Can I defend against this?



freakedman
05-04-2016, 02:28 PM
I have read that some scripts can be run through active content such as javascript or flash and get hardware information including install dates and serial numbers.

Is this possible, and if so how can I defend it?

kaufen
05-10-2016, 10:02 AM
Good antivirus will decide all your problems.

gordo
05-12-2016, 06:51 AM
Also look into NoScript for Firefox and ScriptSafe for Chrome.

kaufen
06-29-2016, 11:38 AM
Check your computer with DrWeb. It's free soft.

Siseneg
07-20-2016, 03:19 PM
I have read that some scripts can be run through active content such as javascript or flash and get hardware information including install dates and serial numbers.

Is this possible, and if so how can I defend it?


Don't run your browser with JavaScript enabled globally.

A script getting your install date and serial numbers should be the least of your worries when it comes to scripting vulnerabilities. By running your browser with JavaScript enabled globally you open yourself up to everything from heap overflow exploits, to XSS exploits, to exploit kits.

Flash is notoriously insecure. Adobe just released a patch this month for 52 vulnerabilities that could have allowed someone to take control of your machine:

"Adobe's July Patch Tuesday release is once again dominated by vulnerabilities found within the company's Flash Player product where 52 critical CVEs that could allow an attacker to take control of a system."

http://www.scmagazine.com/52-flash-player-bugs-fixed-with-adobes-july-patch-tuesday-update/article/50*0**/


Java (not to be confused with JavaScript) is better, but not by much, and considered by some to be the "second biggest security vulnerability". From a 20*5 article:

"As Java vulnerabilities piled up, Oracle released a Critical Patch Update Advisory this July, containing no less than *** new security fixes! And there was the April 20*5 Critical Patch Advisory (*8 security fixes) and the January 20*5 Patch Advisory before that (*6* security fixes)."

"Moreover, data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after Adobe's Flash plugin."

https://heimdalsecurity.com/blog/java-biggest-security-hole-your-computer/


NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.

NoScript also provides Cross Site Scripting (XSS) protection and will notify you if it detects a problem on a page you visit. If you're depending on an antivirus program to provide protection from something like an XSS attack, you're asking for trouble:

https://www.stopthehacker.com/20*2/0*/24/cross-site-scripting-basics/


Personally, I don't have Java or Flash installed on my machines and the first thing I do after installing Firefox is install the NoScript extension.

kaufen
09-05-2016, 06:25 AM
NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.

Siseneg
09-13-2016, 12:06 PM
NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.

I couldn't have said it better myself.

Wait, I already did...

muster
11-06-2017, 09:18 AM
Check your computer with DrWeb. It's free soft.