 mysec Premium join:2005-11-29 kudos:4 | reply to SpannerITWks
Re: Browser Security Test
said by SpannerITWks:
The thing is, Most people out there are not that clued up, so having Scripting enabled in ANY browser, is just One sure way they can and do Keep getting blasted, Often !
My favorite quote:
"Just because Hobbs' shoes are too tight, why should my feet hurt?"
Just because statistics show millions getting blasted, why should that happen to me - or the home users I help? It doesn't.
Why should we have to disable useful functions, like js, and deprive ourselves of useful tools, like email attachments?
It doesn't have to be.
regards,
-rich
______________________________________________ "Talking About Security Can Lead To Anxiety, Panic, And Dread... Or Cool Assessments, Common Sense And Practical Planning..." --Bruce Schneier |
 Buddel If it ain't broke, don't fix it. Premium join:2004-03-06 EU kudos:3 1 edit | reply to Mele20
said by Mele20:
I don't understand advising folks to turn off javascript. Doing that screws up browsing and it is perfectly safe.
I don't think it's perfectly safe but I agree that it screws up browsing, so I do not turn off javascript. Maybe I feel a little bit less secure but at least the sites I go to load the way they should, which is one good reason for me not to turn off javascript. |
| reply to DSHIELD
Did the tests on Opera with default settings and got a result of zero. But there were holes.
Kaspersky results:
detected: malware Exploit.VBS.Phel.a URL: hxxp://webtest.scanit.be/bcheck/session/sid-8ed20d5c82cffa6db3693522ae64dcf6/test-bid11467.php
detected: malware Exploit.HTML.ViaSWF URL: hxxp://webtest.scanit.be/bcheck/session/sid-8ed20d5c82cffa6db3693522ae64dcf6/test-bid6481.php
Also the warning in Opera as shown in the screen shot. Haven't tested IE7 though, and I don't run anything else.
Lucky the results were for known exploits etc. If they tested for unknown exploits they may have found more holes.  -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke |
 hpguru Curb Your Dogma Premium join:2002-04-12 2 edits | reply to AB
said by AB:
DSLR uses IFrames sometimes. I suspect disabling it would give you less functionality on this site, among others.
The setting "Launching programs and files in an IFRAME" does not disable the use of the IFRAME element. It simply limits the functionality described here.
As for JScript/Javascript, I also have it enabled in the Internet zone but I use Proxo to remove all active content from pages before my browsers ever see them. This has the same benefit of disabling scripting in the Internet zone but still allows me to selectively allow scripting for certain Internet zone sites (Proxo whitelist) and to inject my own scripts into pages. Even so, when I was maintaining hpHOSTS I routinely set Proxo into bypass mode while inspecting some of the nastiest sites because I can't determine if a site is up to no good if Proxo removed all their nasties. In all those years I never got hijacked, exploited or infected, not even a little. 
Btw one thing Proxo users can do to make IFRAME elements a lot safer is to add Microsoft's proprietary SECURITY attribute to the IFRAME tag and set its value to "restricted". This will force the content displayed in the Iframe into the Restricted zone regardless of the zone(s) which the host page or framed page reside in, rendering the framed page quite benign. The only downside to this is that every page containing an IFRAME element will now be indicated to be in "Unknown Zone (mixed)" in IE's status bar. This is nothing to be concerned about but it is unsettling if you don't know what it means.
Edit: Here is the documentation of the above mentioned SECURITY attribute with examples.
SECURITY Attribute -- Where's Jesus? Dear Jesus! |
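The Proxo tip in the post above, sketched as an added Python example (not from the thread and not a Proxomitron filter): it rewrites each IFRAME start tag to carry IE's SECURITY="restricted" attribute, replacing any value the page supplied, and counts tags it could not parse and therefore left untouched. The function name and the sample HTML are constructed for illustration.

```python
import re

# An <iframe ...> start tag. Quoted attribute values are matched as units so a
# ">" inside a value (common in ad URLs) does not end the tag early.
IFRAME_TAG = re.compile(r'''<iframe\b((?:[^>"']|"[^"]*"|'[^']*')*)>''', re.I)
# One attribute: name, optionally followed by = and a quoted or bare value.
ATTR = re.compile(r'''([^\s=/>"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?''')


def restrict_iframes(html):
    """Return (rewritten_html, leftover): every parseable IFRAME start tag gets
    security="restricted"; leftover counts "<iframe" openings left untouched."""
    def rewrite(match):
        attrs = []
        for attr in ATTR.finditer(match.group(1)):
            name, value = attr.group(1), attr.group(2)
            if name.lower() == "security":
                continue  # discard the page's own value; the filter decides
            attrs.append(name if value is None else f"{name}={value}")
        attrs.append('security="restricted"')
        return "<iframe " + " ".join(attrs) + ">"

    rewritten, count = IFRAME_TAG.subn(rewrite, html)
    total = len(re.findall(r"<iframe\b", html, re.I))
    return rewritten, total - count


# Constructed sample page (not taken from the thread).
SAMPLE = (
    '<IFRAME SRC="http://ads.example/a?x=1>2" width=1 height=1></IFRAME>'
    "<iframe src='frame.html' security=\"none\"></iframe>"
    '<iframe src="broken></iframe>'  # unterminated quote: cannot be parsed
)

if __name__ == "__main__":
    page, leftover = restrict_iframes(SAMPLE)
    print(page)
    print("iframe tags left unrestricted:", leftover)
```

A non-zero leftover means the filter failed open on malformed markup, so a stricter setup would strip or block those frames instead of passing them through.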
 | reply to DSHIELD I got nothing but 0's too!! |
 Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to Cudni
said by Cudni:
Javascript unchecked can be as damaging as activex (in allowing malware/spyware). if still using proxo it is probably filtering a lot of bad code. Cudni
True. But then the advice, seems to me, should be for people to get Proxo with either Sidki's latest or Grypen's configs. I can't imagine surfing the web without Proxo. It is the one application (besides a browser) that I have to have. You do not have to know how to write scripts for it. Just install it with one of the above configs and use the set that the author recommends for beginners.
-- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ |
 | reply to DSHIELD Interesting. IE7 fully patched, so is Windows XP and of course latest Firefox 2.0.0.1. However, the test claimed that I have the following high risk vulnerabilities:
- Microsoft Internet Explorer %00 Arbitrary File Execution Vulnerability (bid3578)
- Microsoft Internet Explorer MIME Header "Content-Type: audio-x-wav" Attachment Execution Vulnerability (bid2524)
- Microsoft Internet Explorer Content-Disposition Handling File Execution Vulnerability (bid4752)
So...WTF? -- My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. |
 Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to DSHIELD IE6 passed. (But Sidki's timer on his Proxo config set made it difficult to run the test. I had to right click on the time for each test (the TimeOut is set for one second) to run the test without delay). |
 | reply to DSHIELD mysec
My comments weren't directed at you or others on here " in the know " but rather about All those other people out there who do get blasted who don't know about such things.
-
It's been a long time since i took their test, so outa curiosity to see what happened this time round, i went and done and did it -
Same as the last time all clear, and that's with IE6 on 98SE ! And i chose to take all 40 tests leaving nothing out, even though some weren't supposed to be applicable.
Oh it got my browser version wrong, but there's a Very good reason for that lol.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks |
 EUSKill cancer Premium join:2002-09-10 canada
| reply to DSHIELD
 Opera 8.53 |
Opera |
 | reply to DSHIELD
Wow, this is what I got running Windows 2000 Pro, IE6 |
 garys_2k Premium join:2004-05-07 Farmington, MI | reply to DSHIELD I also got all zeros, but AFAIK my FF is still vulnerable to saved password grabbing by an embedded web page script. |