zabbix
+ Reply to Thread
Results 1 to 8 of 8

Thread: Can I defend against this?

  1. #1
    Join Date
    Apr 2016
    Posts
    2

    Can I defend against this?

    I have read that some scripts can be run through active content such as javascript or flash and get hardware information including install dates and serial numbers.

    Is this possible, and if so how can I defend it?

  2. #2
    Join Date
    May 2015
    Posts
    33
    Good antivirus will decide all you problems.

  3. #3
    Join Date
    Apr 2007
    Posts
    942
    also look into NoScript for firefox and ScriptSafe for chrome.

  4. #4
    Join Date
    May 2015
    Posts
    33
    Check your computer with DrWeb. It's free soft.

  5. #5
    Join Date
    Oct 2002
    Posts
    50
    Quote Originally Posted by freakedman View Post
    I have read that some scripts can be run through active content such as javascript or flash and get hardware information including install dates and serial numbers.

    Is this possible, and if so how can I defend it?

    Don't run your browser with JavaScript enabled globally.

    A script getting your install date and serial numbers should be the least of your worries when it comes to scripting vulnerabilities. By running your browser with JavaScript enabled globally you open yourself up to everything from heap overflow exploits, to XSS exploits, to exploit kits.

    Flash is notoriously insecure. Adobe just released a patch this month for 52 vulnerabilities that could have allowed someone to take control of your machine:

    "Adobe's July Patch Tuesday release is once again dominated by vulnerabilities found within the company's Flash Player product where 52 critical CVEs that could allow an attacker to take control of a system."

    http://www.scmagazine.com/52-flash-player-bugs-fixed-with-adobes-july-patch-tuesday-update/article/50*0**/


    Java (not to be confused with JavaScript) is better, but not by much, and considered by some to be the "second biggest security vulnerability". From a 20*5 article:

    "As Java vulnerabilities piled up, Oracle released a Critical Patch Update Advisory this July, containing no less than *** new security fixes! And there was the April 20*5 Critical Patch Advisory (*8 security fixes) and the January 20*5 Patch Advisory before that (*6* security fixes)."

    "Moreover, data extracted from our own database confirms that Java is the second biggest security vulnerability that requires constant patching, after AdobeR*7;s Flash plugin."

    https://heimdalsecurity.com/blog/java-biggest-security-hole-your-computer/


    NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.

    NoScript also provides Cross Site Scripting (XSS) protection and will notify you if it detects a problem on a page you visit. If you're depending on an antivirus program to provide protection from something like a XSS attack you're asking for trouble:

    https://www.stopthehacker.com/20*2/0*/24/cross-site-scripting-basics/


    Personally, I don't have Java or Flash installed on my machines and the first thing I do after installing Firefox is install the NoScript extension.
    Last edited by Siseneg; 07-20-2016 at 08:55 PM.

  6. #6
    Join Date
    May 2015
    Posts
    33
    NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.

  7. #7
    Join Date
    Oct 2002
    Posts
    50
    Quote Originally Posted by kaufen View Post
    NoScript is a great extension and will allow you to only enable JS for a trusted site you visit that cannot be viewed properly or will not function properly without it, and then only the scripts necessary to facilitate it, which more often than not is not every script on the page. Flash requires that JavaScript be enabled to function, so not having it run automatically when you land on a page should prevent that type of exploit.
    I couldn't have said it better myself.

    Wait, I already did...

  8. #8
    Join Date
    Jan 2017
    Posts
    2
    Check your computer with DrWeb. It's free soft.

+ Reply to Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts