
Thursday, October 16, 2008

Beware of clickjacking

All browsers are vulnerable to clickjacking

By Stuart J. Johnston

The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.

What's worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.

Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button - for example, to see the next page of an article - you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.

The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in.

"If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security," Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.

Disguised links lurk behind clickable buttons

In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.

Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.

They point out that even users who watch their systems like a hawk can be victimized.

"There's really no way to know if what you're looking at is real," Hansen told Windows Secrets.

In fact, Hansen and Grossman found so many new ways to attack your PC - and your Mac - that they categorize these threats as a "new class" of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.

Clickjacking isn't new. In fact, it dates back to at least 2002, Hansen said. What's new is the range of browser vulnerabilities that make clickjacking possible.

Hansen's blog posting describes the scope most clearly:

"There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forging] to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites.

