Posted by: Ken Harthun
Browsers, Clickjacking, Cybercrime, Firefox, Internet Explorer, Phishing, Security, Vulnerabilities
According to US-CERT‘s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.
A ZDNet blog posting, Firefox + NoScript vs Clickjacking, The Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:
1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]
Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”
For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to insure maximum protection against this and other security risks.
I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.