Slashdot Mirror


Alarm Raised For "Clickjacking" Browser Exploit

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

2 of 308 comments

  1. Re:One of these things is not like the other. by Chysn · Score: 5, Interesting

    > Now we're at a quandary. Your humble
    > correspondent is at a loss to even speculate as
    > to the nature of a technology that firstly isn't
    > Javashit, but which can conceivably be invoked by
    > web content regardless of which web browser is in
    > use, but lastly can be secured against by
    > disabling hated plug-ins.

    It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

    At least nothing obvious. I suppose I could have been rootkitted.

    --
    --I'm so big, my sig has its own sig.
    -- See?
  2. Re:Summary wrong by jesser · Score: 5, Interesting

    FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.

    I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

    --
    The shareholder is always right.