Yet another attack thats preventable with noscript. If everyone used it properly (eg. not turning on scripts everytime they see a blocked one), cyberspace would be a safer place.

Should we assume that the Linux, *BSD or Apple PCs are immune?

I block "Google Analytics" by default on all websites, regardless of whether I have them on my trusted "White" list..

YEAH!! NOSCRIPT!!!!

...welcome our new polymorphic obfusticating overlords. Got to be an improvement on Europe's current crop of politicians, whose morphing and obfustication leave much to be desired.

...PHORM!

Your comment made my afternoon ;-)

NoScript is great if you don't want to do that much on the 'web.

Sadly almost any website where you want or need to do anything interactive on it (I'm thinking shopping, online banking, library catalogues, you name it) require scripts. So fuck it you either keep safe but fail to do what you need to, or you take a gamble and tentatively enable one of the domains blocked until you get enough functionality working to complete what you need to.

We either need a new way of doing 'useful stuff' on websites that doesn't use scripts, or give up and go back to the old way of going to shops and banks, or calling them up using the phone :-\

you got to admire the brilliance of the minds that can polymorph and obfuscate beyond reasonable detection.

Now if only the got (or could get?) a proper job contributing positively...

Luba kok antud lehel ?

Yeah right !!!!!!!

If this is familiar to anyone using No Script, perhaps they can translate it for the benefit of my teenage daughters and me.

It could be ........... Serbian (?) Russian (?)

Thanks No Script.

I still use it every day, even though I don't know what it says.

ALF

Next thing I knew I was looking at a map of my local drives and a message saying I got a virus detected. Killed the tab instantly.

AVG site labelling reported the site was OK.

But 30 000 web sites invaded. WTF

"NoScript only provides safety in the same way that turning your computer off provides safety"

I agree. I've used NoScript several times in the past and I found it a pain in the ass.

Maybe you NoScripters visit the same selection of sites all the time but I visit new sites on a daily basis. Configuring NoScript every time in an attempt to make each new site half usable turned surfing the web into an ordeal. Did NoScript even stop me getting infected? I doubt it as I never got infected via my web browser before using NoScript. It was, therefore, a massive waste of time.

Now I've switched to Linux and all I need to be secure is my common sense. You NoScripters really need to give it a try sometime if you actually care about security but I suspect many of you only use NoScript because you want the illusion of security.

@ Lionel Baden: good solution, let's wait until somebody steals our bank details or make us part of a DDoSing botnet and *then* we'll start cleaning it up. Never heard the phrase "prevention is better than cure"?

@ John Smith: you probably just fell for an old trick where your browser reflects your system environment variables back at you, and nobody else would see those details. That trick's been around since Windows 95 and has great shock value, but little else.

@ NoScript haters: yes, it's not perfect, but neither is configuring a firewall to allow apps in/out every time I have a new app. Shall we just bother with firewalls either, because they're inconvenient? Oh god, heaven forbid we have a little bit of good old fashioned effort combined with a little bit of good old fashioned common sense, that would surely be too much. Let's just stick with one-click-idiot-level-simple and nice shiny websites that look pretty and deliver malware, than have to make even the slightest, most basic bit of effort. I, too, hated NoScript when I first used it. I've reinstalled it since and taken a little bit of time to figure out how it all works, and now I love it. Grow up and stop viewing the internet in terms of black and white.

What is the effing point of giving out scary advisories with useful information missing... such as the domain names we should be checking for in our log files?

If I may interrupt the lusers boasting about Linux and Noscript for a moment, I'd like to know the details of this "common application" vulnerable to SQL injection. Some of us have to look after these web servers, you know.

The number of sites which absolutely require javascript is decreasing. Nowadays it is much easier to argue for a scriptless fallback to every bit of javascript functionality with clients and pointy-haired bosses, due in part to the rise of NoScript. Which in turn makes it more likely people will use NoScript, confident that sites they're using will still actually work.

Half a million downloads per week is not to be sniffed at (although that probably only translates to about half a million active users, as it is very frequently updated).

Also, I haven't studied this particular attack, but it would be unusual if the script is hosted on the same domain as the site, as that would require two separate modifications to the site's code. In which case the most common NoScript habit of only allowing scripts from the same domain would prevent it from running, assuming the site is in the user's whitelist or actually requires scripts to be enabled. IMO NoScript is "good enough" protection against script-borne attacks. Shame it requires a certain level of knowledge to use effectively.

This is interesting in light of Saturday's other article on El Reg about the M$/Asus puff-piece/FUD website www.itsbetterwithwindows.com for netbooks (http://www.theregister.co.uk/2009/05/30/its_better_with_windows/).

Netbooks with Linux are one of the IT industry's best efforts at producing secure on-line appliances for Jo/Jill Public to use with relative confidence that they won't be pWn3d. All the more so with so many legit websites compromised in this way. Just a shame to see a decent company like Asus get muscled into M$'s monopolistic attempts to crush all that is Open Source.

Now stop your cock waving.

"you probably just fell for an old trick where your browser reflects your system environment variables back at you"

That sounds about right. However my usual response is *never* to click on something offered as a "Solution." Just dump the page. On the up side from the article the attack failed to find any of the silent gaps it would have used otherwise.