A no-GUI browser obviously isn't realistic, but even disabling the cool features of the Web won't guarantee protection from this invisible and potentially lethal Web-borne attack, according to Jeremiah Grossman and Robert (RSnake) Hansen, the researchers who discovered it. "There's no way to avoid it," says Grossman, CTO of WhiteHat Security. "It's going to happen -- that's the problem with it."
Grossman says he plans to finally go public with the details of this new form of clickjacking later this month at the Hack In The Box conference in Kuala Lumpur, Malaysia -- he and Hansen agreed to hold off on disclosing their new findings at last month's OWASP USA security conference after Adobe requested time to patch an application found to be affected by the attack. (See Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)
The attacker can slide any malware underneath the mouse such that the user has no idea he or she is in the danger zone. So on the Website, a user could click on a bad link chosen by the attacker and the user would have no clue because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.
Clickjacking is both a Web and a browser problem, but the fixes likely need to come from the browser vendors. But Hansen, founder of SecTheory LLC, says it's not a single line of code-type fix -- it goes to the way browsers work.
A true fix would likely require a complete rearchitecting of the browser, Grossman says. Those things don't happen quickly -- or maybe ever.
The researchers have written generic exploit code of the attack, which Grossman will demonstrate via a video at Hack in the Box.
Paul Henry, lead forensic investigator for Forensics & Recovery LLC, says clickjacking and other Web threats are not just browser issues -- users aren't installing the latest browser versions and patches. "We do not necessarily have a browser issue here -- we first and foremost have a browser and plugin patch management issue," Henry says. "Patch our browsers and associated plugins, and you will dramatically impact Web-borne malware."
Henry says Firefox 3.03 with a plugin called NoScript "absolutely rocks and is my browser of choice."
"If they [users] disable scripting, plugins, and frames all together, they're safe. This is a guaranteed way to protect against it, but a good portion of the Web becomes less usable," he says. "NoScript and, to a minor extent, Opera's Site Preferences, provide an easy and quick way to default deny dangerous technologies while keeping usability on sites we trust."
"The browser is really not to blame, at least in this case, because there's no bug involved -- it's just a flaw in the physiological way the modern Web is supposed to work," Maone says.
Still, it doesn't help that browser vendors are basically reacting to new threats rather than preempting them in their products, says Agnelo Fernandes, technical head for MicroWorld Technologies USA. "They are always in firefighting [mode]," he says.
Meanwhile, Grossman isn't confident that browser vendors will come up with fixes any time soon. He says he doesn't expect any comprehensive solutions for a year or more, although there may be some defensive fixes released sooner.
Mozilla and Microsoft say they're currently investigating the issue. Bill Sisk, security response communications manager for Microsoft, said in a statement that the software company will take steps to determine how customers can protect themselves should we confirm the vulnerability and then either release a security update or tips for customers to protect themselves.