Windows Vista Forums

Vista - Clickjacking

09-25-2008   #1


Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64
 
 

Clickjacking

I have found this article in my ZDNet newsletter - it is of concern as we are all too trusting!


Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?



According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait.
According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

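The article quoted in post #1 says that not letting yourself be framed prevents cross-domain clickjacking. The sketch below is an added example, not part of the thread or the article: it audits HTTP response headers for the two header-based ways a site can refuse to be framed, X-Frame-Options and the CSP frame-ancestors directive, neither of which is mentioned on this page. The function names and the sample responses are made up for illustration.

```javascript
// Added example (not from the thread). Header names are real; the sample
// responses at the bottom are constructed.

// Source list of the CSP frame-ancestors directive, or null when absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Classify who may embed a response in a frame: nobody, same-origin,
// allowlist (needs manual review) or anyone (no protection).
function framingPolicy(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);

  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // Browsers that support frame-ancestors ignore X-Frame-Options when it is set.
    if (sources.every((s) => s.toLowerCase() === "'none'")) return { framable: "nobody", via: "csp" };
    if (sources.includes("*")) return { framable: "anyone", via: "csp" };
    if (sources.every((s) => s.toLowerCase() === "'self'")) return { framable: "same-origin", via: "csp" };
    return { framable: "allowlist", via: "csp" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { framable: "nobody", via: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { framable: "same-origin", via: "x-frame-options" };
  // Missing or unrecognised values, including the obsolete ALLOW-FROM, are
  // reported as unprotected so that they get flagged for review.
  return { framable: "anyone", via: xfo ? "x-frame-options (unrecognised)" : "none" };
}

// Constructed sample responses.
const samples = {
  "/login": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  "/account": { "X-Frame-Options": "sameorigin" },
  "/widget": { "Content-Security-Policy": "frame-ancestors 'self' https://partner.example" },
  "/legacy": { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  "/home": { "Content-Type": "text/html" },
};

for (const [path, headers] of Object.entries(samples)) {
  const { framable, via } = framingPolicy(headers);
  console.log(`${path.padEnd(9)} framable by ${framable} (${via})`);
}
```

As the quoted article notes, refusing to be framed only addresses the cross-domain case; it does nothing about clicks hijacked on the attacker's own page.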
09-25-2008   #2


Vista Home Premium 32bit
 
 

Re: Clickjacking

I wish they wouldn't publish articles like this. Since there is no "fix", "patch" or "update" at this time it will just freak people out. Just stay away from the porn sites and don't click on any banners. The internet will never be 100% secure.
09-25-2008   #3


Ultimate 64!!!
 
 

Re: Clickjacking

Yeah the bigger they make the issue the more people find out and maybe more "hackers" are willing to get in on this....

It does suck and I hope IE and FF fix this somehow. Has to be a fix, it's only code lol.
09-25-2008   #4


Windows 7 Professional 64-bit
 
 

Re: Clickjacking

Who knows, it may only be a threat to first time computer users, but then that's been true for a long time so maybe it's nothing to worry about for intermediate/experienced users.
09-26-2008   #5


Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64
 
 

Re: Clickjacking

You are quite right of course the more experienced you are the less chance of doing something 'crazy', but then that is why there are forums such as Vista Forums - to help the experienced and inexperienced and to share that which might do harm as per the above article.
09-26-2008   #6


Windows Vista™ Ultimate
 
 

Re: Clickjacking

It's things like this that make me feel better about UAC preventing IE and FF from getting full permissions to the OS and thus preventing the entire PC from being compromised and instead only one application.
09-26-2008   #7


Windows 7 Professional 64-bit
 
 

Re: Clickjacking

Perhaps an article about this and what to do to prevent it might be an idea.
09-26-2008   #8


Vista Ultimate w/SP1 (32-bit) and Windows 7 Build 7000 (64-bit)
 
 

Re: Clickjacking

I don't really see how bad of a risk this could be... You can't get your computer infected by simply clicking on a link. Unless this Clickjacker can also make you click on the file it (possibly) downloads to your computer then there aren't really any issues.
09-26-2008   #9


Microsoft® Windows Vista™ Ultimate x64 SP2 Windows 7 7127 x64
 
 

Re: Clickjacking

Freelancer, read the following again -

'In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.'

And not everybody knows when they are visiting a malicious website anymore.

Last edited by echrada; 09-26-2008 at 06:12 AM.. Reason: extra info
09-26-2008   #10


Windows Vista™ Ultimate
 
 

Re: Clickjacking

Quote: Originally Posted by echrada
Freelancer, read the following again -

'In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.'

And not everybody knows when they are visiting a malicious website anymore.
Quote: Originally Posted by swarfega
Perhaps an article about this and what to do to prevent it might be an idea.

Swarfega,

The 64bit FF and IE7/8 don't have the same flaw.