New Clipjacking affects all browsers

Jeremiah Grossman and Robert “Rsnake” Hansen initially planned to reveal details on a new browser-agnostic clickjacking exploit at the Open Web Application Security Project (OWASP) in New York City this week, but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product. The term “clickjacking” refers to a process by which a user is forced to click on a link without his or her knowledge—the link itself may be nearly invisible or visible for only a fraction of a second.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.” What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konquerer, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx.

In this case, “whatever it is,” actually is the only appropriate label for this new attack method; Grossman and Hansen have released virtually no information on how one would actually exploit the vulnerability. Grossman and his teammate appear to have held off publishing after Adobe requested they do so, rather than as a favor to the browser market. In his blog, Grossman writes: “At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional “exploits,” and that guarding against clickjacking was largely the browser vendors’ responsibility.”

Grossman and Hansen have, however, released a bit of information on what won’t protect a user from the exploit. Turning Javascript off is apparently useless—the attack doesn’t use it. Instead, it takes advantage of what the two call a “fundamental flaw” inherent to all modern browsers, and an issue that cannot be fixed with a quick patch. Using a frame buster script will protect a person from assaults that utilize cross-domain scripting, but will not prevent the attack from operating normally if it’s on a page the user is visiting.

As exploits go, this particular one seems a tempest in a teapot. The vulnerability in question may affect all web browsers, but the total dearth of publicly available data means anyone wanting to utilize it has their work cut out for them. Grossman states that this particular attack is capable of some “pretty spooky,” things, but that’s all the detail we get. I’m not a fan of security through obscurity, but that’s not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw’s existence. Hopefully they also received a bit more information than the public did.


~ by David Barnett on September 27, 2008.

3 Responses to “New Clipjacking affects all browsers”

  1. Do you mean clipjacking, or clickjacking? Your title and content disagree.

  2. Using one streamlined program makes sense. When you have your staff trained on the use of fire, quickest heat reduction can be achieved.
    But most chemicals have never been adequately tested
    for safety due toweaknesses in the federal law, they are
    responsible for. What is a jobs in doncaster Plan? In addition some can offer the services of a fire.

  3. Since it can happen any time, could potentially save your business.

    However, the method won’t be effective if you need to fight off any major disc failures and virus attacks. Just follow @antgoo You can even zip the Online Backup to fit your needs. A fault indicator is also present, along with the package, as well as applications such as MS Exchange. Few steps can be followed and the business so not have to make is physical thumb drive, external hard drives.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: