ninersfan
join:2001-02-09
Hayward, CA
| How to Cope with Internet Scripting Annoyances
Got this in my searchwin2000.com email newsletter today and thought it might be of interest to Security Forum readers:
---
COPE WITH INTERNET SCRIPTING ANNOYANCES
by Tom Lancaster
»searchwin2000.techtarget.com/tip···2F283640
One of the most annoying things Web surfers encounter are Web sites that open new windows by themselves, or maximize the existing window to display ads or otherwise monopolize your attention. The method usually used to accomplish this is JavaScript or ActiveX, with the former being much more common in my experience. JavaScript and ActiveX, if left unchecked can do some pretty nasty things to your
computer, particularly since there are so many exploits around. So you want to protect yourself from these potential security hazards.
However, there are so many good sites now that use JavaScript for something useful, that turning it off disables half of why you use the Internet in the first place.
Perhaps the best way to deal with this solution is the zone feature built into Microsoft's Internet Explorer, which hardly anyone ever uses. Zones are simple to understand: the "Internet" is all sites that aren't in one of the other three zones. "Local intranet" is for stuff inside your firewall or company. "Trusted sites" and "Restricted sites" are buckets for you to configure.
This is easy to do because, if you're like most surfers, you've got around 10 or 20 sites that you read every day, which are usually book-marked, then you follow links from these sites to hundreds of other sites. If this sounds like you, then click Tools -> Options and then the "Security" tab in Internet Explorer. Next, click "Trusted sites" and then the "Sites" button. Add the URLs from your bookmark page to this zone.
This allows you to set different security attributes for each of the four zones. For trusted sites, you can leave it default, or modify it if some of the sites require something special. Do this by pressing the "Custom Level..." button at the bottom of the Options dialog box.
Now, you can adjust the Internet zone's settings to disable or prompt you before any JavaScript is executed, by clicking the "Internet" icon and then pressing the "Custom Level..." button. These settings won't bother your regular sites, since they're not in this zone anymore, but it will keep some new site from opening five new windows and maximizing them, or hiding your menu and tool bars, etc.
____________________________________________________
I'm already using various tools to make it easier to accomplish the objectives of the above article and thought by sharing those here this would be more helpful to others that share my concerns.
IE Spyad - Advertising and Site Blocking through IE Zones
»www.staff.uiuc.edu/~ehowes/resou···#IESPYAD
IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known advertisers, marketers, and spyware pushers to the Restricted sites zone of Internet Explorer. Once IE-ADS.REG is "merged" into your Registry, most direct marketers and spyware pushers will not be able to resort to their usual "tricks" (e.g., cookies, scripts, popups, et al) in order to monitor and track your behavior while you surf the Net.
Please note that by adding domains and servers to Restricted sites zone of Internet Explorer, IE-ADS.REG cannot cause Internet Explorer to start blocking ads. You will still see the ads. The Restricted sites zone merely imposes limits on the types of things that those domains and servers can do with your web browser. For example, IE-SPYAD will:
* REDUCE THE NUMBER OF OBNOXIOUS SCRIPT-BASED POPUPS that clutter your screen and force unwanted advertising on you;
* BLOCK THE COOKIES TYPICALLY ATTACHED TO BANNER ADS and which are used to monitor and track your travels around the Internet;
* PREVENT THE USE OF ACTIVEX, JAVA, AND SCRIPTING -- active content technologies that can be used to compromise your privacy and security;
* PROTECT YOU AGAINST AUTO-INSTALLING CRAPWARE from spyware pushers (e.g., BonziBuddy, Gator, Lop.com, et al) that can invade your system, monitor your computer and Internet use, and trash your PC.
---
Enough is Enough!
»www.staff.uiuc.edu/~ehowes/resource6.htm
Enough is Enough! is a lockdown utility for Internet Explorer 5 and 6. When you install Enough is Enough!, it will:
* Lock down your Internet and Restricted sites zones with restrictive settings for dangerous options like ActiveX, Java, scripting, and a few others.
* Severely restrict the use of cookies (but not completely disable them for trusted web sites or for single session use).
* Disable several Advanced settings, including Install on Demand and Third-party Browser Extensions (Optional--Don't use this feature if using a pop-up stopper utility).
