I hope this is not true. I asked Giorgio Maone if this is true, but I found information that NoScript does not block SWF ActionScript and one needs a combination of ABP + NoScript + FlashBlock to be protected against the so-called clipboard attack.
Now here was me thinking FlashBlock uses javascript and as such would be blocked by NoScript.
Extract of an email with the flsahblock developer Nov 2005, I have no idea if this situation has changed though as I have subsequently never installed flashblock
.
: Aha! For flashblock to work, you need to enable javascript in Firefox.
: (Tools->Options->Content->Enable Javascript).
: Flashblock will also not work if you are using the NoScript extension,
: but in this case NoScript comes with it's own Flash/Java/etc blocker.
I wasn’t aware that JavaScript was a requirement, my failure to fully
read the available documentation, the FAQ “Flashblock doesn’t work if
NoScript is installed.” However, I don’t have Flash forbiden in
NoScript, this obviously doesn’t allow flashblock to work.
I wanted to clear this one up, because there is so much misinformation going around, you would not, no you would not really believe it, and even on the most trustworthy of sites, you know…
I found the original misinformation here: http://www.security.nl/article/19364/1/Firefox_met_Noscript_kwetsbaar_voor_klembord-malware.html
This says in good Dutch: Firefox_with_NoScript_vulnerable_for_clipboard_malware…
Other sites say NoScript “not always” protect against clipboard malware…
There is a proof of concept here to test: http://raffon.net/research/flash/cb/test.html
NoScript normally blocks it, you have full control over what runs inside the Mozilla browser.
Now Security Nl is cited on so many Dutch security sites (like your The Register etc.)
Does avast protects us against the proof of concept test for instance if you run it in IE7?
Hey polonus,
No, Avast does not protect against the test. I did find out that after running the test, CCleaner will clear the clipboard in IE7, But don’t know if this works with the real thing.
Yep, that is why when I close a computer session I always have a full routine of ATF and ClearProg cleansing combined, my friend. End a computer session with a bit of crap cleaning never did anybody any harm.
Well the proof of concept demonstrated the need for in browser security like NoScript.
I would say if IE8 would come with something similar as NoScript (and please leave the NoScript default settings, else you will do so at your very own risk) I would use it more often, panic button or not?!?
I’m not disputing any of that, just that you can’t use FlashBlock in conjunction with NoScript to combat this (or anything else) as they won’t work together. Unless as I said flashblock no longer uses JavaScript.