Slashdot Mirror


Fixes Released (and More Promised) For "Clickjacking" Exploits

An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."

70 comments

  1. Has... by Anonymous Coward · · Score: 0

    Anyone actually seen a POC of clickjacking? I know I haven't...

    1. Re:Has... by snl2587 · · Score: 3, Interesting

      Well, an example is the "Get Add-on" link on the NoScript website: clicking it causes an iframed link from Mozilla's add-on page to be "clicked" instead.

      Clickjacking's new in terminology only.

    2. Re:Has... by Anonymous Coward · · Score: 2, Insightful

      But that's the user clicking on a visible item, simply embedded in the page. It's misleading, sure! But it's not the same as having a user click anywhere and it hitting an invisible item that does something completely unrelated to whatever's displayed.

    3. Re:Has... by Anonymous Coward · · Score: 4, Funny

      I was describing this article to my boss, and here is what he said to me verbatim. My Emp. added.

      So, should I be afraid of my web browser clickjacking me off of my normally visited websites to some spyware?

    4. Re:Has... by Mashiki · · Score: 2, Informative

      "Anyone actually seen a POC of clickjacking? I know I haven't..."

      Yes. I've run across it on GCW, MSNBC and Wowhead through 3rdparty advertisers. It's already in the wild, the only thing that stopped it was noscript.

      --
      Om, nomnomnom...
    5. Re:Has... by Mashiki · · Score: 4, Informative

      Just because I had to hunt for the image:
      http://bay01.imagebay.com/bay.php?view=61388_poshijack.jpg

      --
      Om, nomnomnom...
    6. Re:Has... by plover · · Score: 1

      Well, there's a POC linked in TFA. I tried it. It looked like it was going to work but NoScript warned me about it. Pretty cool.

      NoScript is my friend.

      --
      John
    7. Re:Has... by Ortega-Starfire · · Score: 1

      Click the proof-of-concept link in the article summary.

      --
      ---- Liquid was a patriot ----
    8. Re:Has... by Anonymous Coward · · Score: 0

      Except it's not an iframe?

      <div id="amo-install">
      <a class="install-button" href="https://addons.mozilla.org/en-US/firefox/addon/722/#install-55211" target="_blank" rel="external nofollow"
      title="Install NoScript, it's free"
        ><span class="download">install now!</span></a>
      </div>

    9. Re:Has... by Koiu+Lpoi · · Score: 1

      Except it doesn't at all. Mouse over the link and you can clearly see in your status bar that it goes to Mozilla's site. Clickjacking my ass.

    10. Re:Has... by snl2587 · · Score: 1

      Please read.

    11. Re:Has... by snl2587 · · Score: 1

      Nice job looking at the page source, but you've really got to look at the javascript.

      Note this bit (this is only a part; see the source for the rest):
      document.getElementById("amo-install").innerHTML +=
      '<iframe id="amo-installer" width="1" height="1" style="visibility: hidden; filter: alpha(opacity=0)" scrolling="no"></iframe>';

      Yep. Looks like this is exactly what I was talking about.

    12. Re:Has... by Koiu+Lpoi · · Score: 1

      Except that it doesn't come up with that box at all, and I'm running the latest version of NoScript. Looks like they fixed it.

    13. Re:Has... by snl2587 · · Score: 1

      No, the noscript site is on your whitelist by default (along with googlesyndication.com so the developer can collect ad revenue off his site). The demo on his blog was an example of what would happen if you removed noscript.net from your whitelist and went to his site with the blocker enabled.

  2. Original fix by MaxwellEdison · · Score: 2, Funny

    I've solved this problem by removing my mouse from the computer. Now I never click anything malicious! Or anything at all... It's all wonderfully frustrating.

    --
    -=Bang Bang=-
    1. Re:Original fix by Anonymous Coward · · Score: 0

      tab tab tab tab tab tab SHIT! shift+tab enter

    2. Re:Original fix by Anonymous Coward · · Score: 0

      lmao I guess eventually then you'll remove everything but the power cord and just stare at that all day to be totally safe. haha

  3. This stuff is why... by DigitalSorceress · · Score: 0, Offtopic

    This stuff is why I use NoScript and haven't even installed the Flash plugin addon to Firefox. If I REALLY want to view something in flash and I trust the content provider, I'll fire up IETab.

    Not perfect, but a far sight safer than Joe Q. User.

    --

    The Digital Sorceress
    1. Re:This stuff is why... by plover · · Score: 2, Interesting

      I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.

      --
      John
    2. Re:This stuff is why... by thenewguy001 · · Score: 1

      Why not just use flashblock for firefox instead of firing up IE? You can enable/disable individual flash objects on the fly with flashblock.

      In IE you have to let everything load, which is less secure. If the page is full of flash adverts it'll also consume more CPU cycles.

    3. Re:This stuff is why... by id · · Score: 1

      That would be great if flashblock itself wasn't susceptible to clickjacking...

  4. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  5. Oh great... by davidbrit2 · · Score: 1

    Like I need yet another NoScript update this week.

    1. Re:Oh great... by Ant+P. · · Score: 1

      Normally I wouldn't mind being told to update every 24 hours, but the way NoScript does it is completely fucking retarded.
      What's the use of Firefox having a "show more information" button in the addon manager when all it displays is an URL to an ad-filled page with a 2 line changelog? And to rub it in, the info box isn't a real textarea so you can't just copy and paste the link.

    2. Re:Oh great... by Anonymous Coward · · Score: 0

      You don't HAVE to update to (or, even USE) NoScript @ all really, as an alternate method of protecting yourself (which is pretty good in many ways)... Opera is a browser that comes with a native feature for this via its menus in TOOLS, or rightclick on page SITE PREFERENCES options popup menu.

      Alternately? You can just run w/ IFrames, JavaScript, & Plugins disabled (Adobe Flash, specifically (which I was right about in it being the faulty app involved here also)) ->

      Alarm Raised For "Clickjacking" Browser Exploit:

      http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835

      (2++ or so weeks ago when this surfaced as news here)

      & that'll do the job also.

      APK

      P.S.=> This is why I've been warning folks about the faulty DOM (why javascript's risky really, mostly) for years now, & more recently in a security guide I wrote that states that basic protective method (i.e.-> "If you don't go into the scripting/iframes/plugins kitchen, you can't get burned"), in the news link URL above, which was from this site from 2-3 weeks back, regarding this "clickjacking" stuff...

      &, it just works - simple, effective, & even allows gains in page rendering speeds as a bonus.

      That is, IF you can "obey some rules online/use some constraints" etc. et al ...

      After all - Nearly all the attacks today come from some form of abuse of javascript/iframes/plugins for webbrowsers the past 3-4 yrs. now it seems, & just going to SECUNIA.COM &/or SECURITYFOCUS.COM can show anybody this much... & to myself @ least? This makes utilizing javascript/iframes/plugins, wholesale online on every site you visit... well, risky!

      (imo & this type of news this article denotes, really only seconds my approach as an effective defense method, for me (& I only use javascript/activex/plugins/iframes on sites that DEMAND I do so, for FULL functionality, minimizing the risk, & as a bonus, you also process webpages faster by not using scripting & plugins too))... apk

  6. Re:"Fixes" released? by Anonymous Coward · · Score: 0

    It seems to me that ACORN just hired a bunch of low lifes who made a lot of fraudulent voter registration cards to make it look like they were doing work. It also seems like a set up to me. If election fraud does occur it'll be nice to have a patsy to blame it on.

    The real way this election will be rigged is by the electronic voting machines, especially the ones that tabulate the vote at a central location and have no paper trail. It is even easy to manipulate the scantron election results.

    This ACORN business is misdirection.

  7. Why does flash by British · · Score: 1

    ..even have a facility for the webcam and mic anyways?

    1. Re:Why does flash by Anonymous Coward · · Score: 1, Informative

      People use it here for American Sign Language work. They sign into the webpage, it turns on the cam, they sign it up, and it's stored on the server for their instructor or collaborator to view/grade/whatever.

    2. Re:Why does flash by marxmarv · · Score: 1

      Because all technological advancement is driven by adult media?

      --
      /. -- the Free Republic of technology.
    3. Re:Why does flash by lysergic.acid · · Score: 1

      my friend used it in his interactive media class to simulate the vision of dogs. you run the flash application and it filters the cam feed to only display the visual spectrum dogs are capable of seeing.

      i don't think there's anything inherently wrong with giving flash access to webcam/mic. it creates opportunities for a lot of useful web apps. however, i do think that flash browser plugins need to warn users and have them confirm that they actually want to turn on their webcam/mic.

  8. Simple solution: by Anonymous Coward · · Score: 0

    Turn off JavaScript, Java, Flash, and other plugins on the browser you use for web searches and general goofing around on the web. Use a different browser for trusted sites for serious uses, i.e. for banking.

    1. Re:Simple solution: by plover · · Score: 2, Funny

      Let me get this straight: You recommend:

      "i.e. for banking."

      and you expect us to trust you with security advice? Please!

      --
      John
    2. Re:Simple solution: by FLEB · · Score: 1

      While the "different browser" idea would work, turning off JS would be marginal to harmful. This is a straight HTML/CSS exploit, and, actually, turning off JS could stop preventive framebusting scripts from running.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    3. Re:Simple solution: by metamatic · · Score: 1

      See, this is why I think NoScript and CookieSafe (CS Lite) should be standard functionality in Firefox. In fact, they already have the functionality, they just need the friendly UI so normal people can actually use it.

      But Mozilla won't do it, because it would piss off the advertisers who use JavaScript and cookies to surreptitiously track people. They might be an open source project, but they don't have the users' best interests at heart.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    4. Re:Simple solution: by JCSoRocks · · Score: 1

      Re: IE for banking - I know some banking sites weren't compatible with FF for a loooong time. I'm still not sure if BofA's site is. It can be frustrating.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    5. Re:Simple solution: by Anonymous Coward · · Score: 0

      "Turn off JavaScript, Java, Flash, and other plugins on the browser you use for web searches and general goofing around on the web." - by Anonymous Coward on Thursday October 09, @05:33PM (#25320885)

      That's not going to stop you from being infected. You're only changing the browser used to infect yourself with what you suggest! OS used? Doesn't matter either... the DOM is the same, & since javascript/iframes/plugins run on Linux & other OS'? They're no safer, period. They're less exploited, because from the POV of a botmaster, you go after the MOST USED OS THERE IS, & that is Windows (for the greatest 'surface area to attack', that also generally overall has less "technically inclined users", where *NIX generally has "pure techno geeks", mostly).

      "Use a different browser for trusted sites for serious uses" - by Anonymous Coward on Thursday October 09, @05:33PM (#25320885)

      Again, same deal as my previous reply to what I quoted from you - you're only changing the browser that infects you via this attack (&, NONE OF THEM ARE SAFE vs. it, unless you take some measures yourself, via what I wrote below here, weeks ago, when this first surfaced (& I was correct on no less)):

      ----

      Alarm Raised For "Clickjacking" Browser Exploit:

      http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835

      ----

      I "got lucky", there, & had guessed EXACTLY what plugin was affected back then (ADOBE FLASH), & for about a year now, on various technical forums online (27 in total) I suggested TURNING OFF JAVASCRIPT/IFRAMES/PLUGINS usage for users, to stay safe online vs. these types of attacks, & yes, MANY others also!

      (I.E.-> DON'T USE JAVASCRIPT/PLUGINS/IFRAMES on "every site under the sun you go to"(& instead ONLY LEAVE IT ACTIVE FOR SITES THAT DEMAND THEIR USAGE (such as online banking &/or shopping sites often require for data access)... all other sites? Heck, turn it off... be safe(r) by far & FASTER AS WELL (due to not processing adbanners &/or webpage script tags code either))

      APK

      P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now (see points after #12th posting in regards to this statement of mine here & there below also):

      HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

      http://www.tcmagazine.com/forums/index.php?s=73ccc6e6bcaa3f449c71fc76a0e40212&showtopic=2662

      AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities? Common-sense usually does work)... apk

  9. The jokes on you, hackers! by Gizzmonic · · Score: 2, Funny

    Not only am I an exhibitionist, I'm also unbelievably ugly! You won't be 'clickjacking' to my warped, drooling countenance!

    --
    (-1, Raw and Uncut is the only way to read)
    1. Re:The jokes on you, hackers! by Anonymous Coward · · Score: 1, Funny

      Goddamnit, mom! I thought I told you not to post on the same websites as me? And don't think I haven't seen you on adultfriendfinder either.

    2. Re:The jokes on you, hackers! by kayditty · · Score: 0

      it isn't. it's a literary device.

  10. I can fix this! by Anonymous Coward · · Score: 0

    I'll just fire up my webcam, stand in front of it naked and commence clicking on said sites.

    Surely, after that, once (if) the hackers regain their sight, they will surely be afraid to ever try that again

  11. Interview with Clickjacking Author by webappsec · · Score: 1
  12. I am confused by RockMFR · · Score: 1

    I was under the impression that Flash runs with full privileges and can basically do anything if you have the plugin installed. Is this not the case?

    1. Re:I am confused by argent · · Score: 1

      The plugin runs with full privileges.

      The scripts (in Actionscript, a version of ECMAscript (nee Javascript)) run in a sandbox.

  13. NoScript by HTH+NE1 · · Score: 4, Interesting

    Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:NoScript by kesuki · · Score: 3, Informative

      apparently, feature suggestions should be posted to this forum http://forums.mozillazine.org/viewtopic.php?t=826005

      'temporarily allow site in tab' and 'temporarily allow all in tab' are features i'd suggest, but i'm too lazy to sign up for a forum and post there.

      being specific to a single tab would be nice, it might add to the size of the engine, but again it would make annoying broken ad supported sites like pogo that require 26 separate sites to be 'allow' to properly load a webgame... no, i don't play pogo, but i disabled noscript from one of my parents computers so she could use pogo. I checked to see if i could just add to the white list, but that basically defeated the point of a white list, so it was disabled.

      on windows it's no big deal, she uses ie, and i use firefox, but on their linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play pogo on it if needed.

    2. Re:NoScript by Anonymous Coward · · Score: 0

      The latest versions have "Allow all this page" and "Temporarily allow all this page" options, maybe it suits your requirement

    3. Re:NoScript by kesuki · · Score: 1

      they work globally across all tabs though. what if i want doubleclick okayed on one tab, but not another? it's one thing to 'have to' allow one one website in one tab to play a free online game, and quite another to make every news site i'm surfing suddenly show ads, because of one site.

  14. Re:Help by Loopy · · Score: 1

    It's a .0 release. Haven't you learned anything from all the linux threads here?

  15. Re:Help by Anonymous Coward · · Score: 0

    sux0r 2.0 - it sux0rs up all the web [sux0r.org]

    Mildly intrigued by your signature I decided to click on it:

    In many a drunken rant alone in front of a terminal, I dropped buzzwords like "distributed blogging", "content refactoring" and "harnessing the power of selfishness" which quite frankly sounds a lot like me talking out of my ass.

    Your mother must be so proud

  16. Are they saying this end-of-the-internet threat... by Ungrounded+Lightning · · Score: 2, Insightful

    Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  17. Flash and microphones and webcams, oh my. by argent · · Score: 2, Interesting

    It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.

    Yes, I understand the point of it, I just think it's creepy.

    1. Re:Flash and microphones and webcams, oh my. by cerberusss · · Score: 3, Funny

      "It's always kind of creeped me out that Flash even gives applets access to the microphone"

      Definitely creepy. One time I visited a page with a Flash-based advertisement from (apparently) a French company. When my mouse cursor inadvertently moved over the Flash applet, some kind of contact was made with the company. This French guy was screaming into his microphone "'ello?? 'ELLOO??". And he obviously saw through my cam because he continued: "Bonjour, sire! Whas arr yous eatingue?" just when I was shoving a sandwich in my pie-hole.

      --
      8 of 13 people found this answer helpful. Did you?
  18. Re:Are they saying this end-of-the-internet threat by mr_mischief · · Score: 3, Informative

    Any form of invisible link, invisible button, link or button in an iframe, getURL() call in Flash, or JavaScript handler for any normally non-clickable item that makes you go somewhere, yeah.

  19. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  20. Help! I'm trapped in a chinese nudist camp. by Anonymous Coward · · Score: 0

    Years of Goatse abuse has rendered most of slashdot blind, and sterile.

  21. How is this new? by Anonymous Coward · · Score: 0

    So why is this "exploit" so "new and dangerous"?

    I mean, does not every damn news site (with the exception of the great Slashdot) have that annoying "first time you click, we pop up an ad" thing going on? Doesn't matter if you click on whitespace, text (like to highlight it), or whatever.. first click = ad.

    That was already 'clicking causing an undesired link'. This is hardly new. Boo on the finders of this 'major bug', spammers and marketing majors beat you to it by at least a year, and that's embarrassing.

    1. Re:How is this new? by FLEB · · Score: 2, Insightful

      This attack makes it possible for third parties to trick you into performing actions on third-party sites, by overlaying them invisibly on something you think you want to click. An attacker could overlay a seemingly innocuous game, for instance, with an administrative panel from a common website. The settings panel would be invisible (zero or low alpha), but still would receive mouse clicks. When the "game" asks you to click two seemingly random points, you're actually clicking the "Delete my account" checkbox and "Continue" button, for instance.

      Off the top of my head, it's not a world-ender, just another problem like XSS or XSRF to be vigilant against. Possible solutions (from the top of my head) would be for sensitive form pages to have a framebusting script (although this doesn't help if JS is off), and require a password or CAPTCHA (a password could be phished around, but a CAPTCHA could work, since the fake site still has no actual way to read or write the legit site).

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    2. Re:How is this new? by FLEB · · Score: 2, Insightful

      "When the "game" asks you to click two seemingly random points,"

      s/random/arbitrary/

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
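
FLEB's framebusting suggestion in the thread above, sketched as an added example (not code from the thread or from any site it mentions): the sensitive page ships hidden and the script reveals it only when it is the top-level window, so with JavaScript off it stays hidden rather than rendering inside someone else's frame. The `antiClickjack` style id and the function name are assumptions.

```javascript
// Added example: fail-closed framebusting for a sensitive form page.
// Assumes the page's <head> contains (hypothetical id):
//   <style id="antiClickjack">body { display: none !important; }</style>
// so the form is invisible until this script decides it is safe to show.

function guardAgainstFraming(win) {
  var framed;
  try {
    // In a top-level window, top and self are the same object.
    framed = win.top !== win.self;
  } catch (e) {
    // If the comparison cannot be made, assume the worst.
    framed = true;
  }

  if (!framed) {
    // Not inside a frame: remove the hiding style and show the form.
    var style = win.document.getElementById('antiClickjack');
    if (style && style.parentNode) {
      style.parentNode.removeChild(style);
    }
    return 'top-level';
  }

  // Framed: leave the body hidden and try to replace the framing page
  // with this page. If the navigation is blocked, the form is still hidden.
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    /* nothing more to do; the page remains invisible */
  }
  return 'framed';
}

// In a browser this runs as soon as the script loads; in other
// environments (such as a test runner) there is no window to guard.
if (typeof window !== 'undefined') {
  guardAgainstFraming(window);
}
```
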
  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. Restricting iframes by StoatBringer · · Score: 1

    In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? So if your page has a form which could potentially be abused, add the tag and browsers which recognise it will only show the page in its entirety, and not as part of another page or from another domain?

    I realise that this may well be far too simplistic and people will probably point out a dozen reasons why it won't work and would break all sorts of things. :)

    --
    Cress, cress, lovely lovely cress
    1. Re:Restricting iframes by Anonymous Coward · · Score: 0

      "In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? " - by StoatBringer (552938) on Friday October 10, @05:11AM (#25325537)

      Opera has this, built in... & has, for years now, mind you + selectively, on a user-driven, site-by-site basis.

      (A native method that's flexible, powerful, & easy to do, & sounds like what it is you are after, imo (based on your description (& my interpretation of it))... easily, via Opera's native security featureset!)

      APK
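
StoatBringer's "no_remote_display" idea above is the shape later standardised as the `X-Frame-Options` response header (RFC 7034) and the CSP `frame-ancestors` directive. The added example below (not from the thread) shows a server opting a sensitive page out of framing, with a simplified model of the browser's decision; the function names and origins are constructed, and the model assumes a single embedding page and exact origin matching.

```javascript
// Added example. Header names are real; everything else is illustrative.

// Headers a sensitive page sends to say who may display it in a frame.
// mode 'deny': nobody; mode 'sameorigin': only pages of the same origin.
function antiFramingHeaders(mode) {
  if (mode === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (mode === 'sameorigin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error('unknown mode: ' + mode);
}

// Simplified model of the check a supporting browser makes before
// rendering a response. embedderOrigin is null for a top-level load.
function browserWouldRender(headers, pageOrigin, embedderOrigin) {
  if (embedderOrigin === null) return true; // not framed at all

  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = headers['Content-Security-Policy'] || '';
  const match = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    if (sources.length === 1 && sources[0] === "'none'") return false;
    return sources.some((s) =>
      s === "'self'" ? embedderOrigin === pageOrigin : s === embedderOrigin
    );
  }

  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // page did not opt out, so it can be framed by anyone
}

// Request handler for a page with a state-changing form; suitable for
// passing to Node's http.createServer().
function accountSettingsHandler(req, res) {
  const headers = antiFramingHeaders('deny');
  for (const name of Object.keys(headers)) {
    res.setHeader(name, headers[name]);
  }
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<form method="post">(constructed placeholder form)</form>');
}
```
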

  24. NoScript Mandatory by Anonymous Coward · · Score: 0

    I can't imagine browsing without NoScript. Firefox has no competition on the computers I own and those I manage not because it's good or better than the others, but because NoScript runs on it.

  25. Re:"Fixes" released? by Anonymous Coward · · Score: 0

    At least ACORN isn't paying off its goons in crack this election. Well, we haven't caught them doing it this time anyways. But ACORN has a long track record of fraud. Not much new there.

  26. With noscript installed... by Mopar93 · · Score: 0

    ...Slashdot pages come up much faster now!

    --
    FixingTheWeb.com Helping to keep the bad guys out...
  27. Re:Are they saying this end-of-the-internet threat by JCSoRocks · · Score: 1

    Yeah, which is lame because I've been using those for years. They're actually really handy in certain situations. ...And that's for legitimate web app work, not spamtastic garbage. In fact if the changes they make are sweeping enough it may break some of my old code... yay.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  28. Other methods that work by Anonymous Coward · · Score: 0

    "That would be great if flashblock itself wasn't susceptible to clickjacking." - by id (11164) on Thursday October 09, @08:15PM (#25322671) Homepage

    Which is a reason why I had suggested other methods vs. the possibility you noted, here on this website a couple weeks back when this surfaced:

    Alarm Raised For "Clickjacking" Browser Exploit:

    http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835

    & that'll do the job also.

    APK

    P.S.=> This is why I've been warning folks about the faulty DOM (why javascript's risky really, mostly) for years now, & more recently in a security guide I wrote that states that basic protective method (i.e.-> "If you don't go into the scripting/iframes/plugins kitchen, you can't get burned"), in the news link URL above...&, it just works - simple, effective, & even allows gains in page rendering speeds as a bonus. Less risk as well, IF a plugin is faulty vs. a certain style of attack also!

    That is, IF you can "obey some rules online/use some constraints" etc. et al ...

    After all - Nearly all the attacks today come from some form of abuse of javascript/iframes/plugins for webbrowsers the past 3-4 yrs. now it seems, & just going to SECUNIA.COM &/or SECURITYFOCUS.COM can show anybody this much... & to myself @ least? This makes utilizing javascript/iframes/plugins, wholesale online on every site you visit... well, risky!

    (imo & this type of news this article denotes, really only seconds my approach as an effective defense method, for me (& I only use javascript/activex/plugins/iframes on sites that DEMAND I do so, for FULL functionality, minimizing the risk, & as a bonus, you also process webpages faster by not using scripting & plugins too))... apk

  29. GUESS AGAIN on javascript (& more)... apk by Anonymous Coward · · Score: 0

    http://www.securityfocus.com/news/11534/2

    SALIENT QUOTE:

    ----

    "JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer"

    ----

    Also, just taking a look around @ sites like securityfocus.com &/or secunia.com will show you, easily mind you, that the majority of attacks out there today online? Javascript/Iframes/plugins driven... & for the past 3-4 yrs. or more, no less.

    Turning off Javascript/IFrames/Plugins keeps you safe(r) vs. THIS attack, & countless others (that aren't only on 'bad site pages' but, even in adbanners the past few years now as well).

    APK

    P.S.=> I had it right here, 2 weeks ago, in regards to the EXACT PLUGIN (Adobe Flash) USED, first off... when news of this FIRST surfaced:

    Alarm Raised For "Clickjacking" Browser Exploit:

    http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835

    & Secondly?

    Well - for more than a year now (& for years beforehand no less), I had been advising folks on 1 of the link URL's I posted there in that URL above (over 27 computer tech forums worldwide) to turn off javascript/iframes/plugins on sites you do NOT "need" to have them running on, for FULL functionality - this way, you stay safe(r) by far...

    (Leave javascript on, for instance, for sites that require data access on say, online banking &/or shopping-commerce websites - BUT, THESE ONLY (to minimize the attack surface upon YOUR system, basically))...

    That way, you're safe, regardless of the browser used (OR, even the OS used, since Javascript's DOM is the same & it is present even on *NIX variants - the only reason Windows is SO often targetted is twofold, imo - First, it has the majority of users (mostly less technically inclined than say, *NIX heads are), & Secondly, it presents the largest target to attack, thus, the highest "ROI" really)... apk