
    Latest browser threat: Clickjacking


    Security pros are trying to make sense of a new bug found by
    researchers that apparently affects various Web browsers, including
    Microsoft's Internet Explorer.



    The new threat, revealed late last week by SecTheory LLC CEO Robert
    Hansen and Jeremiah Grossman, WhiteHat's chief technology officer,
    is being called "clickjacking." According to these researchers,
    clickjacking happens when users are directed to malicious Web sites
    where hackers lie in wait to take control of a user's browser
    profile.



    The clickjacking technique "gives an attacker the ability to trick
    a user into clicking on something only barely or momentarily
    noticeable," explained a warning on the homepage of the United
    States Computer Emergency Readiness Team (US-CERT). "Therefore, if a
    user clicks on a web page, they may actually be clicking on content
    from another page."



    The vulnerability reportedly can affect multiple browsers and even
    Web applications, such as Adobe's Flash. Browsers at risk include
    Internet Explorer, Mozilla Firefox, Apple's Safari, Opera and
    Google's new Chrome browser, which altogether constitute more than
    95 percent of browser market share, according to Aliso Viejo,
    Calif.-based Net Applications.



    "It's pretty pervasive," said Ryan Naraine, an IT security analyst
    at U.K.-based Kaspersky Lab. "[The exploit] attacks a fundamental
    flaw in the way most browsers work, and cannot be fixed with a
    simple patch."



    Moreover, a hacker doesn't need access to a trusted Web site to
    roll out a clickjack, the researchers say. It's not so much a Web
    site security issue; rather, it's something that browser vendors
    need to fix.



    Hansen and Grossman were slated to expound on the threat and its
    implications at last week's OWASP NYC AppSec 2008 Conference. They
    postponed their conference talk on the vulnerability at the
    request of Adobe and other "affected vendors," which wanted to
    wait until a systemic workaround or hotfix could be applied.



    Redmond, Apple and Google have yet to comment on the threat.
    However, Mozilla on Monday released updates to its Thunderbird
    v2.0.0.17 e-mail application and Firefox v3.0.3 Web browser in an
    effort to "address multiple vulnerabilities." The updates are
    designed to prevent hackers from executing "arbitrary code,"
    stealing personal information, undertaking cross-site scripting and
    denial of service attacks as well as clickjacking.



    Experts say that NoScript, a security add-on to Firefox that blocks
    JavaScript execution, is designed to defend against most attack
    scenarios.
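    Client-side add-ons aside, the systemic fix browsers later adopted is to honour a page's own anti-framing declarations: the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive. The JavaScript below is an added example, not code from the article or the researchers; it audits a response's headers and reports whether an untrusted site could still frame, and therefore overlay, the page. The header sets are constructed samples, not real sites.

```javascript
// Added example (not from the article). Given a page's HTTP response headers,
// decide whether a browser that honours X-Frame-Options / CSP frame-ancestors
// would let an untrusted site load the page in a frame, the precondition
// for a clickjacking overlay. Assumption: headers is a plain object keyed
// by lower-case header name.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (lower-cased), or null if absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  const csp = headers['content-security-policy'];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources !== null) {
    if (sources.length === 0 || sources.includes("'none'")) {
      return { frameable: false, reason: "CSP frame-ancestors 'none'" };
    }
    // '*' or a bare scheme source such as 'https:' admits any origin.
    if (sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) {
      return { frameable: true, reason: 'CSP frame-ancestors admits arbitrary origins' };
    }
    return { frameable: false, reason: `CSP frame-ancestors limited to: ${sources.join(' ')}` };
  }
  const xfo = headers['x-frame-options'];
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { frameable: false, reason: `X-Frame-Options: ${value}` };
    }
    // ALLOW-FROM was never implemented by every browser and unrecognised
    // values are ignored, so either leaves the page exposed somewhere.
    return { frameable: true, reason: `X-Frame-Options "${xfo}" is not honoured by every browser` };
  }
  return { frameable: true, reason: 'no anti-framing header: any site can overlay this page' };
}

// Constructed sample responses (not real sites) used to exercise the check.
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  denied: { 'x-frame-options': 'DENY' },
  partner: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  cspWins: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' },
};

function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLES)) report[name] = framingPolicy(headers);
  return report;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```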



    Hansen and Grossman said on Friday that they plan to release their
    research and a proof-of-concept exploit but won't do so until Adobe
    issues a patch.



