Slashdot Mirror


Alarm Raised For "Clickjacking" Browser Exploit

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

16 of 308 comments

  1. Turn to Lynx? by TheDarkMaster · · Score: 2, Insightful

    Well, they can't steal clicks from a browser without clicks

    --
    Religion: The greatest weapon of mass destruction of all time
  2. Information by asCii88 · · Score: 5, Insightful

    You call this "information"? It's not even clear what the exploit is about.

    1. Re:Information by OriginalArlen · · Score: 5, Insightful

      There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affected nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description were out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.

      Looking on the bright side, more browsers than nameservers auto-update themselves...

      (Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And anyway you ARE still fucked in the long run, anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.

      Have a great day!

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    2. Re:Information by AKAImBatman · · Score: 5, Insightful

      Sure. Imagine you're in a car showroom looking at a super-expensive car. It looks great and price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

      Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car. NOT FUNNY!

      Better? :-P

  3. Bullshit? by sakdoctor · · Score: 4, Insightful

    I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
    Won't be losing any sleep over this one.

    1. Re:Bullshit? by id · · Score: 5, Insightful

      Except you're wrong, but don't take my word for it (I run ha.ckers.org with RSnake), see what Adobe has to say.

      http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html

      -id

  4. Seems like another buzzword by robinsonne · · Score: 2, Insightful

    From reading TFA (I know, silly me) this seems to be pretty much fear-mongering with a fancy new buzzword. "Clickjacking" oooo scary!

    Until some real technical details come up I'd say nothing to see here, move along.

  5. One of these things is not like the other. by Tackhead · · Score: 5, Insightful

    Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

    Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.

    From TFA:

    "The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."

    One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.

    Also from TFA:

    "According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"

    and

    "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."

    Now we're in a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that firstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.

  6. I was clickjacked by Anonymous Coward · · Score: 1, Insightful

    There was this slashdot article here.

    Turns out some hacker clickjacked the link, replacing it with a useless link with no detail or value added. It is getting more and more common on slashdot.

  7. viral browser market cleaning by sarbrot · · Score: 2, Insightful

    ok - i read TFA, scanned all the linked blogs, their trackbacks and comments and from what i've seen there is no real info on what this is. Thinking about it for 2 minutes I had this idea that this will be the best chance ever to get rid of IE6. My hope is that all the browser vendors (including MS) have conspired that maybe 3 weeks of making scary "clickjacking" news and pushing them to the main media outlets will eventually raise awareness to let go of that horrible thing that's keeping the web from really evolving. finally a good excuse to disable your content for outdated browsers that aren't patched any more because the user might accidently the whole clickjack. But in the end - if the download links don't get clickjacked that is - MS will probably release some stupid patch that prevents IE6 from clickjacking altogether and it will be 3 more years before IE6 leaves for good....

  8. Scary? by pyrr · · Score: 4, Insightful

    I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.

    I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.

  9. Re:FF 3.0.2 safe? by erroneus · · Score: 2, Insightful

    That's not it because the description says that disabling Javascript will not help. The bug indicated by you says disabling Javascript will help.

  10. Re:Summary wrong by HTH+NE1 · · Score: 4, Insightful

    Try the CSS pseudoclass :active to move things around, like make a facade image positioned to cover a real button disappear with display: none;.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  11. Re:Summary wrong by HTH+NE1 · · Score: 5, Insightful

    Try the CSS pseudoclass :active

    And here is an example.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
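An added example, not code from this thread, the ZDNet post, or any of the vendors named in it: the facade that HTH NE1 describes in the two replies above (a decoy layer positioned over a real button) only works when the victim page can be loaded inside a page the attacker controls, which is the frames angle pyrr raises in comment 8. The mitigation that later became standard is for the target site to refuse to be rendered in a frame from another origin, using the `X-Frame-Options` response header or the `Content-Security-Policy` `frame-ancestors` directive; a client-side `top !== self` check is the older, weaker fallback and, since it needs scripting, does nothing for a user who followed the "disable scripting" advice quoted in comment 5. The JavaScript below audits a set of constructed HTTP responses against a given embedding origin and reports whether framing would be permitted. The header names and directive syntax are real; `bank.example`, `partner.example`, `evil.example` and every sample response are constructed for the example.

```javascript
// Added example (not from the Slashdot thread or the ZDNet article): audit
// whether an HTTP response may be rendered inside a frame by a given embedder.
// Header names and CSP syntax are real; every sample response below is constructed.

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns an array of lower-cased source expressions (quotes stripped),
// or null when the directive is absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Match one CSP host-source (e.g. https://partner.example, https://*.bank.example)
// against an embedder origin. Simplifications: ports are ignored and a
// scheme-less source matches any scheme.
function matchesSource(src, embedderOrigin) {
  const url = new URL(embedderOrigin);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const host = url.hostname.toLowerCase();
  // "*.bank.example" matches subdomains only, never the bare domain.
  if (hostPattern.startsWith('*.')) return host.endsWith(hostPattern.slice(1));
  return host === hostPattern;
}

// Decide whether a page served from pageOrigin with these response headers
// may be framed by embedderOrigin. When a CSP frame-ancestors directive is
// present it takes precedence over X-Frame-Options, as browsers do.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const ancestors = parseFrameAncestors(getHeader(headers, 'content-security-policy'));
  if (ancestors !== null) {
    for (const src of ancestors) {
      if (src === 'none') return { framable: false, reason: "CSP frame-ancestors 'none'" };
      if (src === '*') return { framable: true, reason: "CSP frame-ancestors '*'" };
      if (src === 'self') {
        if (embedderOrigin === pageOrigin) return { framable: true, reason: "CSP frame-ancestors 'self'" };
        continue;
      }
      if (matchesSource(src, embedderOrigin)) {
        return { framable: true, reason: `CSP frame-ancestors allows ${src}` };
      }
    }
    return { framable: false, reason: 'CSP frame-ancestors does not list the embedder' };
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: embedderOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { framable: true, reason: 'no anti-framing header; page can be overlaid from any origin' };
}

// Client-side fallback: detect being framed. Takes a window-like object so it
// can be exercised outside a browser; in a page this would be window.top/window.self.
function isFramed(win) {
  return win.top !== win.self;
}

// Constructed sample responses for a hypothetical https://bank.example site.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  deny: { 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspPartner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors https://*.bank.example' },
  cspNoneOverridesXfo: { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'SAMEORIGIN' },
};

// Run every sample against one embedder and return {sampleName: framable}.
function audit(embedderOrigin, pageOrigin = 'https://bank.example') {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = framingAllowed(headers, pageOrigin, embedderOrigin).framable;
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table({ evil: audit('https://evil.example'), login: audit('https://login.bank.example') });
}
```

Running the file prints one row per embedder; only the `unprotected` sample stays framable from `evil.example`, which is the condition a decoy-overlay attack depends on. The same `framingAllowed` check can be pointed at a site's real response headers to confirm the protection is actually being sent.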
  12. Re:Go Lynx! by lysergic.acid · · Score: 4, Insightful

    i wouldn't exactly call the ability to render images "frills." i can understand if this were 1990 and the web was still mostly text-based. but the idea of a hypertext network and hypertext documents is to go beyond what normal text documents/interfaces could provide.

    lynx has its merits, but calling all standard browsers too complicated or excessive is stretching it a bit. if lynx were just a basic browser that didn't have plugins, tabs, adblock, RSS readers, bookmarks, search tools, etc. then you could claim that other browsers have too many frills.

    but lynx is a text-only browser. that's like saying a radio is a TV without the frills. stripping out core features does not make something have a cleaner interface or mean that the removed features are unnecessary.

  13. Re:Summary wrong by White+Shade · · Score: 3, Insightful

    That's true, but the big problem is that the debit card money comes out of your account immediately.... even if you do get it all back, there is the possibility for this to happen:

    1- you check your bank balance in the morning
    2- you make a string of purchases, knowing that you're safe in your balance

    hidden step 1.5 - someone illegitimately uses your bank card and zeros you out.
    hidden step 3 - every purchase you made hits you for a $20-40 overdraft charge, which you may or may not get back, and even if you do get it back, it takes a finite amount of time, during which every other transaction that may not have posted yet ALSO hits you for overdraft, and you can't use your card, and have no money.

    It's a really awkward and annoying situation to be in, for sure.
