Alarm Raised For "Clickjacking" Browser Exploit

← Back to Stories (view on slashdot.org)

Alarm Raised For "Clickjacking" Browser Exploit

Posted by timothy on Thursday September 25, 2008 @08:19AM

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at hte request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

6 of 308 comments (clear)

Min score:

Reason:

Sort:

Information by asCii88 · 2008-09-25 08:24 · Score: 5, Insightful

You call this "information"? It's not even clear what the exploit is about.
1. Re:Information by OriginalArlen · 2008-09-25 09:04 · Score: 5, Insightful
  
  There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affects nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description was out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.
  Looking on the bright side, more browsers than nameservers auto-update themselves...
  (Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And anyway you ARE still fucked in the long run, anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.
  Have a great day!
  
  --
  
  Everything I needed to know about life, I learnt from Blake's Seven
2. Re:Information by AKAImBatman · 2008-09-25 09:22 · Score: 5, Insightful
  
  Sure. Imagine you're in a car showroom looking at a super-expensive car. It looks great and price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!
  Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car. NOT FUNNY!
  Better? :-P
  
  --
  Javascript + Nintendo DSi = DSiCade
One of these things is not like the other. by Tackhead · 2008-09-25 08:34 · Score: 5, Insightful

Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.
Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.
From TFA:

"The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."
One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.
Also from TFA:

"According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"
and
"In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but itâ(TM)s the best we can do right now."
Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that Ffirstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.
Re:Bullshit? by id · 2008-09-25 08:40 · Score: 5, Insightful

Except you're wrong, but don't take my word for it (I run ha.ckers.org with RSnake), see what Adobe has to say.
http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html
-id
Re:Summary wrong by HTH+NE1 · 2008-09-25 09:01 · Score: 5, Insightful

Try the CSS pseudoclass :active

And here is an example.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?