September 25th, 2008

Clickjacking: Researchers raise alert for scary new cross-browser exploit

Posted by Ryan Naraine @ 7:50 am

Categories: Adobe, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Exploit code, Firefox, Flash, Google, Google Chrome, Java, Locally Running Web Servers, Malware, Microsoft, Mozilla, Patch Watch, Research, Responsible disclosure, Vulnerability research, Zero-day attacks, eBay

Tags: JavaScript, Web Browser, Web Browsers, Scripting Languages, Internet, Software/Web Development, Web Development, Ryan Naraine

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen (left) and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

• In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider than the average end user would have no idea what’s going on during a Clickjack attack.

• Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.  “It makes it easier in many ways, but you do not need it.”  Use lynx to protect yourself and don’t do dynamic anything.  You can “sort of” fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

• In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.