10/2/2008
What is clickjacking? Security pros are trying to make sense of a new bug found by researchers that apparently affects various Web browsers, including Microsoft's Internet Explorer.
The new threat, revealed late in September by SecTheory LLC CEO Robert Hansen and Jeremiah Grossman, WhiteHat's chief technology officer, is being called "clickjacking." According to these researchers, clickjacking happens when users are directed to malicious Web sites where hackers lie in wait to take control of a user's browser profile.
The clickjacking technique "gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," explained a warning on the homepage of the United States Computer Emergency Readiness Team, or CERT. "Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."
The vulnerability reportedly can affect multiple browsers and even Web applications, such as Adobe's Flash. Browsers at risk include Internet Explorer, Mozilla Firefox, Apple's Safari, Opera and Google's new Chrome browser, which altogether constitute more than 95 percent of browser market share, according to Aliso Viejo, Calif.-based Net Applications.
"It's pretty pervasive," said Ryan Naraine, an IT security analyst at U.K.-based Kaspersky Lab. "[The exploit] attacks a fundamental flaw in the way most browsers work, and cannot be fixed with a simple patch."
Moreover, a hacker doesn't need access to a trusted Web site to roll out a clickjack, the researchers say. It's not so much a Web site security issue; rather, it's something that browser vendors need to fix.
Hansen and Grossman were slated to expound on the threat and its implications at last week's OWASP NYC AppSec 2008 Conference. They postponed their conference talk on the vulnerability at the request of Adobe and other "affected vendors," which wanted to wait until a systemic workaround or hotfix could be applied.
Redmond, Apple and Google have yet to comment on the threat. However, Mozilla on Monday released updates to its Thunderbird v2.0.0.17 e-mail application and Firefox v3.0.3 Web browser in an effort to "address multiple vulnerabilities." The updates are designed to prevent hackers from executing "arbitrary code," stealing personal information, undertaking cross-site scripting and denial of service attacks as well as clickjacking.
Experts say that NoScript, a security add-on to Firefox that blocks JavaScript execution, is designed to defend against most attack scenarios.
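As an added example that is not from the article or from the researchers it quotes: a page-side check a Web application can run to learn whether it has been loaded inside another origin's frame, which is the condition the "clicking on content from another page" trick depends on, and a policy that keeps sensitive controls hidden until the page confirms it is top-level. The window objects at the bottom are constructed stand-ins so the logic runs outside a browser.

```javascript
// Classify how this document is being displayed. `win` is any object shaped
// like a browser window (win.top, win.self, win.top.location); passing it in
// lets the same logic run under Node against constructed windows.
function framingState(win) {
  // A top-level document cannot be the hidden target under someone else's page.
  if (win.top === win.self) return "top-level";
  try {
    // Reading the top frame's URL works only when the parent is same-origin;
    // browsers throw a SecurityError when the parent is a different origin.
    void win.top.location.href;
    return "framed-same-origin";
  } catch (e) {
    return "framed-cross-origin";
  }
}

// Defensive policy: reveal sensitive controls only when the page is top-level,
// or framed by its own origin if the site explicitly allows that.
function shouldRevealControls(win, allowSameOriginFrames) {
  const state = framingState(win);
  if (state === "top-level") return true;
  if (state === "framed-same-origin") return Boolean(allowSameOriginFrames);
  return false;
}

// Browser glue (hypothetical usage): the controls start hidden in CSS and are
// shown only after the check passes.
function applyPolicy(win, doc, allowSameOriginFrames) {
  const controls = doc.getElementById("sensitive-controls");
  if (controls && shouldRevealControls(win, allowSameOriginFrames)) {
    controls.style.display = "block";
  }
}

// --- Constructed window objects standing in for real browser windows ---
function makeTopLevelWindow() {
  const w = { location: { href: "https://bank.example/transfer" } };
  w.top = w; w.self = w;
  return w;
}
function makeFramedWindow(crossOrigin) {
  // A cross-origin top frame exposes a location whose href cannot be read.
  const topLocation = {};
  Object.defineProperty(topLocation, "href", {
    get() {
      if (crossOrigin) throw new Error("SecurityError: cross-origin frame");
      return "https://bank.example/portal";
    }
  });
  const w = { top: { location: topLocation }, location: { href: "https://bank.example/transfer" } };
  w.self = w;
  return w;
}
```

A check like this runs only where JavaScript runs and can be interfered with by the framing page, so it complements rather than replaces the browser-side fixes the article says vendors need to ship.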
Hansen and Grossman said on Friday that they plan to release their research and a proof-of-concept exploit but won't do so until Adobe issues a patch.
A Microsoft spokesperson released a statement about clickjacking by e-mail.
"Microsoft is investigating the new public claims of a possible vulnerability in Internet Browsers and is in dialog with the researcher(s)," the e-mail stated. "Microsoft is currently unaware of any attacks trying to use the claimed vulnerability or of customer impact and the company will take steps to determine how customers can protect themselves should they confirm the vulnerability."
If an action is necessary, Microsoft would release a security update through its monthly patch cycle or an "out-of-cycle update," the spokesperson added.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.