Latest Internet Security (NOT) heads up.
---------- Forwarded Message -----------
From: "V."
Subject: Clickjacking ... new cross-browser exploit; NoScript fix . . .
September 25th, 2008
Clickjacking: Researchers raise alert for scary new cross-browser
exploit
Posted by Ryan Naraine @ 7:50 am
[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible
mitigation ]
Researchers are beginning to raise an alarm for what looks like a scary
new browser exploit/threat affecting all the major desktop platforms:
Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and
Adobe Flash.
The threat, called Clickjacking, was to be discussed at the OWASP NYC
AppSec 2008 Conference but, at the request of Adobe and other affected
vendors, the talk was nixed until a comprehensive fix is ready.
The two researchers behind the discovery, Robert Hansen and
Jeremiah Grossman, have released droplets of information to highlight
the severity of this issue.
So, what exactly is Clickjacking?
According to someone who attended the semi-restricted OWASP
presentation, the issue is indeed zero-day, affects all the different
browsers and has nothing to do with JavaScript:
* In a nutshell, it's when you visit a malicious website and the
attacker is able to take control of the links that your browser
visits. The problem affects all of the different browsers except
something like lynx. The issue has nothing to do with JavaScript so
turning JavaScript off in your browser will not help you. It's a
fundamental flaw with the way your browser works and cannot be fixed
with a simple patch. With this exploit, once you're on the
malicious web page, the bad guy can make you click on any link, any
button, or anything on the page without you even seeing it
happening.
[ SEE: Adobe Flash ads launching clipboard hijack attack ]
If that's not scary enough, consider that the average end user would
have no idea what's going on during a Clickjack attack.
* Ebay, for example, would be vulnerable to this since you could embed
javascript into the web page, although, javascript is not required
to exploit this. "It makes it easier in many ways, but you do not
need it." Use lynx to protect yourself and don't do dynamic
anything. You can "sort of" fill out forms and things like that.
The exploit requires DHTML. Not letting yourself be framed
(framebusting code) will prevent cross-domain clickjacking, but an
attacker can still force you to click any links on their page. Each
click by the user equals a clickjacking click so something like a
flash game is perfect bait.
According to Hansen, the threat scenario was discussed with both
Microsoft and Mozilla and they concur independently that this is a tough
problem with no easy solution at the moment.
Grossman confirmed that the latest versions of Internet Explorer
(including version 8) and Firefox 3 are affected.
* In the meantime, the only fix is to disable browser scripting and
plugins. We realize this doesn't give people much technical detail
to go on, but it's the best we can do right now.
Ryan Naraine is a journalist and social media enthusiast specializing in
Internet and computer security issues. He is currently security
evangelist at Kaspersky Lab, an anti-malware company with operations
around the world.
http://blogs.zdnet.com/security/?p=1972
~~~
September 25th, 2008
Firefox + NoScript vs Clickjacking
Posted by Ryan Naraine @ 2:59 pm
In response to my story earlier on the cross-browser Clickjacking
exploit/threat, I received the following e-mail from Giorgio Maone,
creator of the popular Firefox NoScript plug-in:
Hi Ryan,
I've seen a lot of speculation and confusion in the comments to
your Clickjacking article about NoScript not being able to
mitigate [the issue].
I had access to detailed information about how this attack works
and I can tell you the following:
* It's really scary
* NoScript in its default configuration can defeat most of the
  possible attack scenarios (i.e. the most practical, effective
  and dangerous); see this comment by Jeremiah Grossman himself.
* For 100% protection by NoScript, you need to check the
  "Plugins|Forbid <IFRAME>" option.
Cheers,
Giorgio
I also received private confirmation from a high-level source at an
affected vendor about the true severity of this issue. In a nutshell, I
was told that it's indeed "very, freaking scary" and "near impossible"
to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept
exploits with speculation around clickjacking.
http://blogs.zdnet.com/security/?p=1973
~~~
NoScript
http://noscript.net/
~
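The "framebusting code" mentioned in the first article, sketched as an added example from the site owner's side (not code from the articles, the researchers or NoScript; frameGuard, mockWindow and the shop.example / evil.example hosts are hypothetical). As the article notes, this only addresses cross-domain framing of your own page; it does nothing about clicks on the attacker's own page.

```javascript
// Added example (not from the article): defensive framebusting.
// Functions take a window-like object so they also run under Node.

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true; // unreadable parent: assume framed
  }
}

// True only when the parent's location is readable and on the same host.
function framedBySameOrigin(win) {
  try {
    return win.top.location.host === win.self.location.host;
  } catch (e) {
    return false; // cross-origin parents throw on location reads
  }
}

// Returns 'top', 'same-origin-frame' or 'busted'.
function frameGuard(win) {
  if (!isFramed(win)) return 'top';
  if (framedBySameOrigin(win)) return 'same-origin-frame';
  // Fail closed: hide the page so a transparent overlay has nothing to hit.
  win.document.documentElement.style.display = 'none';
  try {
    win.top.location = win.self.location.href; // ask the top window to load us directly
  } catch (e) {
    // Navigation refused; the page stays hidden.
  }
  return 'busted';
}

// Constructed stand-in for a window; parentHost === null means not framed.
function mockWindow(host, parentHost) {
  const win = { location: { host, href: 'https://' + host + '/' },
                document: { documentElement: { style: {} } } };
  win.self = win;
  win.top = parentHost === null ? win : {};
  if (parentHost === host) win.top.location = { host };
  else if (parentHost !== null) Object.defineProperty(win.top, 'location', {
    get() { throw new Error('SecurityError'); },
    set(url) { win.top.navigatedTo = url; },
  });
  return win;
}

if (typeof window !== 'undefined') frameGuard(window);
```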