Script Blockers
While technically correct, the statement quoted above is misleading in the extreme because the number of web sites that use scripts legitimately far, far outweighs the number that seek to damage your systems.
By the same logic, we would block email programs and web browsers from accessing the Internet because they could allow attacks. Or, block Windows from being installed on PCs. Or block Windows PCs from being able to access the Internet because so many have been subverted and used for attacks and to send spam.
Sure, you can do it, but it's a draconian solution to a small problem.
Scripts are not computer viruses and are not likely to be "trojan horse programs" either. A trojan horse is a malicious program that you download when you are expecting something nice — like a game or a screen saver.
Just to be clear, intent is a significant part of a "trojan." A bug or a mislabelled file isn't a trojan horse; on the other hand, a game that surreptitiously opens a channel for an IRC Bot or that installs unexpected adware is a trojan horse.
A script in a web page could be a VECTOR, that is, a mechanism for installing trojans, downloaders and adware — which is the big problem with Internet Explorer's ActiveX.
The scripts that are exclusively I.E. (VBScript and ActiveX) give the programmer full access to your system. Microsoft seems to be learning, but too slowly.
JavaScript is a language that web browsers understand, but each web browser is programmed with its own way of handling JavaScript, just as it is programmed to handle HTML.
JavaScript is limited in what it can do, by design, because the designers recognized the importance of security. MS's ActiveScript (unlike most companies, MS named its interpreter for JavaScript) should be just as good a JavaScript interpreter as the others — except that Microsoft's market share means the bad guys are most often trying to attack Microsoft's programs.
Almost always, a script on a web site makes a menu work, makes an image change when you mouse over it, makes a web page do a different thing the 2nd time you visit it, or shows advertising that the web publisher needs to keep the web site economically viable. In other words, almost always, a script on a web site is designed for a legitimate function.
On the other hand, why should an email program even be capable of running a script?
There have been numerous security holes in Outlook and Outlook Express because they allowed VBScript scripts in emails to run when the emails were opened. In my opinion, there is no legitimate reason for a script to be included in an email.
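A mail gateway or client can act on the position above, that email has no legitimate need for scripts, by flagging script-capable markup in HTML parts. The following is an added example, not code from the original post; the tag list, function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Elements that carry or load active content in an HTML mail body.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

class ActiveContentFinder(HTMLParser):
    """Collects script-capable constructs found in one HTML part."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers such as onload=
                self.findings.append(f"{name} handler on <{tag}>")
            # Drop whitespace so "java\tscript:" is still recognised.
            compact = "".join((value or "").split()).lower()
            if compact.startswith(SCRIPT_SCHEMES):
                scheme = compact.split(":", 1)[0]
                self.findings.append(f"{scheme}: URL in {name} on <{tag}>")

def scan_message(raw_bytes):
    """Return active-content findings across every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample messages (not from the original post).
HEADERS = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n")
SCRIPTED = HEADERS + (b'<html><body onload="go()">'
                      b'<script language="VBScript">MsgBox 1</script>'
                      b'<a href="java\tscript:go()">x</a></body></html>\r\n')
CLEAN = HEADERS + b'<html><body><a href="https://example.com/">x</a></body></html>\r\n'

if __name__ == "__main__":
    for label, raw in (("scripted", SCRIPTED), ("clean", CLEAN)):
        print(label, scan_message(raw))
```

A non-empty result is a reason to strip the HTML part or quarantine the message rather than render it.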
Microsoft Office is getting its share of attacks through scripts — and has ever since the macro attacks with the early versions of Microsoft Word. One of the Office security issues announced in June was an ActiveX issue in Word — the same security-challenged ActiveX that Internet Explorer uses.
VBScript and ActiveX also are the vectors for malware infections. Or, the attacker could even do something as simple and effective as formatting a hard drive. VBScript and ActiveX simply are not adequately security-limited — MS must have thought about "how to do things" and not "how things might be misused." Security-consciousness has been a discovery, and re-discovery, at Microsoft in recent years.
Sometimes, you will find web publishers who deliberately require you to enable JavaScript in order to view the content. That may be so that they can combine more functionality into the same screen space. It also may mean that they want you to see the advertising that the web site uses to support itself.
Ad blockers
Robert A. Heinlein, one of my favorite science fiction authors, coined the term TANSTAAFL.
TANSTAAFL — There Ain't No Such Thing As A Free Lunch.
Just like brick-and-mortar businesses, web sites (and newsletters) have to make money to stay in business. The authors and owners cannot simply give away time and effort — there must be a monetary return. Sites may charge for membership, others may charge for specific inquiries, some newsletters may charge for subscriptions — but most are supported by advertising — and much of that advertising involves images that the adblockers seek to block.
Anyone who goes to web sites, but blocks advertising, is either naive, not thinking about the impacts of what they are doing, or just not playing fairly. By blocking advertising, you can destroy the economic viability of sites by depriving them of any chance at income.
If sites don't make money, your "free web resources" aren't going to be there! Enjoy them while you can...
More from the email...
Both these programs seem to work well, but NoScript seems to have more features. I like the added protection they offer...I plan to continue evaluation of both till I decide on which one to keep....One item of consideration is whether scripts can be spread only by visiting websites, or whether they can come via e-mail....
JavaScripts are not "spread." They are contained. They are contained in the code of a web site.
VBScripts are not "spread." They are contained in the code of a web site or of an email. Again, I can think of no reason why an email should run a script. Somebody at Microsoft thought it would be cute — before MS discovered that security really was an issue.
ActiveX scripts are not "spread." They are actually small programs that have full access to your computer. If you don't use IE, you don't have to worry about them.
But, use IE and visit a site that wants to stick you with malware and you'll get an ActiveX control that downloads a "downloader" — which then downloads whatever the slimeball wants to send you — porn server, spam spewer, ad popups, ad overlays (that show different ads on a site than the site owner put there), etc.
A good anti-virus program and a good anti-adware/anti-spyware program with always-running protection are far better protection than a script blocker. I recommend and use NOD32 and CounterSpy, as you have read here many times.
Sunday, Apr 12
Script Blockers and Ad Blockers
tags: web browsers | author: chao