Click Jacking?
Moon Puppy
Ultimate UFSC Member
Joined: 26 Aug 2006
Posts: 7047
Click Jacking?

Clickjacking: Researchers raise alert for scary new cross-browser exploit

Quote:
Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen (left) and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

Clickjacking details emerge

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

* In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.


I'm still reading the article but thought to pass it on for some of you smart people to take a look at it and see what's up.
_________________
You can't hold a liberal responsible for their words because it's character assassination.

Post Fri Sep 26, 2008 10:37 am 
Oregonian
UFSC Administrator
Joined: 12 Sep 2004
Posts: 16070
Location: Coquille, OR

Ewwwww! Guess it's a good idea to mouse over a link and look where it's taking you before you click.

Don't know if this will help. It's a Firefox add-on that has identified a lot of malicious websites. I use it.

WOT, Web of Trust

Bummer :(
_________________


Women and cats will do as they please, and men and dogs should relax and get used to the idea. - Robert Heinlein

Post Fri Sep 26, 2008 11:42 am 
Sirwen
UFSC Moderator
Age: 49
Joined: 12 Dec 2004
Posts: 9820

My AV scanner has popped up a couple of boxes about a threat on a couple of links. It asks me do I want to continue, I tell it no, and it closes it down. This has just happened in the last month.

Still..... BUMMER!!! :evil:
_________________


Post Fri Sep 26, 2008 12:51 pm 
Kiss the SKY
Super UFSC Member
Age: 57
Joined: 18 Aug 2008
Posts: 747

Sirwen wrote:
My AV scanner has popped up a couple of boxes about a threat on a couple of links. It asks me do I want to continue, I tell it no, and it closes it down. This has just happened in the last month.

Still..... BUMMER!!! :evil:



Ditto
_________________
Do not be quick to take offence, for it is fools who nurse resentment. King Solomon

Post Fri Sep 26, 2008 2:00 pm 
Moon Puppy
Ultimate UFSC Member
Joined: 26 Aug 2006
Posts: 7047

This is not a virus or something that can be blocked currently. I also don't know if it's out in the wild yet. Got distracted at work and couldn't finish this read today. Will do later.

Post Fri Sep 26, 2008 3:47 pm 
Gadget Wizard
UFSC Administrator
Age: 48
Joined: 24 Jul 2004
Posts: 12798
Location: Upstate SC

Quote:
According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com

Not good !!

Here's how to mitigate the problem using Firefox..

http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html

I use NoScript anyway so option #2 seems like a good approach for me.

This seems like a pretty good option until the root of the problem is corrected.
_________________

"Linux is more than an OS, it's a state of mind."






Post Fri Sep 26, 2008 4:14 pm 
Oregonian
UFSC Administrator
Joined: 12 Sep 2004
Posts: 16070
Location: Coquille, OR

From the site GW posted.

That was quick and easy. Good link GW!

This should work for other browsers too.
Option #2: Use Noscript To Stop Attack

Download latest version of NoScript Firefox plugin. NoScript for Firefox pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust. Once installed restart Firefox. Click on NoScript icon located on bottom right status bar > Select options > Click on Forbid [IFRAME] > Ok



Post Fri Sep 26, 2008 6:17 pm 
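
An added illustration, not part of the thread and not NoScript's code: what a "Forbid [IFRAME]" style setting amounts to, as a Python filter that drops `<iframe>` elements unless the frame's resolved host is on a trusted list. `forbid_iframes`, the host names and the sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one third-party frame, one same-site frame.
PAGE_URL = "http://news.example/story"
SAMPLE = ('<p>News &amp; weather<br/></p>'
          '<iframe src="//ads.untrusted.example/banner"></iframe>'
          '<iframe src="/comments"></iframe>')

class IframeFilter(HTMLParser):
    """Re-emit a page, dropping <iframe> elements from hosts that are not trusted."""
    def __init__(self, page_url, trusted_hosts):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.page_url, self.trusted = page_url, {h.lower() for h in trusted_hosts}
        self.out, self.blocked, self.skipping = [], [], False

    def emit(self, text):
        if not self.skipping:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and not self.skipping:
            src = dict(attrs).get("src")
            # Resolve relative and scheme-relative sources against the page URL.
            url = urljoin(self.page_url, src) if src else "(no src)"
            if (urlsplit(url).hostname or "").lower() not in self.trusted:
                self.blocked.append(url)
                self.skipping = True  # also drop the frame's fallback content
                return
        self.emit(self.get_starttag_text())

    handle_startendtag = handle_starttag  # "<br/>" is emitted once, verbatim

    def handle_endtag(self, tag):
        self.emit(f"</{tag}>")
        if tag == "iframe":
            self.skipping = False  # a frame ends at the first </iframe>

    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")
    def handle_comment(self, data): self.emit(f"<!--{data}-->")
    def handle_decl(self, decl): self.emit(f"<!{decl}>")

def forbid_iframes(html, page_url, trusted_hosts):
    parser = IframeFilter(page_url, trusted_hosts)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked
```

Calling `forbid_iframes(SAMPLE, PAGE_URL, {"news.example"})` keeps the same-site comments frame and reports the third-party frame as blocked; a frame with no `src` is treated as untrusted.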