Linked by Howard Fosdick on Sat 31st Dec 2011 07:57 UTC
Bugs & Viruses Columbia University researchers claim millions of HP printers could be open to remote attack via unsecured Remote Firmware Updates. Cybercriminals could steal personal information or attack otherwise secure networks. HP agrees there is a theoretical security problem but says no customer has ever reported unauthorized printer access. The company denies some of the claims and is still investigating others.
RE[3]: Surprised ?
by ssokolow on Sat 31st Dec 2011 17:55 UTC in reply to "RE[2]: Surprised ?"
ssokolow Member since:
2010-01-21

> Actually, you can't do that with JavaScript. As I mentioned the attacker just places an <img>-tag.
>
> Well, I guess you can do that with JavaScript but it doesn't have any advantage over using an image.
>
> They might use JavaScript to generate a long list of <img>-tags to try different IP-addresses though.
>
> Just sending a longer HTML-page is easy too of course.
>
> So the only thing you are protecting yourself against in this case is an attacker who expects JavaScript to be available and working.


You misunderstand. NoScript's name is unfortunate because it hasn't merely whitelisted JavaScript for a very long time.

The ABE module hooks into Firefox's HTTP subsystem and is capable of inspecting and refusing any request not made completely independently by a plugin like Java or Flash.

By design, it does intercept exploits made using <img> tags, stylesheet <link>s and @imports, and all manner of other mechanisms attackers can imagine.

(Of course, it doesn't block exploits via Java or Flash-native HTTP, which is why I also use the securely-implemented FlashBlock-like functionality too)

Score: 4
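
The request-level filtering described in the comment above, as an added example that is not part of the original thread and is not NoScript's code: a simplified model in which the allow/deny decision depends only on where a request comes from and where it goes, so an <img>, a stylesheet or a script pointed at a LAN address gets the same answer. The function names, the address ranges treated as local and the sample requests are assumptions constructed for illustration.

```javascript
// Simplified model of a request-level boundary check (not NoScript's code).
// All names and sample requests here are constructed for illustration.

// Parse a dotted-quad IPv4 literal; returns null for anything else.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// True for loopback, RFC 1918 private and link-local destinations.
function isLocalHost(host) {
  if (host === "localhost" || host === "[::1]") return true;
  const ip = parseIPv4(host);
  if (!ip) return false; // other hostnames: a real filter checks the resolved address
  const [a, b] = ip;
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// The decision looks only at origin and destination. `kind` (img, stylesheet,
// script, ...) is kept for reporting and never influences the outcome.
function decide(req) {
  const dest = new URL(req.url).hostname;
  if (!isLocalHost(dest)) return "allow"; // destination is not on the LAN
  if (!req.origin) return "allow"; // no originating page, e.g. typed by the user
  return isLocalHost(new URL(req.origin).hostname) ? "allow" : "deny";
}

// Constructed sample requests: one public page, one page served from the LAN.
const SAMPLES = [
  { kind: "img", origin: "http://news.example/story", url: "http://192.168.1.50/status" },
  { kind: "stylesheet", origin: "http://news.example/story", url: "http://192.168.1.50/a.css" },
  { kind: "script", origin: "http://news.example/story", url: "http://10.0.0.7/x.js" },
  { kind: "img", origin: "http://192.168.1.10/admin", url: "http://192.168.1.50/logo.png" },
  { kind: "img", origin: "http://news.example/story", url: "http://cdn.example/pic.png" },
  { kind: "document", origin: null, url: "http://192.168.1.50/" },
];

// Return one "decision kind destination" line per request.
function evaluate(requests) {
  return requests.map((r) => `${decide(r)} ${r.kind} ${new URL(r.url).hostname}`);
}

console.log(evaluate(SAMPLES).join("\n"));
```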

RE[4]: Surprised ?
by Lennie on Sun 1st Jan 2012 01:55 in reply to "RE[3]: Surprised ?"
Lennie Member since:
2007-09-22

Ohh, I wasn't aware of that. That explains a lot.

I don't use it, I think it has the wrong whitelist method.

Score: 2

RE[5]: Surprised ?
by ssokolow on Sun 1st Jan 2012 16:30 in reply to "RE[4]: Surprised ?"
ssokolow Member since:
2010-01-21

> Ohh, I wasn't aware of that. That explains a lot.
>
> I don't use it, I think it has the wrong whitelist method.


Fair enough but, these days, it IS basically a collection of all the security features that aren't in Firefox because they may require too much technical understanding for granny. (e.g. FlashBlock-like click-to-play, ABE, an XSS filter, clickjacking protection, etc.)

Have you tried using NoScript with the whitelisting turned off ("Globally Allow Scripts" mode)? You can use the other features without it.

Score: 2