No NoScript and WOT!
-
No NoScript and WOT!
I received an email report yesterday that really shocked me: It seems that the most popular/widely used Firefox addons pose a security vulnerability: NoScript (!!), WOT and others. As far as I can interpret, each Firefox extension is a separate "entity," not part of a single extension architecture, and is therefore vulnerable. I immediately disabled the above. But NoScript?? Oh, no! Here I was thinking how secure this critical extension is, but according to the report, it turns out that there is a false sense of security, like the revelation of PayPal's "security." ellenc (P.S. My computer and I feel naked without NoScript.)
-
-
Have a read through this: Firefox Cross-Extension vulnerability discovered - gHacks Tech News
It seems to advise the same as responders to your post on another forum. (There's no need to worry unless you installed a malicious add-on in addition to WOT or NoScript.)
It should not be possible to install a malicious add-on unless you have overridden add-on signing requirements.
My personal choices:
I run browsers under stripmyrights so that, even if compromised, files cannot execute or be written to in system folders.
So, to use the image shown in the linked article, nothing can execute in system folders.
I also use EMET:
Enhanced Mitigation Experience Toolkit (EMET)
and VoodooShield Pro:
VoodooShield free blocks exploits and more
NOTE: VoodooShield Pro is a paid-for program and is not really suitable for inexperienced users.
EDIT:
If you are worried you can scan your current extensions (.xpi file extension) by uploading to VirusTotal.
C:\Users\Username\AppData\Roaming\Mozilla\Extensions
I have just a single unsigned extension and it scans clean.
EDIT 2:
That's my 20 extensions scanned. One false positive detection so no need to disable WOT.
Last edited by Callender; 14 Apr 2016 at 15:10.
Reason: add info
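An added example, not part of the original posts: a Python sketch of the extension check described above. It lists each .xpi file (a ZIP archive) under a directory, computes its SHA-256 so the file can be looked up on VirusTotal by hash, and flags files that lack the META-INF/mozilla.rsa entry carried by Mozilla-signed add-ons. The function names and sample files are constructed for illustration, and the presence check does not validate the signature, which Firefox does itself.

```python
import hashlib
import io
import zipfile
from pathlib import Path

# Entry that Mozilla's add-on signing places inside a signed XPI (PKCS#7 signature).
SIGNATURE_ENTRY = "meta-inf/mozilla.rsa"


def inspect_xpi(path):
    """Return SHA-256 and signature-file presence for one .xpi file."""
    data = Path(path).read_bytes()
    record = {"name": Path(path).name,
              "sha256": hashlib.sha256(data).hexdigest(),
              "valid_zip": True, "has_signature_file": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = {n.lower() for n in archive.namelist()}
    except zipfile.BadZipFile:
        record["valid_zip"] = False  # truncated download or not an XPI at all
        return record
    # Presence only: this does not verify the signature cryptographically.
    record["has_signature_file"] = SIGNATURE_ENTRY in names
    return record


def inventory(extensions_dir):
    """Inspect every .xpi under a directory tree, sorted by path."""
    return [inspect_xpi(p) for p in sorted(Path(extensions_dir).rglob("*.xpi"))]


def build_sample_dir(root):
    """Constructed sample input: one 'signed', one unsigned, one corrupt file."""
    root = Path(root)
    with zipfile.ZipFile(root / "a_signed.xpi", "w") as z:
        z.writestr("manifest.json", "{}")
        z.writestr("META-INF/mozilla.rsa", b"placeholder, not a real signature")
    with zipfile.ZipFile(root / "b_unsigned.xpi", "w") as z:
        z.writestr("manifest.json", "{}")
    (root / "c_corrupt.xpi").write_bytes(b"not a zip")
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory(build_sample_dir(tmp)):
            print(rec)
```

To run it against a real profile, pass the extensions directory to `inventory()` and review any entry where `has_signature_file` or `valid_zip` is false.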
-
No NoScript cont
Thank you ever so much for the time and effort made to provide me with this information. I'll be studying it and will no doubt follow your advice. A million thanks. ellenc
-
-
As a follow up - I found an article that you might like to read:
April security sensationalism and FUD
It explains better than I can why you should not worry about NoScript.
As for the mentioned "embedded font exploits" I added the registry key even though I use EMET.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
-
NoScript and WOT
I greatly appreciate your thoughtfulness in providing this follow-up. ec