| | Vista - Clickjacking |
| 09-25-2008 | #1 |
| Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64 | Clickjacking

I have found this article in my ZDNet newsletter - it is of concern as we are all too trusting!

Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready. The two researchers behind the discovery — Robert Hansen and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking? According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment. Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected. In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now. |
| 09-25-2008 | #2 |
| Vista Home Premium 32bit | Re: Clickjacking I wish they wouldn't publish articles like this. Since there is no "fix", "patch" or "update" at this time it will just freak people out. Just stay away from the porn sites and don't click on any banners. The internet will never be 100% secure. |
| 09-25-2008 | #3 |
| Ultimate 64!!! | Re: Clickjacking Yeah the bigger they make the issue the more people find out and maybe more "hackers" are willing to get in on this.... It does suck and I hope IE and FF fix this somehow. Has to be a fix it's only code lol. |
| 09-25-2008 | #4 |
| Windows 7 Professional 64-bit | Re: Clickjacking Who knows it may only be a threat to first time computer users, but then that's been true for a long time so maybe it's nothing to worry about for intermediate/experienced users. |
| 09-26-2008 | #5 |
| Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64 | Re: Clickjacking You are quite right of course the more experienced you are the less chance of doing something 'crazy', but then that is why there are forums such as Vista Forums - to help the experienced and inexperienced and to share that which might do harm as per the above article. |
| 09-26-2008 | #6 |
| Windows Vista™ Ultimate | Re: Clickjacking It's things like this that make me feel better about UAC preventing IE and FF from getting full permissions to the OS and thus preventing the entire PC from being compromised and instead only one application. |
| 09-26-2008 | #7 |
| Windows 7 Professional 64-bit | Re: Clickjacking Perhaps an article about this and what to do to prevent it might be an idea. |
| 09-26-2008 | #8 |
| Vista Ultimate w/SP1 (32-bit) and Windows 7 Build 7000 (64-bit) | Re: Clickjacking I don't really see how bad of a risk this could be... You can't get your computer infected by simply clicking on a link. Unless this Clickjacker can also make you click on the file it (possibly) downloads to your computer then there aren't really any issues. |
| 09-26-2008 | #9 |
| Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64 | Re: Clickjacking Freelancer, read the following again - 'In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.' And not everybody knows when they are visiting a malicious website anymore. Last edited by echrada; 09-26-2008 at 05:12 AM.. Reason: extra info |
| 09-26-2008 | #10 |
| Windows Vista™ Ultimate | Re: Clickjacking Freelancer, read the following again - 'In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.' And not everybody knows when they are visiting a malicious website anymore. Swarfega, The 64bit FF and IE7/8 don't have the same flaw |