Link from Information Week
Using Firefox with the NoScript extension and activating the NoScript option Forbid i frame is the best current protection. Update: NoScript has been updated to incorporate additional ClickJacking-specific protections.
This is generally good information, too, regardless of what browser or platform you use.
'Clickjacking' Attack Prompts Warning To Disable Browser Plug-Ins
The flaw affects Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera and could trick a user into clicking on content from another page.
By Thomas Claburn
InformationWeek
September 26, 2008 06:45 PM
A mysterious cross-platform Web browser exploit technique called "Clickjacking" has led to a call to disable all browser scripting and plug-ins until the vulnerability can be addressed.
U.S. CERT on Friday issued a warning about the technique. Citing a September 15 blog post by Jeremiah Grossman, founder and CTO of WhiteHat Security, U.S. CERT said, "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a Web page, they may actually be clicking on content from another page."
The government security agency also said the flaw affects most Web browsers and that no fix is available, but that risks can be mitigated by disabling scripting and plug-ins in one's browser.
For Firefox users, the NoScript Firefox extension can do that. Grossman in a blog comment posting also suggests the use of security-related plug-ins like FlashBlock, Adblock Plus, and CustomizeGoogle. (Presumably, these plug-ins should not be disabled.)
Clickjacking affects Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Opera.
"It affects all modern browsers," said Robert "RSnake" Hansen, founder and CEO of SecTheory.
Hansen likens clickjacking to cross-site request forgery, another form of Web attack. "It's a very straight-forward, simple attack," he said. "It basically just takes your mouse click and repurposes it for something that it wasn't originally intended for."
Grossman and Hansen discovered the vulnerability and planned to discuss it at the 2008 OWASP USA, NYC security conference this week. But they decided not to give their presentation because the issues they discovered were so serious that they felt compelled not to reveal the vulnerability until it can be addressed.
That has meant discussions with Adobe, Microsoft, and Mozilla, and other major browser vendors. The reason Adobe is involved is that its Flash software, installed in almost all of the browsers out there, can be used for a clickjacking exploit.
But the issue is not specific to Adobe Flash. "It is a generic thing," said Hansen. "Adobe is affected but the irony is that we don't think it really has much to do with them at all. They're affected but so are tons and tons of other things, Web sites, plug-ins, all kinds of stuff."
Hansen said this isn't an Internet-breaking bug along the lines of the vulnerability search researcher Dan Kaminsky disclosed in August. "Kaminsky's bug really, truly affected everyone, everywhere," he said. "You could do really nasty things to people without having any interaction with them whatsoever. Our bug, it does require user interaction. It's very point and shoot, very targeted. It works on a one-off basis. ...It is about the same severity as any of your normal buffer overflows that you'll find in modern browsers, the only difference being that, unlike a buffer overflow, you can't fix it quickly."
"I have not iterated through all the possibilities of this exploit, not even a little bit," he said. "I spent probably a week thinking about the problem, maybe two days coming up with exploit code, and another couple of hours looking at various Web sites, plug-ins, and other things, looking to see what might be vulnerable. And in the process of doing that, pretty much everything I poked at broke."
Ironically, Web sites that attempt to be more secure end up being less secure with regard to clickjacking. The reason, says Hansen, is that sites that try to protect against cross-site request forgery end up making themselves vulnerable to this attack.
-
Thanks @ John.. I get an error when trying to get in the NoScript extension... some file not found error. Any ideas?
-
When installing (the green install status bar was almost to the end).. and then it gave this error.
I am thinking if it was because of the AV??
Just to make sure > https://addons.mozilla.org/en-US/firefox/addon/722 it's this one, right? -
-
AKAJohnDoe Mime with Tourette's
Are you by any chance running ThreatFire? I've been reading around the 'net here and there about it interfering with downloads and such. I do not run TF myself, and do not intend to, so have only second-hand knowledge. -
have adblockplus, pdfdownload...
-
Yeah it was TF.. installed now...
But have no idea of how to set the options.. LOL..
For example, now with forbid i frame I don't see some parts of NBR.. the top middle box and the left box below the 'latest laptop discussions'... lol..
Guess I have to read through more to understand
Thanks anyways, John. -
AKAJohnDoe Mime with Tourette's
I actually whitelisted technologyguide.com and notebookreview.com (among others) in NoScript
You'll find that unless you want to be nagged to death (perhaps even more insistently than Vista's UAC), you will probably end up with a set of whitelisted URLs that you more or less "trust" in NoScript -
me too, I whitelisted them.. and trying to understand better.. for the java plugins, etc options, if I enable forbid java, forbid adobe flash, forbid other plugins, then the effect will be global except for the whitelisted sites right???
-
AKAJohnDoe Mime with Tourette's
Yes. Which is as you want it. You then have the choice. Many sites work without them. Yahoo and eBay are probably the most difficult to configure.
You might want to export the WhiteList as a text file. It can come in handy should you ever need to import it again. -
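A simplified model of the whitelist behaviour confirmed in the exchange above, added here as an example; it is not NoScript's own code or logic. It lists the frames and plug-in content a page embeds and marks each one allowed or blocked, assuming the decision is keyed on the host serving the embedded content; the host names and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute naming the embedded resource, kind of "forbid" switch).
EMBED_TAGS = {
    "iframe": ("src", "frame"),
    "frame": ("src", "frame"),
    "object": ("data", "plugin"),
    "embed": ("src", "plugin"),
    "applet": ("code", "plugin"),
}

def host_is_whitelisted(host, whitelist):
    """True if host is a whitelisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in whitelist)

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url, whitelist):
        super().__init__()
        self.page_url = page_url
        self.whitelist = {d.lower() for d in whitelist}
        self.findings = []  # (kind, host, verdict) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        attr, kind = EMBED_TAGS[tag]
        src = dict(attrs).get(attr)
        if not src:
            return
        # Relative references resolve against the embedding page.
        host = urlsplit(urljoin(self.page_url, src)).hostname or ""
        allowed = host_is_whitelisted(host, self.whitelist)
        self.findings.append((kind, host, "allow" if allowed else "block"))

def audit(html, page_url, whitelist):
    auditor = EmbedAuditor(page_url, whitelist)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page and whitelist (hypothetical hosts).
PAGE_URL = "http://forum.example.com/thread"
WHITELIST = ["forum.example.com"]
SAMPLE_PAGE = """<html><body>
<iframe src="/sidebar.html"></iframe>
<iframe src="http://ads.example.net/banner.html"></iframe>
<embed src="http://media.example.org/player.swf">
<object data="http://cdn.forum.example.com/clip.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, PAGE_URL, WHITELIST):
        print(*finding)
```

Entries marked "block" are the candidates to review before adding their host to the whitelist.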
Yeah.... I just tried with different settings, for different sites and once selected in the whitelist it's fine... anyway, kinda seems a bit of pain though, particularly while browsing through many sites...... baaahhhh...
-
AKAJohnDoe Mime with Tourette's
If you go to a lot of different sites, and new sites that you haven't been to before, you might want to look at some sort of virtualization (e.g.: ReturNIL; SandBoxIE; VMWare) and simply do whatever you want, secure in the knowledge that whatever you do is going to be discarded, so no permanent changes to your PC will be made. I'm not that adventurous in my web surfing, so I just close most of the ways in and out and take frequent backups.
-
Thanks, John... I get ur point...
I am not adventurous either.. still there are quite a few journal sites and stuff that I visit, browsing from one back reference to another... though, it seems to be a one time affair.. once added to the whitelist, it's all ok though... anyway, guess I'll get used to it and better safe than sorry on any day
-
The NoScript whitelist approach can be duplicated in IE using IE Zones. By disabling plugins and scripts in the Internet Zone, all sites visited except those you put in the Trusted Zones (white list) are prevented from using them. IE provides quick access to zones by double clicking the zone display in the status bar.
NoScript provides much simpler management to white listing, but it can at least be done in IE. And I imagine it is just as effective at clickjack prevention. -
A new article, worth giving a read through, IMO....
A Look at the ‘Clickjacking’ Web Attack and Why You Should Worry
http://www.webmonkey.com/blog/A_Look_at_the__Clickjacking__Web_Attack_and_Why_You_Should_Worry -
Thanks John for the article.
So, clickjackin' is the word du jour/semaine.
NoScript FTW! -
AKAJohnDoe Mime with Tourette's
I just read elsewhere that there is an update to the NoScript extension to Firefox regarding this topic.
-
AKAJohnDoe Mime with Tourette's
BTW, if you would like to observe one of these, my own website apparently uses them. The main buttons on the initial page are blocked by NoScript.
-
AKAJohnDoe Mime with Tourette's
Quite a bit more detail HERE
-
usapatriot Notebook Nobel Laureate
I reckon' I'm pretty safe with FF3 and NoScript.
-
Clickjacking Exploit Affects All Browsers
Discussion in 'Windows OS and Software' started by AKAJohnDoe, Sep 27, 2008.