  • #2262900

    Security issue – Use of JS in TR’s sites and other’s sites


    by oriolus99 ·

    I would like to know what risks/annoyance/displeasure I bring upon myself if I grant JS being executed when reading TR-stuff (in this question I take TR mainly as an example).
    I installed NoScript as an extension in Firefox and now several pieces of JS want to get permission to be executed, originating:
    Honestly I think there will be no harm in executing those scripts (TR cannot afford it if they would), but
    A. what do they do,
    B. how can I generally get an answer to this question by myself, regarding other pieces of JS urging to be executed at numerous other sites, or cannot I?
    BTW, some sites don’t function properly if I deny all scripting; then I simply guess (by name, or by other intuitive triggers) whether to grant a script, running the risk of getting myself into trouble (e.g. giving away my identity or the like).
    I installed McAfee SiteAdvisor as well; can I generally count on no harm whatsoever, if this tool shows the actual site as a ‘green’ one, regarding pieces of JS?

All Answers

    • #2487668


      by oriolus99 ·

      In reply to Security issue – Use of JS in TR’s sites and other’s sites


    • #2505795

      JS on TR

      by jfpsf ·

      In reply to Security issue – Use of JS in TR’s sites and other’s sites

      Question A.
      The call is from Revenue Science (an ad company). The is from TR’s parent company CNET (anything from the domain is from CNET), and again is ad related. The scripts running from are the ones that actually are used on the TR site for functionality. So, technically, the scripts are the only ones you have to run, and the site will work without them (just not as prettily).

      Question B.
      The general question of how you can tell which scripts you should let run is a tough one. There is no good answer. The easiest approach is just to trust particular sites. Major commercial sites are extremely unlikely to be trying to do anything that is intentionally malevolent. We have way too much to lose. On the other hand, that approach leaves you vulnerable if the site you trust gets hacked.

      • #2505781

        Trusting a major site

        by dr dij ·

        In reply to JS on TR

        As others say, ‘Trust but Verify’.

        The problem with this is that they MAY NOT KNOW that they are serving up a threat. Despite widely publicized ad rotator serving up viruses on a major site a few years ago, you rarely hear of this.

        Yet recently, I GOT a virus while surfing a major IT site other than TR. Symantec caught it trying to load an exe into root of C: drive the instant it tried. I notified the site owners. I’m sure it was not on purpose. Someone else on TR said in spyware chat that they get spyware at their company from ads in the website ad rotators regularly.

        I have the hosts file to block many malware sites. Siteadvisor is good but limited to sites it has tried (you can submit sites for review but not instant).

        Try this: disable activex and then browse to, informationweek, eweek, networkcomputing, etc. (you’ll see just about every page saying ‘may not display right because activex is disabled’).

        My guess is that major companies have holes in methods they use to check for malware activex, flash, jscript and probably don’t check jpegs for wmf flaws where stupid MS executes scripts embedded within jpegs or it causes an overflow; however it does this, they can execute arbitrary spyware code.

        The state of security is sad but getting better. Browsers should execute completely in a ‘sandbox’. They should be as indestructible as an appliance. Laundry you throw in your washer shouldn’t be able to reprogram the controls.

        Even emails – I have gotten emails from TWO SECURITY COMPANIES in the last 3 months that had embedded activex! FROM A SECURITY COMPANY!

        Turns out, them signing the email at the bottom, pasting their company address, adds some activex from Word to the email in one case. So they didn’t even know they were doing this!

        • #2504484

          You are absolutely right

          by jfpsf ·

          In reply to Trusting a major site

          Dr. Dij,

          You are absolutely right. The problem is driven by three factors.

          1. The advertisers are constantly demanding more interactivity and tracking in their ad programs. This requires more and more scripting, flash, etc.

          2. Sites are mainly judged by features, not security, so engineering tends to focus on adding new stuff. Moreover, a security review is not baked into most sites’ engineering processes.

          3. There are a lot of employees of major technical companies that aren’t technical themselves.

