugins folder? Or the modules folder?
and i've always been derided as a microsoft fanboy. when i think its just common sense:
the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare
you can try to make something as secure as possible, but if the incentive is high, hackers can always pay attention to security way more than you do, and find holes you did not anticipate, no matter how subtle
if something is full of security holes, it won't be hacked, if its market share is tiny
meanwhile if something is ironclad, it will still be hacked, if its market share is huge. the incentive to find holes is so high, the most esoteric avenues of investigation are explored
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
That's it....I'm switching to IE!
my site of misleading and incorrect information!
According to the description, you have to get infected with some other malware first which would then stuff this thing into Firefox's folders and hook it in by manipulating the configuration. So my first thought is that the primary risk is (yet again) Windows users. They're the ones who'll be the targets of the initial malware. Even if you're a Windows user, if you aren't already having a problem with being regularly infected by malware you aren't at great risk. And if you are currently being regularly infected with malware, one more probably isn't your biggest problem. So a lot of sound and fury, signifying nothing we didn't already know and presenting no risk we haven't had for years.
Anyone have an actual link to something on how to see if you are infected and how to correct it????
Just keep popping up a dialogue box (with no way to stop it or switch to another tab) until the user gives in and says yes.
So is that the "drive-by download" method mentioned in the article? If so, the means to protect yourself are:
When it happens, hit ctl-alt-delete to get your task manager up, find firefox, and kill that task. If that doesn't work, restart your computer. Either way, don't go to that site again.
These instructions aren't great, of course, but they will work.
Russia seems to be the largest country in the world.
Would this attack style apply to any Firefox platform - Linux, Mac, Windows? As I understand it, FF plugins are mostly written in Javascript. Even on more secure platforms like Mac and Linux, each user has access to his own FF plugins directory, so if any malicious code were to be executed as him, it could presumably write this "plugin" into that user's FF settings directory.
http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html
Not sure whether this should be considered a compliment, but to me it indicates that FF matters. It has enough market share for criminals to target.
Unfortunately not many details on this exploit: is it really an exploit in FF (for the drive-by download)? Or is it more like a trojan (for the download duping)?
Can't be physical size, Canada's a nuclear power and bigger than the US as well.
The problem with USB keys is that you have to install a client to handle the PKCS #11 with the browser. No bank wants to get in the business of telling customers to install software (and all the help desk problems that come with it).
OTP tokens have been the preferred method for consumer strong authentication, but only consumers in Europe seem to have taken to them. I don't really see people lining up to get the PayPal OTP token.
That is the important part. I am betting it doesn't happen through any flaw in Firefox (sounds like maybe a downloadable executable which looks for and then infects Firefox), but the article doesn't say.
You register an authenticator with your account and every time you go to log on you have to key in the number the authenticator shows you.
Much easier than anything needing to be plugged in, and as such it can work with any device that could access the login page.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Linux has 0.8% market share!
Though that's counting me and my beard of unusual size, so take it as you wish.
"This latest e-threat - called Trojan.PWS.ChromeInject.A - is intended to be delivered onto a compromised computer system by other malware"
SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
TECHNICAL DESCRIPTION: It drops an executable file (which is a Firefox 3 plugin)
Does that mean it's Windows only ?
davecb5620@gmail.com
Why does anyone still do banking via PIN/TAN or normal passwords? My chip-card reader did cost 30 and has a numeric keypad on it. I never have to input any banking data via anything other than that device, which goes straight to the Java applet via a public key encryption system, and then to the bank via FinTS.
I hope I can upgrade to a class 3 or 4 reader soon.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Can we now blitz the collecting server with millions of bogus account records? Enough to make it not worthwhile trying them to find the good ones?
It doesn't "target Firefox", it targets "Firefox on Windows 32 systems" This does not affect Linux, Mac, or other systems. Ehud
Can this thing install if you have already loaded Greasemonkey?
Spyder
"the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare"
Then why go to the trouble of writing one for a browser with such a low market share? I mean, how many bank accounts are accessed under Firefox?
Yes.
I just don't trust anything that bleeds for five days and doesn't die.
Stallman, is that you?
Anybody want my mod points?
Last time I mentioned FF's woefully unprotected password list, I got marked down as a troll (cheers, fanboy moderators).
And yet here we are, with an exploit - *so what* if it can only run on a compromised machine, us geeks will catch-and-kill it but the chairman of your company won't when he installs FF at home 'because his son said it's the best'.
It's only gonna get worse - and once everyone's browsers have the same risk level, we can concentrate on developing for/ supporting multiple-browser installs and everything that entails while the format war plays out.
Deja Vu, anyone?
You can download a fix for it here.
This is not an exploit, this is a payload like a rootkit that targets Firefox... after your computer has already been compromised.
I would be surprised if there ISN'T a similar payload targeting IE delivered by the same malware.
"the majority of bugs and spyware and crap out there now is obviously written by people without much talent"
i'm not saying the guys doing this are good, or deserve anything but jailtime/ fine/ etc
but they certainly are not stupid
meanwhile, by thinking they are stupid, you are displaying an unhealthy amount of arrogance and hubris
do you know what it takes to find a hole in a system and exploit it?
you have to surpass the minds of those who have already given the area a lot of thought
Who needs this headache; not me. I'm going back to IE.
As for the people who write these programs, they need to be PUT TO DEATH.
Seriously, if you want to steal from me, come to my house. I promise to make it a fair fight. ;)
Agree. Can we get people to take signature verification more seriously now? There have been a number of Firefox extensions, including some well-known, well-used ones, that are unsigned. (I can't remember if Flashblock, Adblock and NoScript are among them.) Is it a big hassle to sign the extensions? (This is not a rhetorical question; I really would like to know.)
You know how Kaminsky found this glaring bug in the DNS system that people have been using for ages, and people said, "What!? How could such a huge flaw go for so long with no one saying anything?" Well, right here we have a glaring flaw in the Firefox extension system. Firefox is a vector for extension malware. I'm saying it now.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
TFA says that on Windows it registers itself as Greasemonkey. What does it register itself as on OS X/Linux? And what if Greasemonkey is already installed?
Read the article. Most of your 'insightful' comment applies to Windows and piggy-backing on a Windows exploit. The other OS's you mention (ie: not Windows) would be exploited by ignoring the FF warning dialog about installing untrusted add-ons and installing it anyway (not so much an exploit).
That said, if you're done being cheeky: software is complicated. Bugs are a simple reality and inevitably lead to some kind of exploitability. But Linux and Mac (along with FF and numerous other open tools) get a bit of credit for implementing basic controls (accounts with privilege separation in the OS's) and responding quickly and proactively.
Windows is only now trying it, but their implementation is so cumbersome it's defeating its own purpose.
Any Vista users out there who haven't already tried it: there are several open source sudo for Windows implementations that make using non-privileged accounts more viable. I think I use Sudowin, which seemed to work the best for me, but I'm not on my home computer.
Quack, quack.
if they had identified the server that it tried to contact, either by hostname or IP address, so that those with the capability to do so, could block connectivity to it from their network(s) and/or customers. ISP's could add a simple ACL to a router, home users might put a 127.0.0.1 entry in /etc/hosts, etc.
Of course one thing they completely left out was if this 'plugin' ran only on Windows Firefox or if other platforms were susceptible as well.
And quite frankly, if that host was providing some legitimate service that doing this ended up blocking, well, oh fucking well. Keep the thieves off your network and you can avoid that type of problem.
Another option of course, (for individuals and private/company networks, but probably not so for commercial ISP's) would be to just null-route the entirety of Russia (using blackholes.us), and then selectively override individual address spaces as and if needed.
Yeah, but that 0.5% has crazy phat loot from not being ripped off by the windows only malware
No, he would have said GNU/Linux.
English is not this
Wow, a whole slew of other people have replied and still nobody else figured out that the 2nd largest nuclear power, whose people appear to be so far beyond the normal rule of law, refers to Russia.
Recall that the rogue server that's collecting the login credentials is located in Russia...
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Oh good, I'm safe then, it's a Firefox 3 plugin - won't work in my Firefox 1.5.x. Another good reason not to upgrade - security is worse in the new version.
The Truth is a Virus!!!
Trying hard to get that extra market share?
Nowhere in the article summary nor the article does it even mention this until you go to the other link about where it is installed, obviously Windows.
$*((&^&& once again the bait and switch!
I really wish dumbass Mozilla would just give a software product they distribute that runs on operating systems other than Windows a different name and be done with it. A Corvette is NOT a Camaro even though Chevy builds both and they have a similar engine and transmission, but they are different and have different names. This is common throughout industry to separate products even within the same class, except with software! This is crazy! Crazy and lazy, how hard is it to just pick a different damn name?
This is getting old.
They are not the same products, and they run on different operating systems. They are "similar" products but not the same, they should have a different name up front (and a huge airgap between windows devs and every one else, damn windows is the premier cootie vector).
Actually what would be even better, what has been needed for a long time now, is a new from scratch web browser (not from mozilla) that is designed and developed for open source operating systems by license fine detail *only*, and let Microsoft and their stealth client company SCO, err I mean Mozilla deal with Windows software and those bugs and sploits.
The messed up thing is that Greasemonkey is being offered through Mozilla as an add-on. Would this version be infected as well? http://addons.mozilla.org/en-US/firefox/addon/748
Actually, I'd guess that the probability of finding people who do online banking is probably higher among the geek community.
I should be safe then. My financial websites never worked properly with Firefox. I wish that were a joke :-/
SO Paypal is one...Paypal offers, for $5.00 a token that would defeat this kind of attack. Of course all banks should offer such a service. However - it would be nice to know how we can get detailed info on the exact banks that are targeted by this.
Ya know, like "being loose".
GNU is the other 99.2%.
NOTE: I'm enjoying the general idea of these jokes; not the fact that some of them are targeting Stallman, who is a great guy and a visionary, that most of us wouldn't be doing what we're doing without.
A certificate-based login (which you can play with at www.cacert.org) would solve this problem. When you initially set it up with your bank, they should require gobs of information proving your identity (full card number, CCV, address, social security number, and last ATM transaction data should suffice), and then they'll let you generate a key for your browser. This easily qualifies as "something you have" for two-factor authentication without needing anything silly like a USB key that would cost the bank money on a per-key basis in time and resources. (Footnote: This isn't as well documented as it should be; your best bet is to play with cacert.org's free implementation. There's tidbits of it in Wikipedia's TLS article, and cacert's wiki has a decent Client Certs page that says a little more.)
After that, you'll need that key plus the tools already employed. Most banks these days already have interesting ways to prove their own identity to you (they supply you with an image and some secret text you agreed upon earlier), then they have some clever input mechanism that tries to bypass keyloggers and javascript hacks.
Also recall that banks are VERY good about locking your account; a properly protected four-digit number is actually secure enough if you're only allowed two failed logins per day (regardless of source) since the code would take up to 5000 days (13+ years) to crack, and I'm sure there are further safeguards for that kind of case.
To banking software firms: I would immediately switch* to an online bank that performs this configuration. So would others. Don't forget: people like me are consulted regularly by family and social networks for advice about this very topic. (* Assuming the bank is FDIC/NCUA-insured, otherwise well-received and regarded, and fully pays for a few ATM usage fees each month).
Use my userscript to add story images to Slashdot. There's no going back.
LMFAO! Shut the fuck up twitter... you are the sockpuppet and you're pissed off at everyone else for calling you one. In fact, the link for Hairyfeet who you call a sockpuppet is a link to YOUR response to him...
Seriously... how old are you? 15? Grow the fuck up already
China is also nuclear and bigger than the US. Certainly population wise, and the physical size is arguably bigger.
1. it just sounds cool
2. sometimes in scrabble, you need to get rid of a lot of Is
language isn't a top-down authoritarian function, it's trickle-up from the bottom
therefore, here in this thread, based on my authority of having none at all, i hereby announce "virii" to be a valid word in the english language
use it profusely, use it constantly, use it anywhere
and in such a way, make it a valid word
motion has passed
"Trojan.PWS.ChromeInject.B" is definitely only effective in Windows, because it installs and executes these files:

"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"

browser.js calls the DLL file, which can't run in Linux, etc. unless you're running a WINDOZE Firefox via CrossOver (which would be insanely stupid). Also, since it's installed into the program directory (rather than the user's profile), VISTA will almost certainly make you click for "administrator confirmation" before writing the files. (I don't know for sure, because I don't have VISTA.)

When I enter the URL for http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.A.html#, the page content is identical to the version for "Trojan.PWS.ChromeInject.B" (even the given name is "Trojan.PWS.ChromeInject.B"; either they over-wrote the ChromeInject.A page by accident, or ChromeInject.A isn't spreading in the wild AND has nearly identical characteristics, perhaps differing only in file sizes.)

BitDefender provides the following list of banks on their page for this version, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html: "It filters the URLs within the Mozilla Firefox browser and whenever it encounters the following addresses opened in the Firefox browser it captures the login credentials."
akbank.com caixasabadell.net credem.it areasegura.banif.es banca.cajaen.es openbank.es poste.it banesto.es carnet.cajarioja.es gruposantander.es intelvia.cajamurcia.es net.kutxa.net bancopastor.es bancamarch.es caixamanlleu.es elmonte.es ibercajadirecto.com bancopopular.es bancogallego.es bancajaproximaempresas.com caixa*.es caja*.es ccm.es bancoherrero.com bankoa.es bbvanetoffice.com bgnetplus.com bv-i.bancodevalencia.es clavenet.net fibancmediolanum.es sabadellatlantico.com arquia.es banking.*.de westpac.com.au adelaidebank.com.au pncs.com.au nationet.com online.hbs.net.au www.qccu.com.au boq.com.au banksa.com anz.com suncorpmetway.com.au quiubi.it cariparma.it bancaintesa.it popso.it fmbcc.bcc.it secservizi.it bancamediolanum.it csebanking.it fineco.it gbw2.it gruppocarige.it in-biz.it isideonline.it iwbank.it bancaeuro.it bancagenerali.it bcp.it unibanking.it uno-e.com unipolbanca.it carifvg.com cariparo.it carisbo.it islamic-bank.com banking.first-direct.com natwestibanking.com itibank.co.uk co-operativebank.co.uk lloydstsb.co.uk mybankoffshore.alil.co.im abbeynational.co.uk mybusinessbank.co.uk barclays.com online.co.uk my.if.com anbusiness.com hsbc.co anbusiness.com co-operativebankonline.co.uk halifax-online.co.uk ibank.cahoot.com smile.co.uk caterallenonline.co.uk tdcanadatrust.com schwab.com wachovia.com bankofamerica kfhonline.com wamu.com wellsfargo.com procreditbank.bg chase.com 53.com citizensbankonline.com e-gold.com paypal.com usbank.com suntrust.com banquepopulaire.fr onlinebanking.nationalcity.com
sorry about the formatting, I should have used preview! Per above, it definitely is Windows-only.
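An added example, not code from the thread or from BitDefender: a small Python check for the two indicator files quoted in the post above and in the earlier SYMPTOMS / TECHNICAL DESCRIPTION excerpt (`plugins\npbasic.dll` and `chrome\chrome\content\browser.js` under the Firefox install directory). It takes the install directory as a parameter rather than assuming `%ProgramFiles%\Mozilla Firefox`, since, as another reply notes, Firefox may be installed elsewhere. The fixture builder creates empty placeholder files in a temporary directory so the check can be exercised offline; those placeholders are constructed and are not malware samples.

```python
import os
import tempfile
from pathlib import Path

# Indicator files quoted from the BitDefender write-up, relative to the
# Firefox install directory.
INDICATORS = (
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
)


def default_install_dir() -> Path:
    """Stock Windows install location. %ProgramFiles% only exists on Windows, so
    the literal fallback is used when the check runs elsewhere (e.g. on a mounted
    disk image); pass an explicit directory in that case."""
    return Path(os.environ.get("ProgramFiles", r"C:\Program Files")) / "Mozilla Firefox"


def find_indicators(install_dir) -> list:
    """Return the indicator paths (relative, POSIX-style) present under install_dir.
    Only regular files count; a directory with the same name is not an indicator."""
    base = Path(install_dir)
    return [rel.as_posix() for rel in INDICATORS if (base / rel).is_file()]


def assess(install_dir) -> str:
    """Turn the scan result into a one-line verdict a help desk can act on."""
    found = find_indicators(install_dir)
    if not found:
        return "clean: no ChromeInject indicator files present"
    return "suspicious: found " + ", ".join(found)


def build_sample_install(root, infected: bool) -> Path:
    """Constructed fixture: a fake 'Mozilla Firefox' directory, optionally holding
    the two indicator files as empty placeholders (not real samples)."""
    install = Path(root) / "Mozilla Firefox"
    (install / "plugins").mkdir(parents=True, exist_ok=True)
    if infected:
        for rel in INDICATORS:
            (install / rel).parent.mkdir(parents=True, exist_ok=True)
            (install / rel).write_bytes(b"")
    return install


def scan_sample(infected: bool) -> list:
    """Run find_indicators against a freshly built fixture in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_indicators(build_sample_install(tmp, infected))


if __name__ == "__main__":
    target = default_install_dir()
    print(f"{target}: {assess(target)}")
```

Run it as-is on a Windows box to check the default location, or call `assess(r"D:\Apps\Mozilla Firefox")` (a constructed path) for a non-standard install. A match on either file is worth escalating, because the write-up says the trojan is dropped by other malware already on the machine, so the Firefox payload is rarely the only thing present.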
Just go to the URL, http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html
You might think it's common sense that marketshare is all that matters, but we hammered this out years ago when comparing attack rates on IIS vs Apache.
Obviously marketshare is a factor. Ease of infiltration is another factor. A more popular platform will be attacked less if the chance of success is lower, because at the end of the day going after the weaker but less popular platform can still net you more compromised systems. If you only look at desktop browsers and OSes, you might not think this is the case, but that's only because right now the most popular program and the most vulnerable program are the same, and that the up-and-coming browser can only claim to be better than the most popular one on security issues, not actually good.
In any case, common sense should not be telling you that the security of the program doesn't affect the number of hacks and viruses. Making the reasonable assumption that all code contains some number of bugs does not in any way imply that they are equally prevalent or equally easy to find in any given program, or that the time to discover the bugs is always the same and dependent only on desire. Exploring esoteric avenues of investigation because the incentive is so high does not guarantee a timely result. If it takes substantial time and effort to find an exploit, which is then fixed, requiring another substantial effort to find another exploit, then it may not be in the hacker's interest to go after this target versus a lower-profile one where exploits can be found faster and more frequently in spite of bug fixes.
Put succinctly: "the amount of hacks and viruses and malware on an os/ browser has absolutely nothing to do with anything other than marketshare" is trivially wrong, at its simplest you could say that the number of hacks and viruses is related to (marketshare * vulnerability).
The enemies of Democracy are
When I signed up for Wells Fargo's security safe thing, one of the options was one of those keyfob things, which they will also sell you.
All the security in the world will not keep paypal from fucking your account over and freezing your funds. Just go to paypalsucks.org or some similar site and read the horror stories. The fact that these scammers have gone on for so long without having to conform to normal banking standards is simply beyond belief. At least ebay is now finally letting third parties in on the payments.
zosxavius photography
So, even though I do all my computing as a normal (regular, limited, non-admin) user, and I have NoScript installed, am I still vulnerable to this?
And we would have noticed the awful stench before he even hit "Submit". I like to think that the other poster actually takes showers.
So now Slashdot is running ads for Bitdefender disguised as stories? For shame...
SYMPTOMS: Presence of the: "%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
Does this mean that it can be avoided by not putting Firefox on your "c" drive?
Actually, yes, it is a big deal. Just like ActiveX, signatures have to be signed by a certificate issued by a "trusted" authority. Which means paying $400 to Verisign or some other such agency.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Stallman... is a great guy and a visionary, that most of us wouldn't be doing what we're doing without.
Stallman, is that you?
Besides, it's well known linux users have no money. If they did, they wouldn't be using linux, wouldn't care about beer only being free, and would have real women, not the blow up kind with the round red lips.
Silly mods, that's not +Funny, it's +Insightful!
I've had it. Viruses, malware, spam. A lot comes from Russia and China.
Time to let them go. Let them infect their own internet.
Privacy is terrorism.
And the geeks are most unlikely to install malware ..
There should be legitimate botnets out there that are used to attack sites like the one collecting the information. Either send them so much false information that getting real info out of it is difficult, or denial-of-service them.
Interesting idea... though if Firefox is installed in a non-standard location it's still probably identified in the Windows Registry and as such it'd be technically possible to locate the install and put the files in the correct location. I have no idea whether the malware is smart enough to actually do that...
There, fixed that for ya.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
mod down
"javascript:for(var a=document.getElementsByTagName("input"),i=0;i - by clone53421 (1310749) on Thursday December 04, @12:04PM (#25990715)
Javascript is a "double-edged sword" that can help you, on sites where data access is needed for FULL functionality (e-commerce/online shopping &/or banking online come to mind here, for actual usefulness, not just "menuing eye-candy" type stuff, that you CAN make do without easily for the most part)...
Recommendation (especially out here online, nowadays, due to javascript being misused in site content, and even adbanners (plus via HTML email & even in Adobe .pdf readers)?
Cut javascript usage off, & only restrict it to sites that demand and actually USE javascript, usefully!
That is so you can @ least cut the down surface area possible used in attacking you (which you leave WIDE OPEN leaving javascript running on EVERY site you visit online, for - you wouldn't even be able to ID easily, what site poisoned your machine because of it... now, leave it restricted a FEW sites only? You can probably ID which one bushwhacked you, faster).
Anyone here is free to verify THAT statement/correction of the person I quoted of mine, over @ SECURITYFOCUS.COM &/or SECUNIA.COM (as 2 security based websites that track that type of information), anytime, to check its veracity, as to what is being used the MOST nowadays & for YEARS now, to attack you (javascript).
Also - cutting off the indiscriminate & wholesale use of javascript on EVERY site you visit? Will speed you up, considerably & noticeably, by simply NOT using it on every site you go to, where you may not REALLY need to use it, period especially...
Above ALL else? FIX THAT JAVASCRIPT DOM (document object model)...
Nevertheless I agree with the statement that was made that javascript is trouble and a double edged sword that can help but also harm, capital letters used or not.