* Install Microsoft's IE PowerTweaks WebZone Accessory, putting two new options on your IE Tools menu, with corresponding buttons on your Toolbar: "Add to Trusted Zone" and "Add to Restricted Zone."
---
IE Zone Editor
»www.geocities.com/_SemperFi_/ieze/
What is Internet Explorer Zone Editor?
Internet Explorer Zone Editor is a program that will allow you to edit and modify Internet Explorer Security Zones.
What can IE Zone Editor do?
Add new security zones with icon, name, description of your choice. Edit default security zones (My Computer, Internet, Intranet, Trusted, Restricted).
Add an unlimited? custom security zones.
Note, per the author of this add-on: IE Zone Editor does not work with Internet Explorer Version 6.0.2600.0000
---
SpywareBlaster
»www.wilderssecurity.com/spywareblaster.html
SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
How? By setting a "kill bit" for the CLSIDs of spyware ActiveX controls, it prevents the installation of any of them from a webpage. You can run Internet Explorer with Active-X enabled, but you will never even get a "Yes/No" box popped up, asking you to install a spyware Active-X control (Internet Explorer will never download or run it!). All other Active-X controls or plug-ins will work fine.
---
How to disable or remove the Windows Scripting Host
»securityresponse.symantec.com/av···ing.html
How to disable (or re-enable) the Windows Scripting Host: The program Noscript.exe will disable the Windows Scripting Host. this will prevent viruses from executing automated scripts. Please note that disabling the WSH will prevent all scripts from running on the system.
WSH Anti-Polymorphism Patch
»www.diamondcs.com.au/web/patches···atch=wsh
What is the general purpose of this patch?
To prevent Windows Scripts (such as VBScript and Javascript) from being able to read/write themselves, making Windows Script polymorphism nearly impossible through conventional means.
[text was edited by author 2002-11-12 14:44:33] |
|
mrprotocols
join:2002-08-14
Oakland, CA | nice one thank you |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
|  reply to ninersfan
I'll have to say that for all its security flaws, Internet Explorer's different zones are something I would like to see in other browsers, Opera in particular. Turning off Javascript entirely in Opera works - but it would be nice to be able to turn it off for the general "Internet Zone" just like in IE, and still keep it on for some select few "Trusted Zone" sites. [/hint to browser developers]
--
Mors Principium Est. |
|
jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
 ·Speakeasy
| reply to ninersfan
Some good information there that can never repeated often enough. Also, listing some of the tools you find that work well and the reasons that you like them is is excellent. Another site to look at for some really good information is »www.markusjansson.net/erecent.html. Markus is another of our DSLR subscribers and a big help re: security issues.
--
JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! |
|
R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:
| reply to ninersfan
I don't believe IE Zone Editor is "IE6-ready". It is not the developers fault, but MS modified the way zones are handled in IE6.
Instead of "No Script", I would have recommended Jason's Script Sentry.
Also, Jason's Trust Setter makes adding sites to the Trusted zone much faster. |
|
ninersfan
join:2001-02-09
Hayward, CA
| reply to Tuulilapsi
Enough is Enough (top screen shot) adds two easy buttons to your IE toolbar
for easily adding good/bad sites to either your trusted or restricted zones with a single click.
IE-SPYAD's Restricted sites list is based on info from the latest HOSTS file of Stephen Martin (»www.smartin-designs.com/).
(second screen shot shows it in action)
SpywareBlaster in action (3rd screen shot)
Norton Script Disabler/Enabler In Action (4th screen shot)
DiamondCS Security Enhancer
WSH Anti-Polymorhphism Patch (one time application)
(5th screen shot)
And one scripting fix I forgot to include in my first post:
javacool's Windows Media Player Scripting Fix
About This Program
WMP, by default, supports a dangerous feature that allows scripting to be embedded within media files. WMP will then execute the scripting when the media file is played.
The WMP Scripting Fix is a small application that disable Windows Media Player scripting simply, and easily, with the press of a button - scripting can also be re-enabled at a later date with this same program.
available from: »www.wilderssecurity.com/wmpscriptingfix.html
(6th and 7th Screen Shots)
It's also important to be aware of what Browser Helper Objects are "hooked into your Internet Explorer" and make sure they are ones intended and desired.
