The details of the so-called clickjacking attacks have been released, and it turns out the class of problems affects a wide range of software, including Adobe Flash, Internet Explorer 8 and Firefox.
The attacks, which were first disclosed late last month, enable attackers to employ a number of methods to trick users into clicking on malicious links, including overlaying entire pages, using malicious iFrames and even turning off the security protections in Flash entirely. The vendors whose products are affected by the attacks are at various points in the remediation process, but the researchers who discovered the attacks released the details Tuesday night after a proof-of-concept of one of the attacks hit the Web.
The basic idea behind clickjacking is that it allows attackers to force Web users to click on a malicious link when they think they're clicking on something completely benign. For example, in one of the scenarios that Hansen and Grossman described, an attacker could construct a malicious Web page designed to install a rootkit or other malware on a user's PC and then overlay that entire page with a harmless-looking page, say one that has a Flash-based game on it. As the user clicks on the various links and buttons on the page, he is in fact clicking on hidden links controlled by the attacker.
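The overlay scenario above depends on a page being loadable inside a frame on another site. The following is an added example, not code from the article or the researchers: a check a site owner can run over a response's headers to see whether any third-party origin may embed the page. It assumes the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which the article does not mention, and the sample header values are constructed.

```javascript
// Added example. Header names are real; all sample header values are constructed.
// Collect the frame-ancestors source list from each comma-separated CSP policy.
function frameAncestorLists(csp) {
  const lists = [];
  for (const policy of (csp || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') {
        lists.push(sources.map((s) => s.toLowerCase()));
        break; // within one policy only the first occurrence counts
      }
    }
  }
  return lists;
}

// framable === true means an arbitrary third-party origin may embed the page.
function auditFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  const lists = frameAncestorLists(h['content-security-policy']);
  if (lists.length > 0) {
    const open = (l) => l.some((s) => s === '*' || s === 'http:' || s === 'https:');
    return lists.every(open)
      ? { framable: true, reason: 'frame-ancestors allows any origin' }
      : { framable: false, reason: 'frame-ancestors restricts embedding' };
  }
  // ALLOW-FROM and unknown values count as unprotected: current browsers ignore them.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: 'x-frame-options ' + xfo };
  }
  return { framable: true, reason: 'no effective framing restriction' };
}

// Constructed responses, from unprotected to protected.
const samples = [
  { 'Content-Type': 'text/html' },
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  { 'X-Frame-Options': 'sameorigin' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
];
for (const s of samples) console.log(JSON.stringify(s), '->', auditFraming(s));
```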
Hansen and Grossman also discovered ways in which the attacks can be used to silently take control of a webcam or microphone installed on a victim's machine.
Many of the issues that the researchers identified involve the use of Flash. There are separate problems with Flash in Firefox on Mac OS X and Flash in a beta version of IE 8. Adobe is in the process of addressing the Flash vulnerabilities in its upcoming release of Flash 10, Hansen wrote in his post, and Mozilla already fixed a problem with its NoScript plug-in in the latest releases of the add-on.
In an interview about the attacks before the details were released, Grossman said that although the kind of methods they used were known previously, their potential had been discounted.
"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."