It’s Official: Javascript is Dangerous!
Unfortunately, Javascript is now considered to be very dangerous. The folks at SPI Dynamics have discovered a way to use Javascript to essentially compromise your network. You can read a more human-friendly version of how this works on ZDNet, though I am going to explain it here.
In short, what happens is you access a malicious web page from your web browser. The Javascript embeded in this page figures out your IP address, scans your network for hosts, determines the kind of router you have, and changes the configuration of your router to open up the wireless access. The script is downloaded from a valid web connection. The script causes your web browser to make connections to other hosts on your network. While you may be using a NAT router of sorts and/or have a software firewall loaded on your system, these things typically won’t protect you. A NAT router only really protects you from connections originating from the outside coming inside. They do not protect against malicious traffic on the inside of your network. Software firewalls won’t work either because your web browser is considered a valid application.
Unfortunately, there is no “fix” to this problem because Javascript is operating as it was designed. The obvious solution seems to be to turn off Javascript. Nice idea, but many legitimate sites also use Javascript. Disabling Javascript will render those sites unusable. The best thing to do is disable all Javascript (and Active Script on Internet Explorer) for all sites except for sites you trust. Fortunately, Internet Explorer provides a way to do this. Firefox does not, but a plugin called NoScript provides that functionality.
Internet Explorer
Note that the following instructions will disable scripting, ActiveX, and Java for all untrusted sites. This will provide additional protection, which of course can be disabled for trusted sites.
Go to Tools > Internet Options… > Security. Click on the Internet icon, the click on Custom Level. Reset the custom settings to High, click Reset. Click Yes. Then scroll down and set the following options to Disable:
- .NET Framework-reliant components
- Run components not signed with Authenticode
-
Run components signed with Authenticode
- ActiveX Controls and plug-ins
- Binary and script behaviors
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Initialized and script ActiveX controls not marked as safe
- Run ActiveX controls and plug-ins
-
Script ActiveX controls marked safe for scripting
- Microsoft VM: Java permissions
- Miscellaneous:
- Access data sources across domains
- Allow scripting of Internet Explorer Webbrowser control
-
Allow script-initiated windows without size or position control
- Scripting:
- Active Scripting
- Allow paste operations via script
- Scripting of Java applets
Click Ok. Now click Trusted sites, then Sites. Add the web sites you trust to this list (e.g. google.com, phoneboy.com).
Mozilla Firefox
Unfortunately, Firefox does not have a mechanism like Internet Explorer to disable scripting on a per-site basis. However, the Firefox add-on NoScript provides this functionality. Download this plugin and restart Firefox. Click on the little S in the lower right hand corner of the Firefox window and select Options. You will see a number of common domains are already added to the list of sites permitted to use Javascript. Feel free to add your own as needed. Also adjust the other options as desired (e.g. letting you know Javascript was blocked).
Browsing without Javascript
You may find that a lot of sites quite simply won’t work correctly after making this change. You might also find less ads on sites because a lot of ad banners utilize Javascript. Just be aware and enable scripting as needed. For the record, aside from the ad banners, my site should work okay without Javascript enabled. 