You will note mine are: A popup stopper, Norton Anti-virus and Acrobrat Reader (8th Screen Shot)
BHOCaptor 0.5
»www.webattack.com/get/bho.shtml
BHOCaptor lets you control the Internet Explorer Browser Helper Objects (BHOs) that are installed on your system. It makes it easy to see what BHO's are installed and to de-activate them. A BHO is a COM DLL that allows developers to customize and control Internet Explorer. |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
 ·Optimum Online
 ·Vonage
| reply to ninersfan
Power Tweaks Web Accessories also adds two functions, nicely hidden on your drop down Tools menu, rather than cluttering up your toolbar: add to restricted site/add to trusted site.
Says its for W95, but works on 98 as well. Not sure about other OS.
»www.microsoft.com/windows/ie/pre···twks.asp
--
»www.sarahbrightman.co.uk »www.sarah-brightman.com/ |
|
R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:
|  That is the first time I have even heard my buttons described a "cluttering up your toolbar"!!
Most users find the buttons easier to use the the Menu items. But I must agree, the Restricted sites button is less useful than the Trusted sites one. |
|
ninersfan
join:2001-02-09
Hayward, CA
| reply to La Luna
said by La Luna  :
Power Tweaks Web Accessories also adds two functions, nicely hidden on your drop down Tools menu, rather than cluttering up your toolbar: add to restricted site/add to trusted site.
Enough is Enough functions the same way you mention, with ability to add/remove from the drop down tools menu OR toolbar (first screen shot).
And, with all toolbar icons these can be removed based on your own preferences simply by using the "customize toolbar option" (second screen shot). |
|
dja
The 'd' is silent ... unlike the member.
Premium
join:2002-03-25
Niagara
| reply to R2
Re: your buttons
For some reason, when I click your buttons,
I get a ScriptSentry error.
SS has been behaving weirdly lately,
and I no longer have a merge option
when I right-click a .reg file.
Hmmm?
--
We, are but high apes ..... confusing awareness, with enlightenment. tfpj |
|
R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs: | Hehe. Are you sure that isn't a TrustSetter error?
Jeez, with the fonts you use, no wonder your computer has problems. 
Maybe time to re-install ScriptSentry?? |
|
ninersfan
join:2001-02-09
Hayward, CA
| reply to dja
said by dja :
For some reason, when I click your buttons,
I get a ScriptSentry error.
SS has been behaving weirdly lately,
and I no longer have a merge option
when I right-click a .reg file.
Hmmm?
Well, I just installed "Script Sentry" to try and duplicate your problem there dja and Ive got it configured according to screen shots posted...
Question, do you first have to enable Windows Scripting Host via noscript.exe for Script Sentry to function properly?
said by jasons-toolbox.com:
Version 2.7.1
Posted: Thursday July, 4th, 2002
Download (164KB)
(Requires Visual Basic 6 Runtimes and Windows Scripting Host.)
I just did the configurations, screen shots above.
Basically, default configurations (with the exception of leaving js [ ] unchecked as I feel I have that appropriately handled through other means previously posted.
--
Where DON'T you want to go Today? |
|
Komputerguy
join:2001-03-29
Melbourne, FL
| reply to R2
Re: How to Cope with Internet Scripting Annoyances
said by R2 :
I don't believe IE Zone Editor is "IE6-ready". It is not the developers fault, but MS modified the way zones are handled in IE6.
It may not be his fault but if MS changed the way it works, he should not "wait around" to see if Microsoft "fixes it" if there is any aspirations to make it work with newer versions of IE. He most likely will be waiting a LONNNNGG time.
--
What can possibly go wrong? |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage
| reply to R2
said by R2 :
That is the first time I have even heard my buttons described a "cluttering up your toolbar"!!
Most users find the buttons easier to use the the Menu items. But I must agree, the Restricted sites button is less useful than the Trusted sites one.
LOL, I'm sorry, no insult intended. A poor choice of words on my part.
EDIT: Can we make these screen shots any BIGGER? LOL, looks like MY screenshots! Glad to see I'm not the only one that does it.
--
»www.sarahbrightman.co.uk »www.sarah-brightman.com/
[text was edited by author 2002-11-12 19:51:53] |
|
Komputerguy
join:2001-03-29
Melbourne, FL
| reply to ninersfan
said by ninersfan :
"Trusted sites" and "Restricted sites" are buckets for you to configure.
