Archive for December, 2008

Blue or red
Latest updates from Microsoft: the critical remote code execution bug we already talked about affects all IE versions (IE8 beta included) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites that have been infected through automated SQL injections:

  • The hole is in data binding, not in XML processing as many (me included) initially reported.
  • Raising the security level of the Internet Zone to "High" and disabling active scripting does not suffice to protect you, even if it makes the attacker's life slightly harder. Not harder than yours, though, since Microsoft's "Security Zones" have none of NoScript's usability...

The only work-around suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unfortunately required by most applications that work with databases.

So, do you really want to keep inflicting that blue "e" on yourself? Or are you ready for a red panda?

Hungry Fox
You may have heard of Microsoft Update's debacle last Tuesday, with two critical Windows vulnerabilities disclosed when it was too late for this patching cycle:

I said "is exploited", rather than "can be exploited", because both these 0-day vulnerabilities are being actively exploited in the wild.
I also deleted "malicious" near "web sites", because exploits for the latter vulnerability are being massively planted on legitimate web sites through automated SQL injection attacks.
Give yourself a Christmas gift: if there is ever a best moment to switch to a safe, or at least a safer, browser, it's now.

Tasmanian Devil

Dec 6, 7:25 PM, IM

Arshan* to me:

noscript saved me today, literally, from none other than the infamous samy

Dec 7, 3:16 AM, Email

From: samy**
To: Giorgio Maone
Subject: giorgio, i'm mad at you


I am mad at you. My friend, Arshan Dabirsiaghi, whom I will refer to from now on only as "the persian", was viewing a web page. The web page in question had what the kids these days are calling, "XSS". The XSS was malicious. As malicious as a chicken nugget from McDonalds. Worse, maybe.

But you see, my friend, the persian, was not affected. Why is this you ask? I asked him the same thing. He told me that I should blame you for him being safe. I don't think he literally meant come to you and blame you, but you see, I am coming to you anyway and blaming you. He was running this extension (of his penis) known only as NoScript, or what I will refer to as "the devil's plugin". And for this, I am angry. Angry at the plugin, the use of it, and by extension the author. You, sir, you. That is all. All I can do now is attempt to correct your rights.

Good morrow to you, fine sir.

Your frienemy,

*Arshan Dabirsiaghi of Aspect Security and OWASP, lead developer of the OWASP Anti-Samy Project.
** The infamous Samy, author of the eponymous MySpace XSS Worm.


Samy's original message contained a slightly anti-Zionist joke about Arshan's supposed descent. I edited it out, even though Samy had consented to verbatim publication, because Guanxi pointed out that some people may find it offensive rather than parodic, or even worse, read it as an implicit justification for antisemitism.

Update 2

I re-edited the original message after Samy suggested a way to make it become, "all of the sudden accurate rather than offensive".

SecTheory published a paper by Robert "RSnake" Hansen about Browser Power Consumption. Dan Goodin reports on it under the rather funny title Study spanks Adobe Flash for abuses of power (hey Dan, why just Adobe? What about Microsoft and Sun?). PC World has an article as well, interviewing a Pacific Gas and Electric representative.

The green juice: you can reduce your PC's power consumption by 25% when you browse the web using Firefox with NoScript and AdBlock Plus. Quite obvious, since JavaScript, Flash, Java, Silverlight and active content in general are major CPU drains compared to static pages. By allowing them only when and where they're needed, the way NoScript does, you do the equivalent of turning off the tap while you brush your teeth or switching off the light when you leave a room.

Of course it's just a drop in the ocean, but I like to believe I'm helping Gaia a bit and enabling others to do the same :)


Commenter Arthur reminded me that, even if you didn't give a damn about the environment's health, as a mobile user you surely value your battery life, so you've got yet another good reason to use NoScript. And did I mention you can now use NoScript on the Fennec mobile browser?
