January 23, 2008
Old NoScript Tricks Blocking New Vulnerabilities
Posted by: Giorgio in Mozilla, Security, NoScript
It happened in the past and it’s happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users have been protected since August 2007.
NoScript prevents all chrome: URIs from being loaded as scripts in web content, effectively neutralizing this bug (and a bunch of related ones), no matter whether the attacker site is “trusted” (i.e. allowed to execute JavaScript) or not.
Security bugs may live ten days only…
A NoScript fix is forever :)
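The rule described above, as a simplified model added here for illustration (not NoScript's own code): the chrome: check runs before the trust lookup, so a whitelisted site gets the same answer as an untrusted one. The request shape, the `decide` function, the `trusted.example` host and the set of "web content" schemes are assumptions.

```javascript
// Simplified model of a content-load policy decision; not NoScript's actual code.
// The request shape { type, url, origin } and all names are assumptions.

// Schemes treated as "web content" in this model (assumption).
const WEB_SCHEMES = new Set(["http:", "https:", "file:"]);

// Returns the lower-cased scheme ("chrome:", "https:", ...) or null if unparsable.
function schemeOf(uri) {
  try {
    return new URL(uri).protocol;
  } catch (e) {
    return null;
  }
}

function isWebContent(origin) {
  return WEB_SCHEMES.has(schemeOf(origin));
}

// trustedSites: Set of hostnames allowed to execute JavaScript.
function decide(request, trustedSites) {
  const targetScheme = schemeOf(request.url);
  if (targetScheme === null || schemeOf(request.origin) === null) {
    return "block"; // fail closed on anything we cannot parse
  }
  if (request.type !== "script") {
    return "allow"; // other load types are outside this model
  }
  // The rule from the post: a chrome: URI never loads as a script in web
  // content. It is evaluated before the trust list is consulted.
  if (targetScheme === "chrome:" && isWebContent(request.origin)) {
    return "block";
  }
  // Privileged browser documents loading their own scripts are untouched.
  if (!isWebContent(request.origin)) {
    return "allow";
  }
  // Ordinary script loads fall back to the per-site trust decision.
  const host = new URL(request.origin).hostname;
  return trustedSites.has(host) ? "allow" : "block";
}
```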



January 23rd, 2008 at 6:32 pm
Awesome work as always Giorgio!
January 23rd, 2008 at 8:27 pm
Yes, good job !!
I’ve always believed that NoScript was a useful tool, but now my belief is much stronger!
January 25th, 2008 at 3:31 pm
[…] As reported by Giorgio Maone, Italian geek and author of popular Firefox extensions such as FlashGot and NoScript, the powerful security extension NoScript is able to prevent chrome URIs from being loaded as scripts in web content, thus making this bug impossible to exploit, regardless of whether the attacker’s site is set as trusted (i.e. it is allowed to execute JavaScript code). […]
January 29th, 2008 at 5:59 am
NOScript is the best!
February 19th, 2008 at 12:24 pm
Great extension, it’s the first one I download for Firefox when I have a fresh-install computer ;) - congratulations
March 4th, 2008 at 10:57 am
Is this small vulnerability (allowing reading unimportant files) worth disabling JavaScript? I don’t think so.
March 4th, 2008 at 12:13 pm
@Alexander Ciornii:
October 2nd, 2008 at 12:49 pm
[…] this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats. Unfortunately, bugs happen too and […]