A pair of application-security experts have found that a known browser attack technique has more far-reaching implications than previously thought, and say that attackers using the technique can force users to click on essentially any content they choose.
"We can do this with any button on any page anywhere," said Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., who, along with Robert Hansen, identified the serious implications of the technique recently. The pair had planned to deliver a talk on their findings at the Open Web Application Security Project (OWASP) conference in New York this week, but voluntarily canceled the presentation after showing their research to officials at Adobe Systems Inc., who became very concerned about the effect the attack could have on Adobe's customers.
The problem behind the technique, which Grossman and Hansen dubbed
"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."
Grossman said that he and Hansen, an independent security researcher, hope to release the details of their attack along with proof-of-concept code sometime soon, once Adobe has time to address the issue in its software. Grossman would not say which Adobe application the issue affects.
Although they decided not to deliver their original talk at OWASP this week, Grossman and Hansen gave a stripped-down version of the speech instead, omitting many of the details they had planned to include while still trying to get across the seriousness of the issue.
"The audience got the idea that this is bad, but we didn't talk about the specifics," Grossman said. "That will come later. The vendors thought they needed more time."
For the time being, the researchers suggested that concerned users start using Lynx, a text-only browser.