Tuesday, September 30, 2008

Browser-Makers Seek Clickjacking Fix

What is clickjacking? Security pros are trying to make sense of a new bug found by researchers that apparently affects various Web browsers, including Microsoft's Internet Explorer.

The new threat, revealed late last week by SecTheory LLC CEO Robert Hansen and Jeremiah Grossman, WhiteHat's chief technology officer, is being called "clickjacking." According to these researchers, clickjacking happens when users are directed to malicious Web sites where hackers lay in wait to take control of a user's browser profile.

The clickjacking technique "gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," explained a warning on the homepage of the United States Computer Emergency Readiness Team, or CERT. "Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."

The vulnerability reportedly can affect multiple browsers and even Web applications, such as Adobe's Flash. Browsers at risk include Internet Explorer, Mozilla Firefox, Apple's Safari, Opera and Google's new Chrome browser, which altogether constitute more than 95 percent of browser market share, according to Aliso Viejo-Calif.-based Net Applications.

"It's pretty pervasive," said Ryan Naraine, an IT security analyst at U.K.-based Kaspersky Lab. "[The exploit] attacks a fundamental flaws in the way most browsers work, and cannot be fixed with a simple patch."

Moreover, a hacker doesn't need access to a trusted Web site to rollout a clickjack, the researchers say. It's not so much a Web site security issue; rather, it's something that browser vendors need to fix.

Hansen and Grossman were slated to expound on the threat and its implications at last week's OWASP NYC AppSec 2008 Conference. They postponed their conference talk on the vulnerability at the request of Adobe and other "affected vendors," which wanted to wait until a systemic workaround or hotfix could be applied.

Redmond, Apple and Google have yet to comment on the threat. However, Mozilla on Monday released updates to its Thunderbird v2.0.0.17 e-mail application and Firefox v3.0.3 Web browser in an effort to "address multiple vulnerabilities." The updates are designed to prevent hackers from executing "arbitrary code," stealing personal information, undertaking cross-site scripting and denial of service attacks as well as clickjacking.

Experts say that NoScript, a security add-on to Firefox that blocks JavaScript execution, is designed to defend against most attack scenarios.

Hansen and Grossman said on Friday that they plan to release their research and a proof-of-concept exploit but won't do so until Adobe issues a patch.

Privacy Uncertain With New IE8 Feature
IE Share Continues Decline but How Far Will It Go?
Peter Facinelli Compares ‘Twilight’ Patriarch Carlisle Cullen To His Breakthrough Role In ‘Can’t Hardly Wait’