17 October 2008
The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.
What's worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.
Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.
By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.
The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in.
"If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security," Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.
Disguised links lurk behind clickable buttons
In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.
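On the defensive side, the way a site keeps its real buttons from being embedded beneath someone else's decoy is to tell the browser not to render the page inside another site's frame at all. The two browser-enforced mechanisms for that, the X-Frame-Options header (which shipped with IE8 in 2009) and the frame-ancestors directive of Content-Security-Policy, both post-date this article. The following JavaScript is an added example, not code from the article or from Hansen and Grossman's research: run under Node, it takes a response's headers and reports whether they forbid framing. The header names and values are the real ones; the sample responses and hostnames at the bottom are constructed for illustration.

```javascript
// Added example (not from the Windows Secrets article): classify whether an
// HTTP response tells the browser to refuse framing, the standard defence
// against clickjacking. X-Frame-Options and CSP frame-ancestors are real
// headers; the sample responses below are constructed.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns an array of lower-cased sources, or null if the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object keyed by lower-cased header name, as Node's http
// module presents them. Returns { protected, reason }.
function assessFramingProtection(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();

  // Browsers that understand frame-ancestors use it and ignore
  // X-Frame-Options, so the CSP directive is evaluated first.
  if (ancestors) {
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { protected: true, reason: "CSP frame-ancestors 'none' (no framing allowed)" };
    }
    // '*' or a bare scheme such as https: lets any site frame the page.
    const wildcard = ancestors.find((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    if (wildcard) {
      return { protected: false, reason: `CSP frame-ancestors ${wildcard} permits framing by any origin` };
    }
    return { protected: true, reason: `CSP frame-ancestors limited to ${ancestors.join(' ')}` };
  }

  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never standardised and current browsers ignore it,
    // which leaves the page framable despite the header being present.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by current browsers' };
  }
  if (xfo) {
    return { protected: false, reason: `invalid X-Frame-Options value "${xfo}" is ignored` };
  }
  return { protected: false, reason: 'no X-Frame-Options or frame-ancestors header' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  bankLogin: { 'x-frame-options': 'DENY' },
  legacyPartner: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  modernApp: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://portal.example",
  },
  unprotected: { 'content-type': 'text/html' },
};

// Evaluate every sample and return the results keyed by sample name.
function report(samples) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = assessFramingProtection(headers);
  }
  return out;
}

for (const [name, result] of Object.entries(report(SAMPLES))) {
  console.log(`${name}: ${result.protected ? 'protected' : 'FRAMABLE'} (${result.reason})`);
}
```

Two caveats a practitioner should keep in mind: these headers govern only HTML documents, so they say nothing about plug-in content such as Flash or Silverlight, which the article notes is affected as well; and a header that is present but malformed (the ALLOW-FROM case above) is silently ignored by the browser, so a check like this one should flag it rather than treat any X-Frame-Options value as protection.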
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.
They point out that even users who watch their systems like a hawk can be victimized.
"There's really no way to know if what you're looking at is real," Hansen told Windows Secrets.
In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a "new class" of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.
Clickjacking isn't new. In fact, it dates back to at least 2002, Hansen said. What's new is the range of browser vulnerabilities that make clickjacking possible.
Hansen's blog posting describes the scope most clearly:
"Most browsers are going to be vulnerable," Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft's upcoming browser to be patched by the time it's released later this year.