How serious is the fallout from the Google Chrome clickjacking vulnerability? Is there a mitigation that can be put in place to avoid serious issues stemming from this vulnerability, or should users consider switching to another browser?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Clickjacking is where malicious code is hidden on a webpage, which gives the impression that a user is clicking on a legitimate link instead of something malicious. The clickjacking vulnerability in Google Chrome was recently identified by security researcher Luca De Fulgentis on support.google.com. The vulnerability allowed a malicious webpage with the exploit code for the clickjacking vulnerability to extract potentially sensitive data from Chrome like email address. This Google Chrome vulnerability is a serious issue, but all of the major Web browsers have suffered clickjacking vulnerabilities at some point. Microsoft, Google and other browser vendors have been working on clickjacking defenses since at least 2008.
One of the significant benefits of Chrome is its support of the Google software development process, which includes rapid updates and improvements to address security vulnerabilities. While the frequent updates and pace of change might be difficult for enterprises to manage, the auto-update functionality helps make updates more manageable.
Protecting from these types of attacks requires securing the desktop and browsers in use and making major changes to the browsers. Switching to a different browser is not going to fix this issue because, as I mentioned, all of the major browsers are or were vulnerable to a clickjacking attack on specific websites. There are also costs involved with switching browsers that might outweigh the potential benefit. An anti-malware tool or intrusion protection system network device might provide protections against these attacks. Clickjacking attacks are also typically website and browser dependent, so if this is a potentially high risk in your environment, the website in question could be blocked or restricted to only allow access to certain Web browsers via a Web proxy.
This was first published in June 2013