Csdrhrt

The article titled "iPhone, IE, Firefox, Safari get stomped at hacker contest" at The Register website discusses that Firefox can be exploited.

I wonder if NoScript protects against the kind of exploits written about; or whether the browser can be exploited regardless of having the extension loaded.

Any opinions? Might make this a community wiki given that it's not simple problem/solution post.

The site doesn't go into details on exactly what exploits were used, so it's impossible to tell if they would have been thwarted by NoScript.

NoScript blocks execution of all JavaScript and 3rd party scripting (like flash/sliverlight), so pretty much leaves you with just basic HTML. While it's certainly possible that a rendering bug in a browser could expose a vulnerability in pure HTML, it's much less likely as no code is being specifically executed in the same way as with a JavaScript engine. The attackable surface area is drastically reduced so the likelihood of finding a successful attack is lower.

The other area to consider of course is that the attack could target NoScript itself. There is certainly a chance that NoScript has bugs that allow remote code execution.

Finally, you need to consider user actions. How rigorously do users check that a site is trustworthy before whitelisting it. Do you perform an in depth code review of a site and all its scripts before you whitelist it, or do you just hit allow when you see "This site requires javascript". I suspect it's probably not hard to get most users to whitelist your site, because as soon as they do, they re-expose themselves to a lot of those attacks again.

I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).

The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.

Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.

And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).