Is it safe to run Javascrpt in a browser yet?

[malbyqui]

I've been a paid user of Malwarebytes for many years.

Around 2004 I did a ton of research on Windows infections.  Javascript on web pages was shown to be a huge percentage of the infection vectors.  And considering that I scan email-attached documents with VirusTotal before I open them in a Sandboxie instance, javascript appeared to be the pretty much the only way I'd ever get infected.  So I installed NoScript in Firefox and I've been using it to severely limit javascript for the last decade.  I've never been infected, that I know of, and I scan often with Eset and MWB.  

Over the years, though, more and more sites don't work without javascript.  In the last year it has gotten to be a big problem.  I'm starting to move all my browsing into Firefox in Sandboxie, so I can run javascript, but this is a terrible solution because everything (bookmarks, etc.) get dumped at the end of the session.  So I'm looking into the javascript question again.  I'd love some feedback.

1. is javascript still a huge hole in security, or has it somehow become 'safe' to allow web pages to run javascript?  A quick scan of the Malwarebytes forum shows a lot of javascript malware.

2. Does anyone have an opinion of Sandboxie, or should I just give up, and run a Linux VM for my browsing? 

3. If I don't allow javascript in my browser, is there any way to get infected by just browsing? 

[Jcolagrossi]

While there are loads of ways to get infected, I believe our anti-exploit tool can help protect your browsers from java script exploit based delivery of malware.  Have you played with MBAE as of yet? 

You can check it out and even pull down a trial of it from here https://www.malwarebytes.org/antiexploit/

[malbyqui]

But javascript.... are people much safer if they don't run javascript on websites?

[David H. Lipman]

You are safer if you don't access the Internet.

It is like crossing the road.  If you have your head buried in a cell phone and don't look both ways before entering into the road to cross it, you may get run over.  This is called situational awareness.  You must be aware of your surroundings in cyberspace as you must be aware when cross a busy road.

Cars are dangerous.  You can be killed by one or you can get killed in one.  However if you are cognizant of your surroundings and take due care, you decrease the dangers ( risk ) and increase your safety.

JavaScript is an interpreted scripted language that plays many roles.  Your anti virus software will scan any JavaScript and detect if there is malicious code.  Not visiting questionable sites to keep yourself safe in cyberspace is akin to not entering a bad neighbourhood alone at night.

Right now there is a greater threat from JavaScripts that comes to you in email in an archive attached to the email.

Jake has expressed that Malwarebytes' Anti-Exploit can help marginalize malicious JavaScripts.  That's true but only to a limited extent.  The JavaScript would have to take advantage of the scripted language in an odd, unusual or unexpected way.  Otherwise the the JavaScript will be interpreted as running a JavaScript is a normal operation.  The  same goes with Visual Basic Scripts ( VBS / VBA ).  You are concerned over JavaScript but oblivious to the equal risks that VB scripts can also pose.  You are worried about JavaScripts but, what about VB Scripts ?  What about malicious Java Jars ?  You can compare your worry over JavaScripts to protecting your home.  If you concentrate on protecting the front door, you may neglect the back door or a window.  The idea here is you must look at protecting one's home in an overarching point of view.  Not concentrating on one area but looking at it as protecting all potential points of ingress.  Likewise with computer security.  If you concentrate on one type of malware or one aspect of malware ingress you may ignore other potential threats.  

What I am trying to express here is that yes, JavaScript can be an ingress vector of malware just like you can cross a street and get run over by an automobile.  However there are things you can do and actions you can take, or even actions you don't take, that can greatly mitigate the risk.  Life is chock full of risk and if you use Critical Thought, have situational awareness and practice due diligence, you can greatly mitigate risks in your physical space as well as in cyberspace.

 

Edited June 17, 2016 by David H. Lipman