See other Science/Tech Articles
Title: New clickjacking affects all browsers; cause remains unknown
Source:
ArsTechnica
URL Source: http://arstechnica.com/news.ars/pos ... ers-cause-remains-unknown.html
Published: Sep 26, 2008
Author: Joel Hruska
Post Date: 2008-09-26 15:43:22 by a vast rightwing conspirator
Keywords: None
Views: 440
Comments: 10
New clickjacking affects all browsers; cause remains unknown Jeremiah Grossman and Robert "Rsnake" Hansen initially planned to reveal details on a new browser-agnostic clickjacking exploit at the Open Web Application Security Project (OWASP) in New York City this week, but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product. The term "clickjacking" refers to a process by which a user is forced to click on a link without his or her knowledge—the link itself may be nearly invisible or visible for only a fraction of a second. Clickjacking isn't a new attack vector, but according to Grossman and Hansen, it's one that is "severely underappreciated and largely undefended." What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konquerer, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx. In this case, "whatever it is," actually is the only appropriate label for this new attack method; Grossman and Hansen have released virtually no information on how one would actually exploit the vulnerability. Grossman and his teammate appear to have held off publishing after Adobe requested they do so, rather than as a favor to the browser market. In his blog, Grossman writes: "At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional “exploits,” and that guarding against clickjacking was largely the browser vendors' responsibility." Yeah, it's kinda like that Grossman and Hansen have, however, released a bit of information on what won't protect a user from the exploit. Turning Javascript off is apparently useless— the attack doesn't use it. Instead, it takes advantage of what the two call a "fundamental flaw" inherent to all modern browsers, and an issue that cannot be fixed with a quick patch. Using a frame buster script will protect a person from assaults that utilize cross-domain scripting, but will not prevent the attack from operating normally if it's on a page the user is visiting. As exploits go, this particular one seems a tempest in a teapot. The vulnerability in question may affect all web browsers, but the total dearth of publicly available data means anyone wanting to utilize it has their work cut out for them. Grossman states that this particular attack is capable of some "pretty spooky," things, but that's all the detail we get. I'm not a fan of security through obscurity, but that's not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw's existence. Hopefully they also received a bit more information than the public did.
By Joel Hruska | Published: September 26, 2008 - 01:41PM CT
Post Comment Private Reply Ignore Thread
Top • Page Up • Full Thread • Page Down • Bottom/Latest
#1. To: All (#0)
I forgot to note on the headline: if you clicked on the link that opened this article, you are doomed! Doomed!! DOOMED!!!! DOOMED!!!!!
Antiparty - find out why, think about 'how'
Antiparty - find out why, think about 'how'
This article tells me nothing, except I may have some problem...
A nation of mullets, ruled by inbred, moronic traitors.
Searching for 'clickjacking' turns up lots of articles, but zero information, as Adobe is trying to 'fix' their vulnerabilities. The only Adobe product that is allowed to access the web here, is their Flash player, and I may rethink that decision.
A nation of mullets, ruled by inbred, moronic traitors.
It says: BE VERY AFRAID!!! And it says that SOMEONE is working on this so you keep the hope up because, JUST MAYBE, you won't die.
Antiparty - find out why, think about 'how'
And they write innumerable books; being too vain and distracted for silence: seeking every one after his own elevation, and dodging his emptiness. - T. S. Eliot
You need to incorporate more green, leafy matter into your diet.
And they write innumerable books; being too vain and distracted for silence: seeking every one after his own elevation, and dodging his emptiness. - T. S. Eliot
Found while searching for a substitute Flash player. A nation of mullets, ruled by inbred, moronic traitors.
.
7, 4, 2 , WHAT?
And they write innumerable books; being too vain and distracted for silence: seeking every one after his own elevation, and dodging his emptiness. - T. S. Eliot
#2. To: All (#0)
It's kinda like that
#3. To: a vast rightwing conspirator (#0)
I'm not a fan of security through obscurity, but that's not what anyone is advocating—Adobe has acknowledged the problem, and the dev teams on both Firefox and IE are undoubtedly aware of the flaw's existence. Hopefully they also received a bit more information than the public did.
#4. To: a vast rightwing conspirator (#2)
#5. To: lodwick (#3)
#6. To: a vast rightwing conspirator (#0)
#7. To: lodwick (#3)
This article tells me nothing, except I may have some problem...
#8. To: a vast rightwing conspirator. all (#5)
Check this out - chocolate, instead of flouride for our teeth -
#9. To: a vast rightwing conspirator (#1)
(Edited)
-Schweizerische Schuetzenzeitung (Swiss Shooting Federation) April, 1941
#10. To: X-15 (#9)
Top • Page Up • Full Thread • Page Down • Bottom/Latest