Just 3 of the many reasons why I’m seriously considering shipping the next NoScript versions with Forbid Macromedia® Flash®, Forbid Microsoft® Silverlight™ and Forbid other plugins checked by default in the Plugins options panel, as already happens for Java™:

  1. A QuickTime RTSP Response vulnerability is being actively exploited in the wild.
  2. Programming errors in Flash or Silverlight applets can be as exploitable as traditional XSS/CSRF, if not more so, whether or not the plugin itself is vulnerable. If the recent attack on RSnake failed, it’s most likely because he had NoScript configured to block Flash even on his own site. That is not as impractical as it may sound: in fact, you can select Apply these restrictions to trusted sites as well and enable multimedia clips or applets individually, on the fly, with a click on their placeholder — that’s exactly what I do, by the way.
  3. As Pasqual Meunier of CERIAS put it,
    Fully functional PDF viewers are now about as safe and loyal (under your control) as your web browser with full scripting enabled. That may be good enough for some people, but clearly falls short for risk-averse industries.
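
To make reason 2 concrete, here is an added example that is not part of the original post and not code from NoScript: the kind of applet programming error that becomes XSS with a perfectly patched plugin, namely a click-through SWF that navigates to a URL handed to it through FlashVars. The ActionScript 2 original would be getURL(_root.clickTAG); the JavaScript below mirrors that logic so it runs outside a plugin. The clickTAG parameter name and the host names are assumptions for the example.

```javascript
// Added example, not NoScript's code: a FlashVars-driven click-through
// target, in its vulnerable form and with the check it should have had.
// The parameter name clickTAG and the hosts are assumptions.

// Parse "k=v&k2=v2" FlashVars (URL-encoded) into an object.
function parseFlashVars(query) {
  const vars = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const v = i < 0 ? "" : decodeURIComponent(pair.slice(i + 1));
    vars[k] = v;
  }
  return vars;
}

// The vulnerable pattern: navigate to whatever the embedding page supplied.
// An attacker embeds <object data="https://victim.example/banner.swf"> on
// a page of their own with FlashVars="clickTAG=javascript:..." and, on the
// click, the script runs in victim.example's origin. No plugin bug needed.
function clickTargetVulnerable(vars) {
  return vars.clickTAG || "";
}

// The hardened check: only absolute http(s) URLs, no embedded credentials,
// and optionally only hosts on an allow-list. The WHATWG URL parser strips
// the tabs, newlines and leading blanks browsers also ignore, so
// "java\tscript:" and " javascript:" are classified correctly as scripts.
function safeClickTarget(raw, allowedHosts) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let u;
  try {
    u = new URL(raw);             // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null; // http://good@evil
  if (allowedHosts) {
    const host = u.hostname.toLowerCase();
    const ok = allowedHosts.some(h => host === h || host.endsWith("." + h));
    if (!ok) return null;
  }
  return u.href;
}

// Constructed sample inputs: one legitimate target and the usual tricks.
const SAMPLES = [
  "http://ads.example.com/click?id=1",
  "javascript:alert(document.cookie)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "http://ads.example.com@evil.example/",
  "https://evil.example/",
  "data:text/html,<script>alert(1)</script>",
];

// Returns [input, accepted-or-null] pairs; only the first sample survives.
function demo() {
  return SAMPLES.map(s => [s, safeClickTarget(s, ["ads.example.com"])]);
}
```

The same few lines, written in ActionScript, are what the applet author owed the users: the plugin executes the applet faithfully, so a missing scheme check in the applet is as much a web vulnerability of the site hosting it as a reflected XSS in its server-side code.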

Update:

Another good reason to keep Flash off by default.

Update 2:

And another… ;)

Update 3:

Oops! :P

Update 4:

I did it, in the end. NoScript now blocks all plugins by default on untrusted sites, and you can optionally extend these restrictions to trusted sites as well.

45 Responses to “Plugin Security, Plug Insecurity”

  1. #1 Alan Baxter says:

    Apply these restrictions to trusted sites as well and enable multimedia clips or applets individually, on the fly with a click on their placeholder — that’s exactly what I do, by the way

    Thanks for the advice. I’ll try it out.

  2. #2 Nan McIntyre says:

    Vote 1 for disabling all plugin action by default.
    With placeholders, there’s no need for any unsafe stuff to be run until the user can vet the site.

    I go to a public broadcaster where I once would have trusted all operations.
    Within the past month, the website has become a mess of beta players and me-too content that makes it feel more like an untrusted site.

    Easy to restrict all plugins and allow content as needed.

  3. #3 Dan says:

    I vote for blocked by default, as this is how I use NoScript anyway.

    I do however have an issue whereby loading a video or swf directly with these options enabled results in an object that can never be activated, which would suck to have by default.

  4. #4 Giorgio says:

    @Dan:
    Could you report a test-case, including website URL where you run into this “unactivable object” issue?
    Please do so by email or posting on the Mozillazine Forum thread for current NoScript version

  5. #5 Brian says:

    In your advisory for the latest version of NoScript (1.1.9), you mentioned that you were considering shipping the next NoScript versions with the Forbid [plugin] options enabled by default.

    I think that checking these options as a default is a good idea; it will enhance security for users who don’t look that closely at the configuration options, and it will make installing NoScript more convenient for users like me who do go in and check those options.

    Since desired content can still be accessed with a click, this extra level of security comes with a minimal cost to those who wish to live a bit more dangerously.

    Thanks for all your hard work on NoScript - it’s the strongest argument I have for using Firefox.

    -Brian

  6. #6 Casey says:

    Since you mentioned PDF readers, check out Sumatra PDF: http://blog.kowalczyk.info/software/sumatrapdf/

    It’s stupidly simple, but works quite nicely. So far I’ve only come across one document that I needed to use Adobe Acrobat to read it, but that appears to be a rarity.

  7. #7 Chris says:

    Why would it not be a good idea to enable these additional blockers by default? In the absence of compelling arguments, I’ll vote to enable them, please. And thanks for this utility, it’s awesome!

  8. #8 boteman says:

    I agree, block everything by default. Those who are unaware will be unaware anyway. Those who know better will allow only those modules of interest. Opt-in is better than opt-out, since sometimes it is too late to opt-out.

    By the way, the recaptcha.net challenge script was blocked and until I realized this I found no way to answer the challenges. Something to keep in mind. We shall see if the world sees this comment submission. Thank you.

  9. #9 Ix says:

    I agree with everything being blocked by default too. I’m seeing a lot more people using FF and some just assume that they’re now magically safe. With my family and friends they at least know that FF isn’t magically safe, but after installing no-script they balk at the need to actually change anything in its options. It’s a great add on to mozilla, but I think it would be better to automatically block everything and let the users change their options if they want to be less safe.

  10. #10 Kevin Whitefoot says:

    I’m happy for plugins to be blocked by default but I’m not sure everyone else will be especially for Flash. Perhaps a couple of predefined choices should be provided.

  11. #11 Angus S-F says:

    I like the idea of having plugins blocked for untrusted sites by default.

    I also suggest you ship NoScript with “Enable Scripts Globally (dangerous)” UNCHECKED — there’s no reason for most users to even know that option is available. In fact, why even have that option? Just disable NoScript in the Add-ons menu.

    I would like a way to lock down NoScript for users on networks. If you could figure some way to password-lock NoScript’s “Global” option, that would be great!

  12. #12 Giorgio says:

    @Angus S-F:
    You can already lock down NoScript for network users.
    The following sample file can be found inside the XPI file if you unarchive it with a zip utility.
    It should be self-explanatory after you read this preference locking how-to, but I’ll write down a “Locking NoScript” tutorial as soon as I’ve got one minute to breathe…

    // sample configuration to lock whitelist using the method explained here:
    // http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/

    // you'd better copy the site list from the "capability.policy.maonoscript.sites"
    // key in the prefs.js file found in a test profile
    lockPref("noscript.default", "informaction.com http://informaction.com https://informaction.com flashgot.net http://flashgot.net https://flashgot.net noscript.net http://noscript.net https://noscript.net");

    lockPref("noscript.ctxMenu", false); // hide context menu
    lockPref("noscript.statusIcon", false); // hide statusIcon
    lockPref("noscript.notify", false); // hide notification bar
    lockPref("noscript.lockPrivilegedUI", true); // disable DOM Inspector and Error Console (which may be used to programmatically unlock the prefs)
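
An added example, not part of the comment above and not NoScript's own tooling: a small generator for the two files the autoconfig mechanism in that sample needs. The preference names are the ones quoted in the sample (plus noscript.showGlobal, mentioned further down in this thread); the file layout, mozilla.cfg in the Firefox program directory and defaults/pref/local-settings.js pointing at it, is the standard Mozilla autoconfig arrangement; the host list is constructed.

```javascript
// Added example, not NoScript's code: emit mozilla.cfg and local-settings.js
// for locking NoScript's whitelist on managed machines. Pref names are from
// the sample above; file locations follow Mozilla autoconfig; hosts are
// constructed for the example.

// JSON.stringify gives a correctly escaped, straight-double-quoted JS string
// literal. Curly quotes (as a blog or word processor may paste in) make
// mozilla.cfg a syntax error, after which Firefox locks nothing at all.
function jsString(s) {
  return JSON.stringify(String(s));
}

// NoScript's whitelist is one space-separated string; the sample lists each
// site bare and with explicit http:// and https:// forms, so do the same.
function whitelistEntries(hosts) {
  const out = [];
  for (const h of hosts) {
    const host = h.trim().toLowerCase();
    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) throw new Error("bad host: " + h);
    out.push(host, "http://" + host, "https://" + host);
  }
  return out;
}

// mozilla.cfg: Firefox skips its first line, so that line must be a comment.
// Every lockPref needs name AND value; a one-argument call locks nothing.
function buildMozillaCfg(hosts) {
  return [
    "// mozilla.cfg - generated; Firefox ignores this first line",
    `lockPref("noscript.default", ${jsString(whitelistEntries(hosts).join(" "))});`,
    'lockPref("noscript.showGlobal", false); // no "Allow Scripts Globally" entry',
    'lockPref("noscript.ctxMenu", false); // hide context menu',
    'lockPref("noscript.statusIcon", false); // hide status icon',
    'lockPref("noscript.notify", false); // hide notification bar',
    'lockPref("noscript.lockPrivilegedUI", true); // no DOM Inspector / Error Console',
    "",
  ].join("\n");
}

// defaults/pref/local-settings.js tells Firefox where the locked config is.
// obscure_value 0 means mozilla.cfg is plain text; the default (13) expects
// every byte of the file to be shifted by 13.
function buildLocalSettings() {
  return [
    'pref("general.config.filename", "mozilla.cfg");',
    'pref("general.config.obscure_value", 0);',
    "",
  ].join("\n");
}

// Write both files under the Firefox install directory (run as the admin
// that owns that directory; users must not be able to edit these files).
function writeFiles(firefoxDir, hosts) {
  const fs = require("fs");
  const path = require("path");
  fs.mkdirSync(path.join(firefoxDir, "defaults", "pref"), { recursive: true });
  fs.writeFileSync(path.join(firefoxDir, "mozilla.cfg"), buildMozillaCfg(hosts));
  fs.writeFileSync(path.join(firefoxDir, "defaults", "pref", "local-settings.js"),
                   buildLocalSettings());
}
```

Usage: writeFiles("C:\\Program Files\\Mozilla Firefox", ["informaction.com", "noscript.net"]) and then confirm in about:config that the noscript.* entries show as locked; if they do not, the first thing to check is the quoting in mozilla.cfg.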
    
  13. #13 Angus S-F says:

    Cool. I take it that

    user_pref("noscript.showGlobal", false);

    is the preferences line that allows toggling of global scripting?

    What does "user_pref("noscript.blockNSWB", true);" control?

    Question: when you update NoScript, do you add back the default domains to the whitelist if they have been removed?

  14. #14 TJ_IN_AK says:

    Go for it. The safer the better. The option to allow the content is very user friendly.

    TJ

  15. #15 Giorgio says:

    user_pref("noscript.showGlobal", false);

    is the preferences line that allows toggling of global scripting?

    Yes it is.
    noscript.blockNSWB is the Forbid Web Bugs option.

    when you update NoScript, do you add back the default domains to the whitelist if they have been removed?

    NoScript updates do not touch your whitelist.

  16. #16 L Otawara says:

    Shipping with Forbid Flash, Forbid Silverlight and Forbid other plugins checked is good idea

  17. #17 FormerBigIronGuy says:

    Coming from a large system environment to the desktop and server world, I am *very* comfortable with the default deny permission stance.
    It is a lot easier to grant permissions if needed than to try to lock down after the horses are out of the barn.

  18. #18 david says:

    Yes, block flash etc by default.

    But add a (larger?) “content blocked” signal, perhaps slightly less obtrusive than the ‘pop-up blocked’ message I see so often.
    Slightly irritating sitting at a site wondering why nothing works. Not irritating enough that I want to turn java script back on.
    But worried that if flash is blocked, I may think that a site just failed to load, since some sites start with only flash.

  19. #19 Angus S-F says:

    Grazie

  20. #20 Matija says:

    Disabling Flash, Silverlight and other plugins should be default, so I agree you should ship your next version like that.
    It is much easier to turn them off when needed (e.g. “this stopped working just after this upgrade”), than to remember that you are vulnerable when “everything seems to work”.
    So go ahead with making it default by all means!

  21. #21 Randall says:

    I would say yes to switching those on by default. Really, my thought is, we use No Script as a safety feature (we being my family and friends, not the voices in my head, I don’t count them…) and so my expectation has always been when a new feature comes out that they are on by default. It wasn’t until I went in and played with the settings that I realized that they are not on by default and had to go turn them on. No big deal, just not what I was expecting out of default behavior. So, yes please mark me down for turning them on by default.

  22. #22 G Powell says:

    I would recommend making the new plug-in protections the default. I don’t know how long I have been running without those protections, because I assumed they were on by default.

    I just happened to notice the issue with the latest upgrade.

    Thanks for a valuable tool for all of us.

  23. #23 Ryan says:

    Disabling is fine, but I’d prefer to have them not disabled. One thing for sure, with the next release please don’t overwrite my current settings for plugins. It’d be really obnoxious to have to go re-enable flash every time there’s an upgrade.

  24. #24 Katie Bretsch says:

    Fine by me! I strongly prefer to have this kind of stuff only on an opt-in basis.

  25. #25 former_ns_user says:

    Obviously I am a Firefox user. I like Firefox - I switched to it a long time ago and ditched IE with its bulky interface and paranoid security settings and annoying prompts. And also because I liked its ’style’. I didn’t have to change a lot of settings - it was already working as I would like it to. I installed NoScript because it was powerful and useful. But I am disappointed with the direction of its development. It is becoming more and more paranoid, just like IE. An addon is supposed to extend browser functionality. For me that means that its default settings must match current browser behavior. If it is going to disable plugins by default, I will either stick to the old version or uninstall it. Reason - the author’s position is so different from my own that I can’t trust him any more - who knows what else he will put in there ‘for my own good’. I lived fine without NoScript before - I can manage on my own.

  26. #26 Ken_g6 says:

    I like the idea of shipping with most of these disabled. But about Flash, is FlashBlock sufficient to block these attacks?

    If so, it would also be nice if NoScript could detect the presence of FlashBlock (if that’s even possible for a plugin), and enable Flash if it’s there.

  27. #27 Ron says:

    Went through the options again after new update. Your defaults set as they are is just what I would set myself except I add the Web Bugs under the Untrusted tab.
    I have been recommending your NoScript tool to everyone I meet that uses Firefox. Best tool available that I have run across in ages.

  28. #28 DJ says:

    Agree with most of the posts here - happy for the ‘forbid’ options to be enabled by default.

    One thing I would *love* to see though is the ability to define what should be enabled on a per site basis. So, some sort of extended options for the whitelist. Adding a site to the whitelist defaults to allowing all blocked content (as it does currently), but give a user the option to select that they wish to block Flash for a particular site (I’m thinking a bunch of tick boxes alongside the site names in the whitelist box).

  29. #29 Andi says:

    Higher security by default is a great idea! Thanks for your work. I’ve been stuck on your great product at http://twit.tv/sn. For me, until now it wasn’t possible to spread the word to any computer non-savvy person. Maybe there are ideas in this community to increase the proliferation. Thanks to all.

  30. #30 Thomas says:

    Hi, I just read your updated advisory 1.1.9. Yes, I support your intention to activate any restrictions by default. For the average user it’s become quite difficult to follow-up and understand all the potential threats. They feel secure by just having installed the software, and aren’t aware that they remain vulnerable. So, opt-in is better than opt-out!

  31. #31 Dr. Veltsos says:

    Security by default is the way to go. You just have to make sure that users understand what’s being blocked, why, and how to enable it for “safe” sites (what is safe nowadays is a different story). I’ve been a fan of NoScript for many years now. Keep up the good work. Dr. Veltsos, CISSP.

  32. #32 ascii says:

    @Maone: put a flag on the “disabled by default” column also for me : ) needless to say great job with noscript

  33. #33 Jarno says:

    I did forbid the plugins in options and encourage you to make it the default setting. Many times plugins are just CPU and bandwidth hogs and start to act automatically even if not desired.

  34. #34 D Sojourner says:

    I would very much appreciate having the plugin options switched to “on by default”. I have several computers I’m using this on, and I can’t always count on my kids checking options.

    D Sojourner

  35. #35 Bob Jonkman says:

    Good security practice says that the default settings should deny everything, then things are permitted explicitly one-at-a-time.

    Yes, please set all the defaults to be as safe as possible, right out of the box. People who install NoScript are doing it to enhance their browsing safety, so make it easy for them.

    People who need to access scripts will have enough tech savvy to enable scripts on individual sites; by corollary, those lacking tech savvy shouldn’t be browsing with Allow scripts Globally anyway.

    Thanx for a great tool!

    –Bob.

  36. #36 nobody says:

    Go ahead and disable active content by default.

    Thanks for the good work!

  37. #37 Dan says:

    Yeah, I support blocking all plugins by default. That IS how I use it after all. (I’m really paranoid about security, even though I only use OS X and Linux and haven’t touched Windows in about 3 or 4 months.)

    I know that not all NoScript users know about the plugin blocking features, so if you were to block Flash by default, I would recommend using some sort of splash screen or a large notice on the NoScript home page that expressly mentions that Flash is turned off, explains why Flash is turned off, and explains how to turn Flash back on. Of course, since us techies are suggesting NoScript to our friends and family (I’ve completely lost track of the number of times I’ve recommended NoScript), it should be explained in a non-techie friendly way but without seeming too condescending.

  38. #38 Bill Wallace says:

    I’m all for making the flash/silverlight/java/quicktime turned off by default in the next version. That is how I run things now, and it works just fine. My browsing is a lot faster, and I see far fewer ads. The very few times I want to download things, I can.
    Could you also have an option to turn off sound? I only know of 1 old exploit in a sound format, but there isn’t any reason to expect we won’t see some in the future, and it is a pain to hear the computer start playing something unexpectedly. I’m not sure how to indicate sound existence, however.

  39. #39 NoScript Provides Additional Security — Woodruff Research says:

    […] safe setup by unchecking the relevant Forbid preferences in the NoScript Options|Plugins panel. Read more about the security reasons behind these new default […]

  40. #40 Sven says:

    I was fine with Flash and for example QuickTime movies being allowed. I don’t like this recent change in NoScript. Here’s why. Whenever NoScript blocks content I get the impression that I escaped a security risk and that I shouldn’t trust the webmaster of that respective site. However, similar to what former_ns_user said that is too paranoid for me now that it includes Flash and QuickTime. I liked the fact that NoScript blocks JavaScript (JS) by default. I’m convinced that there are JS features that a proper HTML or PHP website can deliver as well. Actually _forcing_ the visitor to have JS enabled looks like sloppy web design to me. That’s avoidable.

    After I was done working on my own website today (it has Flash videos) I checked it online and found that the videos weren’t loading. I sat up straight, scratched my head and wondered when in the last days my own website had become a security risk to its visitors. At the same time I had other tabs open loading this week’s movie trailers. That particular website delivers trailers as QuickTime movies. I saw these tabs blocking content and again I wondered: when since my last visit had this website become a security risk?

    Blocking JavaScript should stay enabled by default. I encourage that as I hardly ever see JavaScript contributing a unique feature to my browsing experience. However, blocking for example Flash and QuickTime movies gives the impression that I shouldn’t trust websites that I actually do trust. Websites I trust because I’m convinced they are harmless. My perception does not matter. NoScript knows better. If I were a visitor of my own website it’d be the other way round: I’d see blocked content and get the impression that the website is a security risk. At the very least I’d hesitate to click anywhere near the blocked content. Maybe I’d just turn tail. It would make me automatically suspicious of the webmaster’s intentions.

    Next stop is my regular movie trailer website; too risky now. I should find a new one that NoScript approves of. When it comes to movie trailers, too, my perception does not matter. NoScript knows better. Since I like to see videos I should look for a website that delivers .gif animations. The current NoScript version doesn’t block them by default.

    In my opinion NoScript overshot the mark in disabling these content types by default. They should be re-enabled by default.

  41. #41 hackademix.net » Merry XssMas says:

    […] Register has also “discovered” Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarkcat’s attack on RSnake was based on […]

  42. #42 hackademix.net » Pwn2Own, the Winner is... NoScript! says:

    […] OS X was taken because the high-level software it bundles (especially its web browser and multimedia plugins) is not as safe as its FreeBSD-derivative […]

  43. #43 hackademix.net » Firefox Users Are The Safest says:

    […] is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either […]

  44. #44 hackademix.net » Browser Plugins, Add-Ons and Security Advisers says:

    […] This can cause major security concerns, no doubt about that. They’ve accumulated lots of security issues of their own over the time, and the scriptable ones (like Flash or Java) are often used in combination with […]

  45. #45 CHRIS says:

    Hi,

    Don’t know much about the threats you mentioned but I am glad to use your tools.
    I feel more confident when my whole family surfs the web without paying attention to anything.

    Thank you so much for the time you give contributing to a safer environment (yes even on our so-called virus-free Mac)
    C.
