1

I am using and getting my friends to use NoScript, and the argument I usually have to use to convince them is "It prevent website to infect you without you downloading something (by yourself)".

But now that I read a bit about malware, I m not so sure anymore about this, and I d like confirmation;

With Firefox updated to last version and NoScript, is it possible to get infected by drive-by-download without actively trying to get infected?

DrakaSAN
  • 113
  • 9
  • 2
    Absent any vulnerabilities that NoScript doesn't account for, which might still allow drive-by downloads, the answer is still "yes". NoScript does whitelisting based on the domain a script is hosted upon - not by individual scripts. So, if a whitelisted domain hosts a script that does drive-by downloading, then you can still be affected by that script. – Iszi Sep 02 '14 at 14:56
  • So stand true as long as the website itself is not infected? – DrakaSAN Sep 02 '14 at 14:57
  • 2
    NoScript will prevent Javascript from executing (if I'm not mistaken). You may still be vulnerable to exploits found in other technologies, such as Air or Flash. – Chris Murray Sep 02 '14 at 15:01
  • 1
    @ChrisMurray NoScript can (and, if I'm not mistaken, does by default) block Flash and other plugins for non-whitelisted domains. – Iszi Sep 02 '14 at 15:21

1 Answers1

0

A drive-by-download can refer to several things.

  • A download that happens with the user's consent, but they didn't really understand that the consequences.
  • A download that happens without the user's consent or knowledge

The first method is not very "drive-by" in my opinion, but it is still useful to recognize that this is still possible.

Tricking someone into downloading a file can be as simple as them thinking they are clicking a regular link and then downloading an EXE, PDF, etc. You don't need JS or a plugin to do this, but it helps. A very simple example would be a "popup" (just a piece of html styled with CSS to look like a popup) that says "you have a problem with your computer, click ok to download a fix." Clicking this would initiate the download of an EXE, that the user may or may not run.

The second method is a little more rare, and little more dangerous because it can affect even the computer-savvy user. This often involves some sort of exploit in the browser/OS itself or a plugin (flash, adobe reader, etc). NoScript would prevent any exploit that relied on javascript/plugin that was hosted on a domain that was not whitelisted. So if you whitelisted security.stackexchange, and someone hacked into the server and added malicious JS, then you would not be safe from this. NoScript will also not protect you from any other OS/browser vulnerabilities that do not get blocked by NoScript obviously. Take for example, the Windows Metafile vulnerability. It required no JS/plugin and allowed for arbitrary code execution on the victim's machine.

The basic answer to your question is that, yes, drive-by-download is still possible with noscript installed. Even technically possible with javascript and other plugins disabled. However, keep in mind that it still helps to mitigate the threat.

Gray
  • 728
  • 4
  • 15