I apologize for not providing a constant information feed about NoScript 10's impending release, but I've got no press office or social media staff working for me: when I say "we" about NoScript, I mean the great community of volunteers helping with user support (and especially the wonderful moderators of the NoScript forum).

[Screenshot: NoScript 10 object placeholder]

By the way, as most but not all users know, there's no "NoScript development team" either: I'm the only developer, and yesterday I also had to temporarily suspend my NoScript 10 final rush, being forced to release two emergency 5.x versions (5.1.6 and 5.1.7) to cope with Firefox 58 compatibility breakages (yes, in case you didn't notice, "Classic" NoScript 5 still works on Firefox 58 Developer Edition with some tricks, even though Firefox 52 ESR is still the best "no surprises" option).

Anyway, here's my update: the week, at least in Italy, finishes on Sunday night, there's no "disaster recovery" going on, and NoScript 10's delay on Firefox 57's release is still going to be measured in days, not weeks.

Back to work now, and thank you again for your patience and support :)

NoScript Work
Later today, or rather in a couple of days, if everything goes fine, and definitely by the end of this week, NoScript 10, the first "pure" WebExtension NoScript version, will finally be released for Firefox 57 and above, after years of work and months of NoScript 5.x living as a hybrid extension to allow for smooth user data migration.

NoScript 10 is very different from 5.x: some things are simpler, some things are improved, some are still missing and need to wait for WebExtensions APIs not available yet in Firefox 57. Anyway, whenever you decide to migrate, your old settings are kept safe, ready to be used as soon as the feature they apply to gets deployed.

If you're not bothered by change, you're ready to report bugs* and you're not super-paranoid about the most arcane features of the whole "NoScript Security Suite", NoScript 10 is worth the migration: active content blocking (now more configurable than ever) and XSS protection (now with a huge performance boost) are already there. And yes, Firefox 57 is truly the most awesome browser around.

If, otherwise, you really need the well-rounded, solid, old NoScript experience you're used to, and you can't bear anything different, even if just for a few weeks, don't worry: NoScript 5.x is going to be maintained and to receive security updates until June 2018 at least, when the Tor Browser will switch to a Firefox 59 ESR base and the "new" NoScript will be as powerful as the old one. Of course, in order to keep using NoScript 5.x outside the Tor Browser (which has it built-in), you have to stay on Firefox 52 ESR, Seamonkey, Palemoon or another pre-Quantum browser.
Or you can even install Firefox 58 Developer Edition, which allows you to keep NoScript 5 running on "Quantum" with the extensions.legacy.enabled trick. Just please don't block your updates on Firefox 56, it would be bad for your security.

Let me repeat that: your safest option for the next few days is Firefox 52 ESR, which will receive security updates until June 2018.

So, for another half-year there will be two NoScripts: just sort your priorities and choose yours.

Update 2017-11-15

As you probably noticed, yesterday's "today" has gone away in most time zones and we're not ready yet (Murphy's law and all) :(
But we're definitely on track for the end of this week, and in the meanwhile your awesome patience deserves a couple of preview screenshots...
[Screenshot: NoScript 10 menu]
[Screenshot: NoScript 10 options (noscript10-options.png)]

Update 2017-11-18

The week is not over yet.

* In the next few weeks I will move NoScript 10.x source code and bug tracking to GitHub; in the meanwhile please keep using the forum.

Second email I've received today (some headers omitted):

Return-Path: <ludv.jani-2015@vrg.se>
Received: from unknown (HELO mail.bsme-mos.ru) (95.163.65.54)
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@94.23.58.202)
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_25F4_01D27898.7064C4E0"

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

(HTML omitted)

------=_NextPart_001_25F4_01D27898.7064C4E0--

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: application/octet-stream;
name="PROJECT.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="PROJECT.gz"
...

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).
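The mismatch described above (a file named ".gz" whose bytes are actually a RAR archive) is exactly the kind of thing a mail gateway or a local triage script can catch before anyone opens the attachment. The following is an added example, not code from the blog or from NoScript: it parses a MIME message with Python's standard `email` module, decodes each attachment and compares the filename extension against the file's leading signature bytes. The sample message, the sender addresses and the attachment bytes are constructed for the example; the RAR, gzip, ZIP and OLE signatures are the well-known public ones.

```python
# Added example (not the blog's or NoScript's code): flag e-mail attachments whose
# extension disagrees with their magic bytes, as with the "PROJECT.gz" that was a RAR.
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of a few archive/document formats (well-known signatures).
MAGIC = {
    "gz": b"\x1f\x8b",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy .doc/.xls)
}

# Extensions that are consistent with each detected format.
COMPATIBLE = {
    "gz": {"gz", "tgz"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "rar": {"rar"},
    "doc": {"doc", "xls", "ppt"},
}


def sniff(data: bytes):
    """Return the format whose signature matches the start of data, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def check_attachments(raw: bytes):
    """Parse a raw RFC 822 message and report, per attachment, whether the
    declared filename extension contradicts the detected content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part.get_payload(decode=True) or b""   # base64 is decoded here
        detected = sniff(payload)
        mismatch = detected is not None and ext not in COMPATIBLE.get(detected, set())
        findings.append({
            "filename": filename,
            "declared_type": part.get_content_type(),
            "extension": ext,
            "detected": detected,
            "mismatch": mismatch,
        })
    return findings


def build_sample_message(filename: str = "PROJECT.gz", data: bytes = None) -> bytes:
    """Constructed sample: a multipart mail with one octet-stream attachment.
    By default the attachment is named PROJECT.gz but starts with the RAR signature
    (the bytes after the signature are fabricated padding, not a real archive)."""
    if data is None:
        data = MAGIC["rar"] + b"\x00" * 64
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "developer@example.invalid"     # constructed address
    msg["Subject"] = "question"
    msg.set_content("Hey. Can you write the code for my project? Terms of reference attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message()):
        print(finding)
```

Run on the constructed message, the single finding reports `extension: "gz"`, `detected: "rar"` and `mismatch: True`; an attachment whose bytes really start with `1f 8b` and is named `.gz` passes. The check only inspects the outer file, which is deliberate: unpacking archives to look for the `.doc` inside belongs in a sandbox or a dedicated scanner, not in a gateway filter that handles untrusted input.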

The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).

Both messages appear to be hand-crafted, and the reference to today's date in the attachment file name IMHO hints at a focused campaign explicitly aimed at victims perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)

Update

As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like VBA macro malware, indeed. Thanks Ludovic for reminding me of VirusTotal.

An update from the field by a friend of a friend on the situation in Turkey.
It's hard to believe Erdogan's criminal regime sits practically inside Europe and is a prominent member of NATO.

Today 11 HDP (Peoples’ Democracy Party) parliamentarians were taken into custody. And to-date, 170 media outlets have been banned, 130 journalists in prison, and 30 democratically elected Kurdish Mayors in prison.

Today, the Turkish police took eleven HDP (Peoples’ Democracy Party) parliamentarians, including the co-chairs Selahattin Demirtas and Figen Yuksekdag, into custody in after-midnight raids. The MPs’ houses and the party’s headquarters were raided, doors were broken and the parliamentarians were forcefully detained.

In the past several months, the government has been using the coup attempt on July 15th as an opportunity to consolidate its rule by eliminating every single oppositional voice in the country, especially the HDP, which halted the authoritarian project of a presidential system both in the June and November elections in 2015 by preventing Erdogan's AKP from winning a sufficient number of parliamentary seats to make the necessary constitutional changes.

About 30 democratically elected Kurdish mayors are in prison now and about 70 of them have been dismissed by the central government.

Freedom of expression has been almost entirely undermined. Through government decrees with the force of law, over 170 media outlets have been banned. More than 130 journalists are in prison, including some world-renowned authors and intellectuals.

Most recently, two Kurdish news agencies and several Kurdish dailies were closed and the chief-editor, columnists and journalists of the pro-Republican People Party (CHP) daily Cumhuriyet were detained. Many academics are under criminal investigation for signing a peace petition.

Friends from around the globe, these are days when we most need international solidarity.

On April the 7th at 22:53, Aaron wrote:

I just read a Digital Trends article that states NoScript is a security breach. What's the story here???

It's a story of FUD and sensationalism, which got reported in such a careless way that now makes explaining and correcting readers' perception an uphill battle.
They've just demonstrated that rather than invoking a low-level function directly, like any installed add-on could do anyway, a malicious Firefox extension that has already been approved by an AMO code reviewer and manually installed by the user can invoke another add-on that the same user had previously installed and perform the low-level tasks on its behalf, not in order to gain any further privilege but just for obfuscation purposes.

It's like saying that you need to uninstall Microsoft Office immediately because tomorrow you may also install a virus that then can use Word's automation interface to replicate itself, rather than invoking the OS input/output functions directly. Or that, for the same reasons, you must uninstall any Mac OS application which exposes an AppleScript interface.

BTW, if you accept this as an Office or AppleScript vulnerability, Adblock Plus is not less "vulnerable", so to speak, than the other mentioned add-ons, despite what the article states. It's just that those "researchers" were not competent enough to understand how to "exploit" it.

And I'm a bit disappointed in Nick Nguyen who, rather than putting some effort into rebutting this cheap "research", chose the easier path of pitching our new WebExtensions API, whose better insulation and permissions system actually makes this specific scenario less likely and deserves to be praised anyway, but does not and could not prevent the almost infinite other ways to obfuscate malicious intent available to any kind of non-trivial program, be it a Chrome extension, an iOS app or a shell script. Only the trained eye of a code reviewer can mitigate this risk, and even if there's always room for improvement, this is what makes AMO stand out among the crowd of so called "market places".
