Clickjacking details released after attack proof-of-concept emerges

By Dennis Fisher, Executive Editor
08 Oct 2008 | SearchSecurity.com

Security Wire Daily News

The details of the so-called clickjacking attacks have been released, and it turns out that the class of problems affects a wide range of software, including Adobe Flash, Internet Explorer 8 and Firefox.


The attacks, which were first disclosed late last month, enable attackers to employ a number of methods to trick users into clicking on malicious links, including overlaying entire pages, using malicious iframes and even turning off the security protections in Flash entirely. The vendors whose products are affected by the attacks are at various points in the remediation process, but the researchers who discovered the attacks released the details Tuesday night after a proof-of-concept of one of the attacks hit the Web.

Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., wrote in a blog post detailing the clickjacking attacks that there are a number of different ways to accomplish clickjacking, and not all of the methods rely on JavaScript or cross-site request forgery (CSRF).

"First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot," Hansen wrote. "Some requires JavaScript, some doesn't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

The basic idea behind clickjacking is that it allows attackers to force Web users to click on a malicious link when they think they're clicking on something completely benign. For example, in one of the scenarios that Hansen and Grossman described, an attacker could construct a malicious Web page designed to install a rootkit or other malware on a user's PC and then overlay that entire page with a harmless-looking page, say one that has a Flash-based game on it. As the user clicks on the various links and buttons on the page, he is in fact clicking on hidden links controlled by the attacker.
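The overlay and iframe variants described above only work if the target page lets another site embed it. As an added example, not code from the article or from Hansen and Grossman's post, the following helper audits a response's headers and reports whether the page can be framed; the X-Frame-Options and CSP frame-ancestors headers it checks are later browser-side mitigations the article does not mention, and the sample responses are constructed.

```javascript
// Added example (not from the article): audit a response's headers to tell
// whether the page can be framed by another site and overlaid, which the iframe
// variants of clickjacking need. X-Frame-Options and CSP frame-ancestors are
// later browser mitigations the 2008 article does not mention.

// Case-insensitive header lookup; values may be arrays as Node.js returns them.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  if (key === undefined) return null;
  return Array.isArray(headers[key]) ? headers[key].join(", ") : String(headers[key]);
}

// Returns { protected, mechanism, detail } for one response's header set.
function framingProtection(headers) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp) {
    // If frame-ancestors is present the browser ignores X-Frame-Options.
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      const open = sources.some((s) => s === "*" || s === "http:" || s === "https:");
      return open
        ? { protected: false, mechanism: "csp", detail: "frame-ancestors allows any origin" }
        : { protected: true, mechanism: "csp", detail: sources.join(" ") };
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") {
      return { protected: true, mechanism: "xfo", detail: value };
    }
    // ALLOW-FROM and misspellings were never reliably enforced by browsers.
    return { protected: false, mechanism: "xfo", detail: `unsupported value: ${xfo}` };
  }
  return { protected: false, mechanism: null, detail: "no anti-framing header" };
}

// Constructed sample responses (not real sites) to run the check against.
const SAMPLE_RESPONSES = {
  "legacy-game-page": { "Content-Type": "text/html" },
  "settings-page": { "X-Frame-Options": "deny" },
  "misconfigured": { "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY" },
};

// Names of the sample pages that a third-party site could frame and overlay.
function frameablePages(responses) {
  return Object.entries(responses)
    .filter(([, headers]) => !framingProtection(headers).protected)
    .map(([name]) => name);
}
```

Note that "misconfigured" is reported as frameable even though it sends X-Frame-Options: DENY, because a present frame-ancestors directive takes precedence in the browser.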


Hansen and Grossman also discovered ways in which the attacks can be used to silently take control of a webcam or microphone installed on a victim's machine.

Many of the issues that the researchers identified involve the use of Flash. There are separate problems with Flash in Firefox on Mac OS X and Flash in a beta version of IE 8. Adobe is in the process of addressing the Flash vulnerabilities in its upcoming release of Flash 10, Hansen wrote in his post, and Mozilla already fixed a problem with its NoScript plug-in in the latest releases of the add-on.

In an interview about the attacks before the details were released, Grossman said that although the kind of methods they used were known previously, their potential had been discounted.

"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."


