
After my father's PC (with Avast and Firefox configured to auto-update in the background) got infected by ransomware, most probably via a drive-by download, I was wondering how I could prevent that in the future, both for him and for me.

I am using Firefox 47.0.1 on Windows 7 x64.

So my question is: is there a way, when you know you are visiting a potentially hazardous link, to open this link in a dedicated "malware-hardened" minimal browser, or version of your browser?

I know of NoScript, of deactivating all plugins and always asking to enable the remaining ones, deactivating PDF in browser and so on. What I would like is an additional layer of protection. So there are five points:

  1. If I have a blank JavaScript whitelist in this "hardened browser", then does NoScript really successfully block all JavaScript-borne threats? i.e. does it prevent any script from actually being fetched from the internet and cached locally, leaving only the bare HTML page being downloaded to your memory?

  2. Among all image formats, which formats are absolutely positively impossible to exploit? I have seen the WMF vulnerability, so WMF is not on that whitelist, but what image formats are?

  3. Based on (2), is there a way (in Firefox or another browser) to allow only the white-listed image formats to be fetched and displayed?

  4. Is running the browser in a virtual machine the ultimate answer? Are there any known cases of "mass-market" malware (i.e. outside of security lab tests) that could break through VMware or similar virtualization software and infect the host PC?

  5. Finally, is there a browser specifically designed to be so minimal and hardened that it simply cannot load anything that could execute as malware? I understand such a browser would probably only display text and links, and maybe a few simple images; that's fine with me though. I just want to be able to view text pages, with text positioned properly (i.e. at least some part of CSS must still be working) with links in them, and yet be safe from everything it could load. I can go back to web 0.5 if it allows me to be as secure as an air-gapped machine is from online threats...

Thank you very much!

MrBrody

1 Answer

First off, there is no "automated" system of hardening your browser when doing potentially risky things other than the mechanisms you're already familiar with. If such a system did exist, it would get exploited within some time and then we'd be right back where we started again. So you see where this is going. It's a point/counterpoint game with security systems trying to keep malware off your machine, and malware writers getting ever more clever by the day.

The most important thing people need to realize is that the biggest exploit on any computer system is the user. In your father's case, it's possible that he might have been a victim of a drive-by download, but it's far more likely that he was simply tricked into downloading the virus himself. Finding and exploiting software vulnerabilities is hard. Lying to people is much easier and much more effective from the malware writer's point of view.

There are only two things that are tried-and-true measures for keeping your computer virus-free:

  • Keep all your software patched and up-to-date.
  • Keep yourself educated and be smarter than the malware.

There are simply no substitutes to these two things. If you fall behind in either then it really doesn't matter what kind of malware protection you have.


Now, to address your questions specifically:

  1. If I have a blank JavaScript whitelist in this "hardened browser", then does NoScript really successfully block all JavaScript-borne threats?

Absolutely it does. If you have not whitelisted a domain, then client-side javascripts from that domain do not run, period. Bear in mind, however, that NoScript does not run on a per-tab basis. If you whitelist a domain, then javascripts from that domain will run in all your tabs.

  2. Among all image formats, which formats are absolutely positively impossible to exploit? I have seen the WMF vulnerability, so WMF is not on that whitelist, but what image formats are?

This is a tough one; technically, all of them are, and none of them are. Every media format (audio, video, and images) has metadata in it. The metadata is supposed to be for embedding information about the file into the file itself (example: EXIF data in a .jpg or .tif file, or the album/artist/track info in an .mp3's ID3 tag). Only a colossal idiot would write a media viewer/player that can execute the metadata as if it were program code. That idiot, as it turns out, is Microsoft, and there is absolutely no excuse for it. I don't know what they were thinking (probably has something to do with DRM crap), but Microsoft created that exploit in the first place during a dark time when they literally thought they could "own" the Internet. I don't know what to tell you here other than to stick with open-source software that doesn't do stupid things like executing a data stream.

  3. Based on (2), is there a way (in Firefox or another browser) to allow only the white-listed image formats to be fetched and displayed?

No. All the common image formats (.jpg, .gif, and .png) are "vulnerable" per the explanation given above. Again, Firefox or Chromium should save you here (I personally don't trust IE or Chrome). Other formats such as .pdf, Flash, Silverlight, Java, etc. are proprietary and are definitely vulnerable because they are closed-source and you have to rely on Adobe, Oracle, and Microsoft to patch exploits found in them. For these, you can just disable the plugin(s) that enable those features or use a blocker that makes you jump through a hoop to display their content.

  4. Is running the browser in a virtual machine the ultimate answer? Are there any known cases of "mass-market" malware (i.e. outside of security lab tests) that could break through VMware or similar virtualization software and infect the host PC?

It's not the "ultimate" answer, but it's a much safer way to browse for the uber-paranoid. A VM is a sandbox from which very few processes can escape. The only two attack vectors are network-based exploits (ones that search for other computers on your network), and attacks on the VM "tools" software itself. Both can be mitigated by using the "isolation mode" feature that all VM products have. Also use a snapshot of a known clean configuration. If you infect the VM with a virus, all you have to do is revert the snapshot to get rid of it. Note that you will have to refresh the snapshot from time to time as you install updates/patches.

  5. Finally, is there a browser specifically designed to be so minimal and hardened that it simply cannot load anything that could execute as malware?

None like you're thinking that will make web browsing a useful activity. Lynx is a popular text-only browser. It does not support images or plugins of any kind. Unfortunately, it's only an acceptable alternative if you're partying like it's 1989. You could also use a Linux Live distro that runs entirely off a CD or USB flash drive. There are many out there. But you'd have to reboot your computer every time you wanted to browse the Internet. Really, there's no practical answer to this question.

On my personal computer, I run Firefox with 5 separate condoms wrapped around it. NoScript, Ghostery, AdBlock Plus, BetterPrivacy, and Self-Destructing Cookies. I've also tweaked a bunch of privacy settings as well. Using that many layers of security and maintaining whitelists for everything is a hassle. I do it because I work in cybersecurity for a living and my whole life is lived under a figurative aluminum foil hat that I wear everywhere I go. But I would never foist such a configuration on an unsophisticated user like your father. If you don't know exactly what you're doing, these plugins make the Internet practically impossible to use at worst, and no better than an unprotected browser at best.

Wes Sayeed
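Points 2 and 3 ask about allowlisting image formats by what they actually are rather than by what a server claims. As an added illustration (not code from the asker or the answerer, and not a browser feature), the check below sniffs an image response's leading magic bytes, passes only allowlisted formats, refuses WMF outright, and flags a declared Content-Type that disagrees with the bytes; the sample payloads are constructed, and the allowlist itself is an assumed policy choice.

```python
"""Magic-byte allowlist check for image responses (constructed samples)."""
from typing import Optional, Tuple

# Leading bytes that identify each format. The BMP prefix is only two bytes,
# so it is the weakest identification in this table.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "bmp":  [b"BM"],
    # WMF: placeable (Aldus) header, or a standard META_HEADER (type 1/2, size 9)
    "wmf":  [b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"],
}

# Assumed policy: WMF is deliberately absent; SVG is absent because it is XML
# that may embed script and cannot be identified by a fixed magic prefix.
ALLOWED = {"png", "jpeg", "gif", "bmp"}

# Content-Type a server is expected to send for each sniffed format.
EXPECTED_MIME = {"png": "image/png", "jpeg": "image/jpeg",
                 "gif": "image/gif", "bmp": "image/bmp"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format whose magic prefix matches the data, or None."""
    for name, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return name
    return None


def check_image(data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Decide whether an image response may be handed to the viewer.

    Returns (allowed, reason). Unknown formats, formats off the allowlist,
    and a Content-Type that contradicts the bytes are all rejected.
    """
    fmt = sniff_format(data)
    if fmt is None:
        return False, "unrecognised format"
    if fmt not in ALLOWED:
        return False, f"format {fmt} not on allowlist"
    if declared_mime.split(";")[0].strip().lower() != EXPECTED_MIME[fmt]:
        return False, f"declared {declared_mime!r} but bytes are {fmt}"
    return True, fmt


if __name__ == "__main__":
    # Constructed payloads; only the leading bytes matter to this check.
    print(check_image(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"))
    print(check_image(b"\xd7\xcd\xc6\x9a" + b"\x00" * 18, "image/png"))  # WMF sent as PNG
    print(check_image(b"GIF89a" + b"\x00" * 10, "image/jpeg"))  # header/bytes mismatch
```

A real deployment would run this in a filtering proxy on every `image/*` response, since the browser itself offers no such per-format switch.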