September 25th, 2008

Clickjacking: Researchers raise alert for scary new cross-browser exploit

Posted by Ryan Naraine @ 7:50 am

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking? According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:
If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.
According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment. Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world.
This article originally published at: http://blogs.zdnet.com/security/?p=1972