Reader Jim Hamm wrote to say:
Hi Terry…Enjoy your newsletter…Thanks for publishing it…Here’s something you might want to take a look at – Script prevention…On my two laptops, I’ve installed the following two programs – one on each computer: NoScript (http://www.noscript.net/whats) and ScriptTrap (http://keir.net/scriptrap.html).
As one of the authors states: “Scripts are small programs that are written in a variety of simple computer languages. They can perform useful functions but they can also be used for less useful and sometimes damaging purposes, the prime examples being computer viruses and trojan-horse programs.”
That type of product and that type of quote really light up the fireworks! And, not in a good way…
While technically correct, the statement quoted above is misleading in the extreme because the number of web sites that use scripts legitimately far, far outweighs the number that seek to damage your systems.
By the same logic, we would block email programs and web browsers from accessing the Internet because they could allow attacks. Or, block Windows from being installed on PCs. Or block Windows PCs from being able to access the Internet because so many have been subverted and used for attacks and to send spam.
Sure, you can do it, but it’s a draconian solution to a small problem.
Scripts are not computer viruses and are not likely to be “trojan horse programs” either. A trojan horse is a malicious program that you download when you are expecting something nice — like a game or a screen saver.
Just to be clear, intent is a significant part of a "trojan." A bug or a mislabeled file isn’t a trojan horse; on the other hand, a game that surreptitiously opens a channel for an IRC Bot or that installs unexpected adware is a trojan horse.
A script in a web page could be a VECTOR, that is, a mechanism for installing trojans, downloaders and adware — which is the big problem with Internet Explorer’s ActiveX.
The scripts that are exclusively I.E. (VBScript and ActiveX) give the programmer full access to your system. Microsoft seems to be learning, but too slowly.
Almost always, a script on a web site makes a menu work, makes an image change when you mouse over it, makes a web page do a different thing the 2nd time you visit it, or shows advertising that the web publisher needs to keep the web site economically viable. In other words, almost always, a script on a web site is designed for legitimate function.
On the other hand, why should an email program even be capable of running a script?
There have been numerous security holes in Outlook and Outlook Express because they allowed VBScript scripts in emails to run when the emails were opened. In my opinion, there is no legitimate reason for a script to be included in an email.
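If no script belongs in an email, a mail filter can simply flag any message that carries one. The following is an added example, not part of the original newsletter, that reports script elements, inline event handlers and script-type attachments in a raw message; the extension list, the sample message and the names `ScriptFinder` and `find_scripts` are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed list of script-file extensions to flag as attachments.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

class ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            lang = dict(attrs).get("language") or "unspecified"
            self.findings.append(f"script element ({lang})")
        for name, _ in attrs:
            if name.startswith("on"):  # onload=, onclick=, ... (heuristic)
                self.findings.append(f"event handler {name} on <{tag}>")

def find_scripts(raw_message):
    """Return a list of script indicators found in a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment {filename}")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            finder = ScriptFinder()
            finder.feed(body.decode("utf-8", errors="replace"))
            findings.extend(finder.findings)
    return findings

# Constructed sample message (not taken from the page).
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<body onload="greet()"><script language="VBScript">MsgBox "hi"</script></body>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="card.vbs"

MsgBox "hi"
--b1--
"""
print(find_scripts(SAMPLE))
```

A message with only a plain-text body returns an empty list, so the result can drive a quarantine or strip decision directly.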
Microsoft Office is getting its share of attacks through scripts — and has ever since the macro attacks with the early versions of Microsoft Word. One of the Office security issues announced in June was an ActiveX issue in Word — the same security-challenged ActiveX that Internet Explorer uses.
VBScript and ActiveX also are the vectors for malware infections. Or, the attacker could even do something as simple and effective as formatting a hard drive. VBScript and ActiveX simply are not adequately security-limited — MS must have thought about “how to do things” and not “how things might be misused.” Security-consciousness has been a discovery, and re-discovery, at Microsoft in recent years.
Robert A. Heinlein, one of my favorite science fiction authors, coined the term TANSTAAFL.
TANSTAAFL — There Ain’t No Such Thing As A Free Lunch.
Just like brick-and-mortar businesses, web sites (and newsletters) have to make money to stay in business. The authors and owners cannot simply give away time and effort — there must be a monetary return. Sites may charge for membership, others may charge for specific inquiries, some newsletters may charge for subscriptions — but most are supported by the advertising — and much of that advertising involves images that the adblockers seek to block.
Anyone who goes to web sites, but blocks advertising, is either naive, not thinking about the impacts of what they are doing, or just not playing fairly. By blocking advertising, you can destroy the economic viability of sites by depriving them of any chance at income.
If sites don’t make money, your “free web resources” aren’t going to be there! Enjoy them while you can…
More from the email…
Both these programs seem to work well, but NoScript seems to have more features. I like the added protection they offer…I plan to continue evaluation of both till I decide on which one to keep….One item of consideration is whether scripts can be spread only by visiting websites, or whether they can come via e-mail….
VBScripts are not “spread.” They are contained in the code of a web site or of an email. Again, I can think of no reason why an email should run a script. Somebody at Microsoft thought it would be cute — before MS discovered that security really was an issue.
ActiveX scripts are not “spread.” They are actually small programs that have full access to your computer. If you don’t use IE, you don’t have to worry about them.
But, use IE and visit a site that wants to stick you with malware and you’ll get an ActiveX control that downloads a “downloader” — which then downloads whatever the slimeball wants to send you — porn server, spam spewer, ad popups, ad overlays (that show different ads on a site than the site owner put there), etc.
I believe that a good anti-virus program and a good always-running anti-adware/anti-spyware program with always-running protection are far better protection than a script blocker. I recommend and use VIPRE Antivirus Premium.