If you’re looking for a quick fix to protect your users from the new major “clickjacking” Web threat, it’s either disable all JavaScript, ActiveX, plugins, and iFrames, or revert back to an old-school text-based browser (think Linx). In other words, forget graphics or Web 2.0.
A no-GUI browser obviously isn’t realistic, but even disabling the cool features of the Web won’t guarantee protection from this invisible and potentially lethal Web-borne attack, according to Jeremiah Grossman and Robert (RSnake) Hansen, the researchers who discovered it. “There’s no way to avoid it,” says Grossman, CTO of WhiteHat Security . “It’s going to happen… that’s the problem with it.”
Grossman says he plans to finally go public with the details of this new form of clickjacking later this month at the Hack In The Box conference in Kuala Lumpur, Malaysia -- he and Hansen agreed to hold off on disclosing their new findings at last month’s OWASP USA security conference after Adobe requested time to patch an application found to be affected by the attack. (See Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)
The clickjacking concept is nothing new, but the threat that Grossman and Hansen discovered is. It spans multiple browser families and doesn’t even require that a user click on anything. Just loading a compromised page sets off the attack, and clicking on that page will likely make things worse for the victim, they say. “And whether JavaScript is on or off, it will affect you,” he says.
The attacker can slide any malware underneath the mouse such that the user has no idea he or she is in the danger zone. So on the Website, a user could click on a bad link chosen by the attacker and the user would have no clue because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.
Clickjacking is both a Web and a browser problem, but the fixes likely need to come from the browser vendors. But Hansen, founder of SecTheory LLC, says it’s not a single line of code-type fix -- it goes to the way browsers work.
“A true fix would likely require a complete rearchitecting of the browser,” Grossman says. “Those things don't happen quickly -- or maybe ever.”
The researchers have written “generic exploit code” of the attack, which Grossman will demonstrate via a video at Hack in the Box.
Paul Henry, lead forensic investigator for Forensics & Recovery LLC, says clickjacking and other Web threats are not just browser issues -- users aren’t installing the latest browser versions and patches. “We do not necessarily have a browser issue here -- we first and foremost have a browser and plugin patch management issue,” Henry says. “Patch our browsers and associated plugins, and you will dramatically impact Web-borne malware.”
Henry says Firefox 3.03 with a plugin called NoScript "absolutely rocks and is my browser of choice."
NoScript is a Firefox plugin that, among other things performs whitelisting of trusted sites, letting them run JavaScript and plugin content, but can also ban plugins and IFRAMEs on trusted sites as needed, says Giorgio Maone, a security expert who wrote NoScript. It basically lets the user click to enable these features on trusted sites and then “learns” those choices so that it does so automatically.
“If they [users] disable scripting, plugins, and frames all together, they're safe. This is a guaranteed way to protect against it, but a good portion of the Web becomes less usable,” he says. “NoScript and, to a minor extent, Opera's ‘Site Preferences,’ provide an easy and quick way to ‘default deny’ dangerous technologies while keeping usability on sites we trust.”
Maone maintains that the browser isn’t to blame for clickjacking. It’s the Web features we rely on today, he says. “Specifically, the abilities to incorporate documents, multimedia clips, and applets from different sources in the same page through frames and plugin embeddings, or to change the appearance and the position of every element of the page even dynamically using JavaScript and CSS, are something Web authors heavily rely upon today, but they're also the culprit of this and other security issues,” he says.
“The browser is really not to blame, at least in this case, because there's no ‘bug’ involved -- it’s just a flaw in the physiological way the modern Web is supposed to work,” Maone says.
Still, it doesn’t help that browser vendors are basically reacting to new threats rather than preempting them in their products, says Agnelo Fernandes, technical head for MicroWorld Technologies USA. “They are always in firefighting [mode],” he says.
Meanwhile, Grossman isn’t confident that browser vendors will come up with fixes any time soon. He says he doesn’t expect any comprehensive solutions for a year or more, although there may be some defensive fixes released sooner.
Mozilla and Microsoft say they’re currently investigating the issue. Bill Sisk, security response communications manager for Microsoft, said in a statement that the software company “will take steps to determine how customers can protect themselves should we confirm the vulnerability” and then either release a security update or tips for customers to protect themselves.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.