Forum latest

Clickjacking Defense Will Require Browser Overhaul
General
Written by Daniel   
Thursday, 02 October 2008 10:58

 The researchers who discovered the new clickjacking attack say fixes won't likely be coming soon

OCTOBER 1, 2008 | 4:40 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading

If you’re looking for a quick fix to protect your users from the new major “clickjacking” Web threat, it’s either disable all JavaScript, ActiveX, plugins, and iFrames, or revert back to an old-school text-based browser (think Linx). In other words, forget graphics or Web 2.0.

A no-GUI browser obviously isn’t realistic, but even disabling the cool features of the Web won’t guarantee protection from this invisible and potentially lethal Web-borne attack, according to Jeremiah Grossman and Robert (RSnake) Hansen, the researchers who discovered it. “There’s no way to avoid it,” says Grossman, CTO of WhiteHat Security . “It’s going to happen… that’s the problem with it.”



Grossman says he plans to finally go public with the details of this new form of clickjacking later this month at the Hack In The Box conference in Kuala Lumpur, Malaysia -- he and Hansen agreed to hold off on disclosing their new findings at last month’s OWASP USA security conference after Adobe requested time to patch an application found to be affected by the attack. (See Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)

The clickjacking concept is nothing new, but the threat that Grossman and Hansen discovered is. It spans multiple browser families and doesn’t even require that a user click on anything. Just loading a compromised page sets off the attack, and clicking on that page will likely make things worse for the victim, they say. “And whether JavaScript is on or off, it will affect you,” he says.

The attacker can slide any malware underneath the mouse such that the user has no idea he or she is in the danger zone. So on the Website, a user could click on a bad link chosen by the attacker and the user would have no clue because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.

Clickjacking is both a Web and a browser problem, but the fixes likely need to come from the browser vendors. But Hansen, founder of SecTheory LLC, says it’s not a single line of code-type fix -- it goes to the way browsers work.

“A true fix would likely require a complete rearchitecting of the browser,” Grossman says. “Those things don't happen quickly -- or maybe ever.”

The researchers have written “generic exploit code” of the attack, which Grossman will demonstrate via a video at Hack in the Box.

Paul Henry, lead forensic investigator for Forensics & Recovery LLC, says clickjacking and other Web threats are not just browser issues -- users aren’t installing the latest browser versions and patches. “We do not necessarily have a browser issue here -- we first and foremost have a browser and plugin patch management issue,” Henry says. “Patch our browsers and associated plugins, and you will dramatically impact Web-borne malware.”

Henry says Firefox 3.03 with a plugin called NoScript "absolutely rocks and is my browser of choice."

NoScript is a Firefox plugin that, among other things performs whitelisting of trusted sites, letting them run JavaScript and plugin content, but can also ban plugins and IFRAMEs on trusted sites as needed, says Giorgio Maone, a security expert who wrote NoScript. It basically lets the user click to enable these features on trusted sites and then “learns” those choices so that it does so automatically.   [DarkReading...]  [Comments...]
 

See also

None found.


Hardware | Windows | Linux | Security | Mobile Devices | Gaming
Tech Business | Editorial | General News | folding@home

Forum | Download Files

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

Links monetized by VigLink

Don't Click Here Don't Click Here Either