I would be REAL careful about adding anything into your trusted sites list. If I understand XSS correctly and one of the sites you put in the "Trusted sites" zone is susceptible to XSS, then you could be very vulnerable.
--
What can possibly go wrong? |
|
ninersfan
join:2001-02-09
Hayward, CA
| said by Komputerguy :
said by ninersfan :
"Trusted sites" and "Restricted sites" are buckets for you to configure.
I would be REAL careful about adding anything into your trusted sites list. If I understand XSS correctly and one of the sites you put in the "Trusted sites" zone is susceptible to XSS, then you could be very vulnerable.
Is this solution not effective?
XSS Exploit Patch 1.0.0 for PHPNuke and phpbb2
port: »phpnuke.org/modules.php?name=New···sid=4136
Zhen-Xjell writes "This adds code functionalilty to prevent a newly found XSS vulnerability in PHP Nuke and phpbb2 port. Code developed on PHP-Nuke 5.5 and phpbb2 port 2.0.5. The exploit occurs due to the use of quotation marks. This script simply removes them.
This fix is based on the XSS Vulnerability as mentioned here.
Code has been tested at both Computer Cops and Tony Laudanski
ref: »Re: Are you addicted to Security?
--
Where DON'T you want to go Today? |
|
Komputerguy
join:2001-03-29
Melbourne, FL
| said by ninersfan :
said by Komputerguy :
said by ninersfan :
"Trusted sites" and "Restricted sites" are buckets for you to configure.
I would be REAL careful about adding anything into your trusted sites list. If I understand XSS correctly and one of the sites you put in the "Trusted sites" zone is susceptible to XSS, then you could be very vulnerable.
Is this solution not effective?
XSS Exploit Patch 1.0.0 for PHPNuke and phpbb2
port: »phpnuke.org/modules.php?name=New···sid=4136
It may be entirely effective. For those web servers for which is is applicable, that is. What about web sites running entirely with something other than php like PERL cgis or ASP? And will you know the web site you put in the trusted sites list is patched with PHPNuke or whatever it requires to become immune to XSS? You can run tests on each candidate "trusted site" yourself fairly easily. And that's what I would recommend people do before putting it in the list.
--
What can possibly go wrong? |
|
R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs:
| reply to Komputerguy
said by Komputerguy :
It may not be his fault but if MS changed the way it works, he should not "wait around" to see if Microsoft "fixes it" if there is any aspirations to make it work with newer versions of IE. He most likely will be waiting a LONNNNGG time.
Agreed, but it is somewhat challenging. The way it is right now, things do not work the way they are supposed to -- and it appears to be due to a coding error on Microsoft's part....
You aren't supposed to use ScriptSentry with NoScript. They don't play well together.
If you don't trust a site, don't add it to your Trusted Sites. Perhaps this is too simple, but that is the way I look at it.
[text was edited by author 2002-11-12 20:39:23] |
|
ninersfan
join:2001-02-09
Hayward, CA
| reply to Komputerguy
said by Komputerguy :
It may be entirely effective. For those web servers for which is is applicable, that is. What about web sites running entirely with something other than php like PERL cgis or ASP? And will you know the web site you put in the trusted sites list is patched with PHPNuke or whatever it requires to become immune to XSS? You can run tests on each candidate "trusted site" yourself fairly easily. And that's what I would recommend people do before putting it in the list.
Well, what would you recommend users do that need to run some scripts, I would think the option of selectively adding sites you are comfortable with to your trusted zones is better then not having tightened script settings in the first place?
Maybe you can add your recommendations how to deal with this issue since you brought it up. Specifically, how would you easily run the "test" you mention on a "candidate" for inclusion in one's trusted zone?
I think such information would be a valuable contribution to this thread, and other users besides myself may be interested if it's a reasonable effort to take...
--
Where DON'T you want to go Today? |
|
ninersfan
join:2001-02-09
Hayward, CA
| reply to R2
said by R2 :
You aren't supposed to use ScriptSentry with NoScript. They don't play well together.
That's what I thought, just wanted to make sure before "enabling" Windows Scripting Host. |
|
