Tuesday, October 21, 2008

Clickjacking: The latest Internet threat cloaks Web links

Clickjacking allows an attacker to literally steal your mouse clicks: clicking a simple button to see the next page of an article may actually trigger something entirely different, such as logging on to your online checking account. A wayward click can download malware to your PC without your knowledge. To make it worse, all browsers and other Web software are susceptible to clickjacking. Criminals can hijack your system by intercepting clicks on what appear to be legitimate links, exploiting vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, as well as popular Web tools such as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in.

In clickjacking, surreptitious links lurk behind clickable buttons. Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, describe the scope most clearly in a blog posting:

"There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

Adobe's Flash player is also exploited by hackers, who can use it to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Attacks may also be launched via iFrames by using cross-site scripting techniques. Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat's complexity.
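To make the overlay variant from the quote concrete from a defender's side, here is an added example (not from the original post, and not how NoScript or any vendor implements its protection): a heuristic that flags iframes whose inline style makes them near-invisible or stacks them above other page content. The sample HTML, the `.example` URLs and the function names are constructed for illustration, and it inspects inline `style` attributes only.

```javascript
// Constructed sample page: a visible button, one hidden overlaid frame,
// and one ordinary embedded frame. URLs are placeholders.
const SAMPLE_HTML = `
<button id="next">Next page</button>
<iframe src="https://other-site.example/account"
        style="position:absolute; top:0; left:0; opacity:0.0; z-index:10"></iframe>
<iframe src="https://video.example/embed" style="width:560px; height:315px"></iframe>
`;

// Parse an inline style attribute into a lowercase property map.
function parseStyle(style) {
  const props = {};
  for (const decl of style.split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) {
      props[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
    }
  }
  return props;
}

// Return one finding per iframe whose inline style hides it or stacks it
// over other content. Heuristic only: styles applied by stylesheets or
// scripts are not visible to this check.
function findSuspiciousFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const style = (tag.match(/\bstyle\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const css = parseStyle(style);
    const reasons = [];

    const opacity = parseFloat(css.opacity);
    if (!Number.isNaN(opacity) && opacity < 0.1) reasons.push('near-transparent');

    const positioned = css.position === 'absolute' || css.position === 'fixed';
    if (positioned && parseInt(css['z-index'], 10) > 0) reasons.push('overlaid');

    if (reasons.length > 0) findings.push({ src, reasons });
  }
  return findings;
}

for (const f of findSuspiciousFrames(SAMPLE_HTML)) {
  console.log(`suspicious iframe ${f.src}: ${f.reasons.join(', ')}`);
}
```

A frame that is positioned over content but fully visible is common on legitimate pages, so the `overlaid` reason on its own is a prompt for review rather than a verdict.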

Securing your browser in a clickjacking world?

Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe.

* Adobe: The Flash vendor has issued a patched version that will help keep you safe from Flash-based attacks. See the company's download page. Previously, the company had posted a security advisory containing a workaround.

* Mozilla Foundation: Install Giorgio Maone's open-source NoScript plug-in to block execution of JavaScript except for sites you approve. NoScript is free, though the vendor requests a donation. The add-on lets Firefox users designate the sites on which scripts are allowed to run and blocks JavaScript on all other sites.

* Microsoft: To date, the company has taken a noncommittal stance in regard to the clickjacking threat. Microsoft responds to questions by referring users to the company's Security Support page.

* U.S. Computer Emergency Readiness Team (US-CERT): The agency provides a document that describes how to protect IE, Firefox, Safari, and other browsers from a range of attacks.

No system is 100% immune to the new threat, so be conservative in visiting untrustworthy sites until the applications you use are made more secure. Since most malware attacks occur on adult sites and on sites that offer game-cracking software, keep your browsing rated PG-13. Always think twice before you click, even on sites where you could reasonably expect to be safe from such attacks.

To repeat the precautions: (1) use the Firefox browser with Giorgio Maone's NoScript script-blocking add-on installed (donation requested) and allow only trusted sites to run scripts, (2) update to the latest version of Adobe's Flash Player, (3) stay away from questionable sites, and (4) use the Firefox browser with WOT (Web of Trust), which warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 20 million websites (green to go, yellow for caution and red to stop), helping you avoid the dangerous sites. Surf safer and add WOT to your Firefox.

Also see: Sandboxie front line browsing defence

Recast via Stuart J. Johnston, "All browsers are vulnerable to clickjacking"
