Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 26th, 2008

Researchers discover new cross-browser exploit that affects all major desktop platforms

Researchers are beginning to raise an alarm for what looks like a new browser security threat that affects all major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery are Robert Hansen and Jeremiah Grossman who have released droplets of information to highlight the severity of this issue.

The issue with clickjacking has nothing to do with JavaScript. When a user visits a malicious website, the attacker is able to take control of the links that the browser visits. It’s a fundamental flaw in the way browsers work and cannot be fixed with a simple patch. With this exploit, a malicious web page can make visitors click on any link, any button, or anything else on the page without the user’s permission and even without the user seeing it happen. The average end user would have no idea what’s going on during a Clickjack attack.

For example, eBay would be vulnerable to this since it is possible to embed JavaScript into the web page, although JavaScript is not required to exploit this. The exploit requires DHTML. Forbidding frames (using framebusting code) will prevent cross-domain clickjacking, but an attacker can still force users to click any link on the attacker’s own page. Each click by the user is a clickjacking click, so something like a Flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment. The latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

In the meantime, one workaround is to disable browser scripting and plugins. Another is the NoScript add-on for Firefox: in its default configuration it can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous ones). For 100% protection from NoScript, one must check the “Forbid <IFRAME>” option under “Plugins”.
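The framebusting code the article mentions as a cross-domain defence, written out as an added example (it is not from the article or from the researchers): the page starts hidden, checks whether it is the top-level window, and only reveals itself when it is not framed. The check takes the window and document as parameters so it can be exercised outside a browser; the window-like object is assumed to expose `self`, `top` and `location` as the DOM does.

```javascript
// Added example: framebusting as a defence against cross-domain clickjacking.
// isFramed() is factored out so the decision can be tested without a browser.
// It assumes a window-like object with `self` and `top` properties (as the DOM provides).

function isFramed(win) {
  // A document is framed when its window is not the top-most window.
  // Reading win.top can throw under some cross-origin policies; treat
  // any exception as "framed", which is the conservative answer.
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

function applyFramebusting(win, doc) {
  // Keep the page hidden while the check runs so nothing is clickable,
  // reveal it only when it is the top-level document, and otherwise try
  // to break out of the frame. Returns the action taken, for testing.
  if (!isFramed(win)) {
    doc.documentElement.style.display = 'block';
    return 'shown';
  }
  doc.documentElement.style.display = 'none';
  try {
    win.top.location = win.self.location;
    return 'busted';
  } catch (e) {
    // A hostile parent may block the redirect; the page then stays
    // hidden, so its buttons and links cannot be clicked through an overlay.
    return 'hidden';
  }
}

// In a browser, run this as early as possible in <head>:
//   <style>html { display: none; }</style>
//   <script>applyFramebusting(window, document);</script>
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFramebusting(window, document);
}
```

A framebusting script is only defence in depth: it does nothing when scripting is disabled (which the article itself lists as a workaround), so it is best paired with a server-side frame restriction such as the X-Frame-Options response header, which browsers began to honour after this article was written.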
