Science/Tech

Title: New clickjacking affects all browsers; cause remains unknown
Source: ArsTechnica
URL Source: http://arstechnica.com/news.ars/pos ... ers-cause-remains-unknown.html
Published: Sep 26, 2008
Author: Joel Hruska
Post Date: 2008-09-26 15:43:22 by a vast rightwing conspirator
Keywords: None
Views: 230
Comments: 10

New clickjacking affects all browsers; cause remains unknown
By Joel Hruska | Published: September 26, 2008 - 01:41PM CT

Jeremiah Grossman and Robert "Rsnake" Hansen initially planned to reveal details on a new browser-agnostic clickjacking exploit at the Open Web Application Security Project (OWASP) in New York City this week, but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product. The term "clickjacking" refers to a process by which a user is forced to click on a link without his or her knowledge—the link itself may be nearly invisible or visible for only a fraction of a second.

Clickjacking isn't a new attack vector, but according to Grossman and Hansen, it's one that is "severely underappreciated and largely undefended." What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konqueror, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx.

In this case, "whatever it is," actually is the only appropriate label for this new attack method; Grossman and Hansen have released virtually no information on how one would actually exploit the vulnerability. Grossman and his teammate appear to have held off publishing after Adobe requested they do so, rather than as a favor to the browser market. In his blog, Grossman writes: "At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional “exploits,” and that guarding against clickjacking was largely the browser vendors' responsibility."

Grossman and Hansen have, however, released a bit of information on what won't protect a user from the exploit. Turning JavaScript off is apparently useless—the attack doesn't use it. Instead, it takes advantage of what the two call a "fundamental flaw" inherent to all modern browsers, and an issue that cannot be fixed with a quick patch. Using a frame buster script will protect a person from assaults that utilize cross-domain scripting, but will not prevent the attack from operating normally if it's on a page the user is visiting.

As exploits go, this particular one seems a tempest in a teapot. The vulnerability in question may affect all web browsers, but the total dearth of publicly available data means anyone wanting to utilize it has their work cut out for them. Grossman states that this particular attack is capable of some "pretty spooky" things, but that's all the detail we get. I'm not a fan of security through obscurity, but that's not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw's existence. Hopefully they also received a bit more information than the public did.
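The frame-buster defence the article mentions, as an added example (not from the article, which publishes no technical details of the attack): the page is served hidden and is revealed only when it is the top-level window. Function names and hosts are hypothetical, and the window/document stand-ins are constructed so the logic can run outside a browser.

```javascript
// Added example; every name here is hypothetical, not from the article.
// Covers only the framing case. The article says an attack hosted on the
// page being visited is not stopped by a frame buster.
function bustFrame(win, doc) {
  if (win.top === win.self) {
    // Not framed: reveal the page, which is served hidden by default.
    doc.documentElement.style.visibility = "visible";
    return "top-level";
  }
  try {
    // Framed: leave the content hidden and replace the framing page.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (err) {
    // The framing page blocked navigation; the content stays hidden.
    return "framed-hidden";
  }
}

// Constructed stand-ins for window/document so the logic runs outside a browser.
function fakePage(framed, navigationBlocked) {
  const doc = { documentElement: { style: { visibility: "hidden" } } };
  const win = { location: { href: "https://site.example/account" } };
  const top = framed ? {} : win;
  win.self = win;
  win.top = top;
  if (framed) {
    let href = "https://framing-page.example/";
    Object.defineProperty(top, "location", {
      get: () => href,
      set: (value) => {
        if (navigationBlocked) throw new Error("navigation blocked");
        href = value;
      },
    });
  }
  return { win, doc };
}

// In a real page: <html style="visibility:hidden"> plus this call in <head>.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  bustFrame(window, document);
}
```

Because only the script reveals the page, a browser with JavaScript disabled shows nothing rather than a frameable page.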


#1. To: All (#0)

I forgot to note on the headline: if you clicked on the link that opened this article, you are doomed! Doomed!! DOOMED!!!! DOOMED!!!!!

a vast rightwing conspirator  posted on  2008-09-26   15:44:55 ET


#9. To: a vast rightwing conspirator (#1) (Edited)

.

X-15  posted on  2008-09-26   18:08:16 ET


#10. To: X-15 (#9)

7, 4, 2 , WHAT?

Dakmar  posted on  2008-09-26   18:12:03 ET

