Microsoft preps fix for IE 8 flaw that makes safe sites unsafe

Microsoft will release an update intended to rid Internet Explorer 8 of a vulnerability that can enable serious security attacks against websites that are otherwise safe. The change, which will be introduced in June, will be the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site …

COMMENTS

This topic is closed for new posts.
  1. Will Godfrey Silver badge

    Curious

    Microsoft manages 3 patches in 6 months and still can't seem to get it right. NoScript ticks along with regular updates, and if there are any exploits against it I've yet to hear of them.

  2. Anonymous Coward

    In other news...

    "the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site scripting filter, attacks against websites."

    Oh noes! This is their third attempt - have they got it right this time?

    Is there *any* MS software that doesn't have a security risk? What about "calculator" and "solitaire"?

  3. Neal 5

    @Will Godfrey

    I believe that there is some confusion that you are continuing to promote. Tell me if I'm wrong, my assumption is that the XSS filter in IE8 assumes web sites to be whitelisted but filters the script, NoScript on the other hand assumes all sites to be blacklisted, blocking all scripts and basically leaving just HTML, and that you must manually set NoScript to whitelist the site before any scripts work. Now, I assume you have either the time to manually examine all the script on a website before you manually turn NoScript on to whitelist the site, or you just don't or can't be bothered to manually do either or both.

    Whatever, NoScript is not invincible, and there are and will be again cases of NoScript being exploited, as it has been in the past. If you really require that your machine remain uninfected to the extent that browsing becomes a chore, the safest option of all is, not to browse.

    1. Anonymous Coward

      @ Neal 5

      Have a look at this > http://noscript.net/features#xss

  4. Anonymous Coward

    @Neal 5

    Or just use Opera and have the choice of whitelisting OR blacklisting scripting.

    You can disable scripting across the board, and turn it on for individual sites

    OR you can allow scripting across the board, and disable it for individual sites.

    (F12 opens site preferences, Shift F12 opens global preferences)

    You can of course apply the same logic to Plugins, Animated Images, sounds, Flash, Content Blocking and Cookie Handling to create the perfect setup and balance of functionality/security/privacy. You can of course just use a Private Tab too. (In 10.5x click on the New Tab button and select New Private Tab; all browsing in this tab is private.)

  5. Tom Melly

    Am I Missing Something?

    The article implies that IE8 will attack the site, not the user. If so, why is this IE's problem? The sites will still be vulnerable to black-hatters, who can use whatever tool they want.

    I may well have got the wrong end of the stick - cross-site scripting attacks make my head hurt...

  6. noboard

    Grinds my gears

    What gets me at the moment is that if a site has a valid certificate but displays non-secure content, the padlock is removed on standard SSL sites. If you happen to have one of the stupidly expensive SSL certs that turn the bar green, displaying insecure content still displays the padlock.

    MS in bed with VeriSign to force people to pay for the overpriced SSL certs?

  7. Mike 137 Silver badge

    Why?

    The real reason for this and similar foul-ups from all vendors is the appallingly low level of expertise among developers/programmers. Sure they can _code_ but they clearly can't see the functional implications of the code they create.

    Until software development becomes a genuine engineering discipline performed according to sound core principles by attentive, thoughtful and competent people, things will never change for the better, and we'll go on having to apply streams of patches. Would you fly in a plane that required "patching" every few days? Not bloody likely! So why do we tolerate it in software? Probably only because the vendors already have us by the balls, so we hand them our hearts and minds.

  8. Will Godfrey Silver badge

    @Neal 5

    You might like to take a look at the NoScript website. It does rather more than you seem to think.

    Also, I find a general 'block' policy far more useful than a general 'allow' policy. Apart from anything else my browser runs faster and cleaner without the dozen or so third party scripts that seem to come with most websites these days (and are of no benefit at all to me).

    As for your last comment... bit silly really.

  9. mhenriday

    Why do otherwise competent computer users

    persist in using Internet Explorer to browse the web? I merely ask....

    Henri

    1. Anonymous Coward

      My employer makes me

      At work, I'm denied from using anything other than IE. Almost never worked anywhere that did allow any other browsers.

      At home I use Chrome.
