I had a lengthy discussion with Giorgio Maone (author of the NoScript extension) about what is a security solution and what isn’t. Starting point was my statement that, while being excellent for getting rid of annoyances, neither Adblock Plus nor NoScript are really security solutions. Both have the potential, so why not?
Let’s look at the easier case first: Adblock Plus. Adblock Plus is structured as a blacklist, you usually specify the addresses that you don’t want to load. So if there is a security issue that can be solved by blocking a certain address you will have to add a filter for this address. Requiring an action for each single vulnerability discovered disqualifies Adblock Plus, a real security solution would need to block everything unless explicitly allowed. Right now only the extremely rare case of malware-infested ads would be blocked by default however.
Ok, that isn’t exactly true. I use Adblock Plus to ensure the security of my Thunderbird. My blacklist in Thunderbird has only one filter: “*”. Yes, I block everything unless it is explicitly allowed with an exception rule like “@@|http://img.worsethanfailure.com/*”. So why can’t you do the same in the browser? Because it would make web surfing impossible, unlike a mail client the browser is supposed to connect to numerous different servers. Still, once two new features are in place they will allow you to add some general rules to you list, e.g. “*$object” and “*$script,third-party”. The former will block all objects — those are rarely really needed and you will be able to unblock individual objects temporarily on case-by-case basis. The latter will block all scripts the page loads from third-party servers, those are always a security risk (I wonder whether this will actually break any pages). But until these features are in place and properly documented Adblock Plus isn’t a security solution.
Ok, you need an XSS vulnerability. Is it difficult to find one? In my experience — no. Two weeks ago I looked for XSS vulnerabilities on Yahoo just to prove the point and easily found 8 of them. One (and another one I found later) is still open, and I am sure that hadn’t I reported them all these vulnerabilities would still be open and allow me to run my attacks. Note that Yahoo is one of the more secure sites on NoScript’s default whitelist, the extreme case being bugzilla.mozilla.org that is vulnerable to XSS by design.
All this together means that NoScript will only protect against an attacker who either doesn’t know about NoScript or is too lazy to work around it. Giorgio Maone said that he will remove the default whitelist which is certainly an improvement — but guessing what a user has in his whitelist is still easy (and NoScript users are really forced to whitelist sites). IMO anything that depends on attacker’s ignorance or laziness cannot be called a security solution — sorry, NoScript.
To reiterate the point: it isn’t enough to block by default, you also have to make sure that it is reasonably complicated for an attacker to make an exception apply to him. You don’t see it only in NoScript, Internet Explorer’s zone policies suffer from the same issue — they become worthless the moment you manage to inject your code into some page in the trusted zone. That’s why this model was never implemented in Gecko, it only lulls users into a false sense of security. Even the whitelist in Adblock Plus suffers from this issue if used improperly — that’s one of the reasons I have been so harsh on Filterset.G that uses very general whitelisting making it easy for advertisers to create virtually unblockable ads.