Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:40 AM
Connect Directly

Clickjacking Defense Will Require Browser Overhaul

The researchers who discovered the new clickjacking attack say fixes won't likely be coming soon

If you’re looking for a quick fix to protect your users from the new major “clickjacking” Web threat, it’s either disable all JavaScript, ActiveX, plugins, and iFrames, or revert back to an old-school text-based browser (think Linx). In other words, forget graphics or Web 2.0.

A no-GUI browser obviously isn’t realistic, but even disabling the cool features of the Web won’t guarantee protection from this invisible and potentially lethal Web-borne attack, according to Jeremiah Grossman and Robert (RSnake) Hansen, the researchers who discovered it. “There’s no way to avoid it,” says Grossman, CTO of WhiteHat Security . “It’s going to happen… that’s the problem with it.”

Grossman says he plans to finally go public with the details of this new form of clickjacking later this month at the Hack In The Box conference in Kuala Lumpur, Malaysia -- he and Hansen agreed to hold off on disclosing their new findings at last month’s OWASP USA security conference after Adobe requested time to patch an application found to be affected by the attack. (See Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)

The clickjacking concept is nothing new, but the threat that Grossman and Hansen discovered is. It spans multiple browser families and doesn’t even require that a user click on anything. Just loading a compromised page sets off the attack, and clicking on that page will likely make things worse for the victim, they say. “And whether JavaScript is on or off, it will affect you,” he says.

The attacker can slide any malware underneath the mouse such that the user has no idea he or she is in the danger zone. So on the Website, a user could click on a bad link chosen by the attacker and the user would have no clue because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.

Clickjacking is both a Web and a browser problem, but the fixes likely need to come from the browser vendors. But Hansen, founder of SecTheory LLC, says it’s not a single line of code-type fix -- it goes to the way browsers work.

“A true fix would likely require a complete rearchitecting of the browser,” Grossman says. “Those things don't happen quickly -- or maybe ever.”

The researchers have written “generic exploit code” of the attack, which Grossman will demonstrate via a video at Hack in the Box.

Paul Henry, lead forensic investigator for Forensics & Recovery LLC, says clickjacking and other Web threats are not just browser issues -- users aren’t installing the latest browser versions and patches. “We do not necessarily have a browser issue here -- we first and foremost have a browser and plugin patch management issue,” Henry says. “Patch our browsers and associated plugins, and you will dramatically impact Web-borne malware.”

Henry says Firefox 3.03 with a plugin called NoScript "absolutely rocks and is my browser of choice."

NoScript is a Firefox plugin that, among other things performs whitelisting of trusted sites, letting them run JavaScript and plugin content, but can also ban plugins and IFRAMEs on trusted sites as needed, says Giorgio Maone, a security expert who wrote NoScript. It basically lets the user click to enable these features on trusted sites and then “learns” those choices so that it does so automatically.

“If they [users] disable scripting, plugins, and frames all together, they're safe. This is a guaranteed way to protect against it, but a good portion of the Web becomes less usable,” he says. “NoScript and, to a minor extent, Opera's ‘Site Preferences,’ provide an easy and quick way to ‘default deny’ dangerous technologies while keeping usability on sites we trust.”

Maone maintains that the browser isn’t to blame for clickjacking. It’s the Web features we rely on today, he says. “Specifically, the abilities to incorporate documents, multimedia clips, and applets from different sources in the same page through frames and plugin embeddings, or to change the appearance and the position of every element of the page even dynamically using JavaScript and CSS, are something Web authors heavily rely upon today, but they're also the culprit of this and other security issues,” he says.

“The browser is really not to blame, at least in this case, because there's no ‘bug’ involved -- it’s just a flaw in the physiological way the modern Web is supposed to work,” Maone says.

Still, it doesn’t help that browser vendors are basically reacting to new threats rather than preempting them in their products, says Agnelo Fernandes, technical head for MicroWorld Technologies USA. “They are always in firefighting [mode],” he says.

Meanwhile, Grossman isn’t confident that browser vendors will come up with fixes any time soon. He says he doesn’t expect any comprehensive solutions for a year or more, although there may be some defensive fixes released sooner.

Mozilla and Microsoft say they’re currently investigating the issue. Bill Sisk, security response communications manager for Microsoft, said in a statement that the software company “will take steps to determine how customers can protect themselves should we confirm the vulnerability” and then either release a security update or tips for customers to protect themselves.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • WhiteHat Security
  • SecTheory LLC
  • Mozilla
  • Microsoft Corp. (Nasdaq: MSFT) Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Where Businesses Waste Endpoint Security Budgets
    Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
    US Mayors Commit to Just Saying No to Ransomware
    Robert Lemos, Contributing Writer,  7/16/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Now this is the worst micromanagment I've seen.
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-07-20
    An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
    PUBLISHED: 2019-07-20
    An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
    PUBLISHED: 2019-07-20
    An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
    PUBLISHED: 2019-07-19
    An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
    PUBLISHED: 2019-07-19
    A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.