
JavaScript and Flash are powerful Web-site development tools. Their use can either enhance the Internet experience or help exploit computers. It depends completely on the person using the tools.
The people on the dark side will use JavaScript or Flash to exploit a vulnerability. Those three words are the heart of the problem: no vulnerability, no exploit. So make sure the computer’s operating system and any installed applications are up-to-date. I just finished a post about how to do that using an application called Secunia.
Not a Utopian model
Fighting a computer exploit is similar to any “cops and robbers” activity. The cybercriminal has the advantage of being able to strike first, after which software developers scramble to provide fixes for the exploited vulnerability. That means the software will be vulnerable until the fixes are installed. You may have read about zero-day threats. They are the ones taking advantage of the inevitable lag.
One not-so-good option
Software developers have a solution for the lag time. They advise disabling JavaScript and Flash until they can resolve the problem. Well, that’s alright for them, but disabling JavaScript or Flash is a pain, and doing so usually breaks major portions of Web sites, rendering them useless.
Better option
When it comes to JavaScript and Flash exploits, Internet Explorer isn't much help. I won’t go into the details, but suffice it to say that Internet Explorer needs help. It’s not getting any, so I avoid using it. My Web browser of choice is Mozilla Firefox. It is arguably the most secure browser available. Firefox also has an army of add-on developers, whose products make Firefox even better.
NoScript
I have mentioned the add-on NoScript on numerous occasions, so you know I think highly of Giorgio Maone and NoScript. Giorgio understands that malicious Web sites use JavaScript and Flash exploits to take control of vulnerable computers. So, he created a program in which the user controls whether JavaScript and Flash code are allowed or not.
Since most Web sites use JavaScript and Flash extensively, NoScript may become annoying. Giorgio tries to minimize that by offering optional configurations. You can learn more about how on NoScript’s FAQ page. Also, if you have any questions, feel free to ask away in the comment section below.
Final Thoughts
Using Firefox and NoScript is not a perfect solution, but it’s better than most I have found. If you have a solution that works for you, I certainly would be interested in hearing about it.
For up-to-date information about Firefox, please visit Firefox: One-stop for security tips. For answers to your questions about Information Technology, please refer to Technology 101: Answers to your IT questions.











Comments
WHAT??? You don't REALLY think that the BEST security practice of not EVER allowing REMOTELY HOSTED EXECUTABLE CODE is a good thing?
There really is no functionality in any website that requires that the end user open their system to security breaches. It can all be done WITHOUT using clientside scripting, like Flash, JavaScript [ properly named ECMAScript by the way ], or the least secure one of all, ACTIVEX Controls.
The ONLY reasons clientside scripting is used are that
1) "Web DESIGNERS" are too lazy to work with the more secure for EVERYONE server side processing of application logic.
2) Site Owners don't know that all the fancy UI tricks do NOT require the criminally negligent use of active clientside scripting.
Thanks, Jaqui
I made an oversight by not differentiating between client-side and server-side. Thanks for straightening me out.
Another strategy is to use Comodo Internet Security to prevent buffer overflows from happening. Most exploits revolve around the buffer overflow phenomenon.
Good point EricJH, I think Comodo approaches JavaScript and Flash apps the same way as NoScript. I find Comodo products to be very well thought out.
I use Comodo and NoScript on my XP machines, but for now Secunia reports Vista x64 IE8 to be secure for everything except cross-scripting, and then you have to be dumb enough to click to give it permission to change sites, mid-step.
So on this machine, I use FF sparingly, because if I give the trusted site permission and they've been drive-by'ed, I'm still Java and Adobe vulnerable.
I'll stick with Vista IE 8 x64, where at least I have only one rather retarded vulnerability, instead of three!