Clickjacking - Multi-Browser Exploit

Started by Corrine, September 26, 2008, 04:04:25 PM


Corrine

Clickjacking affects Microsoft Internet Explorer (including IE8 Beta), Mozilla Firefox, Apple Safari, Opera as well as Adobe Flash. As quoted in Clickjacking: Researchers raise alert for scary new cross-browser exploit at ZDNet by Ryan Naraine:

Quote: "In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."

Users of Firefox do have a safety net with the NoScript add-on. With NoScript, you allow active content to run only from sites you trust. 

NoScript Add-On:  https://addons.mozilla.org/en-US/firefox/addon/722
NoScript Features:  http://noscript.net/features

After installing NoScript, click Options > Plugins and check the box:


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

R-C

is this the exact type of exploit used in the anatomy of a malware scam article or is this a variation of that or something different?
I think a lot of those antivirus xp ones I have seen involved iframe issues.

I have never used NoScript. How hard is it to get used to?
I so rarely use my windows boxes to surf any more I probably should put it on them for the rare occasion I do use them.
I know this can affect the browsers on linux too but the actual antivirus xp won't install so that is not a problem.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

R-C

Just saw that NoScript has been updated. This is from the site:
"# New exclusive ClearClick anti-Clickjacking technology to disable user interaction with partially obstructed or not clearly visible embedded objects. Enabled by default on untrusted pages, you can configure it to work on trusted pages as well in NoScript Options|Plugins; enforcing it everywhere will likely become the default after extensive testing.
# NoScript Options|Plugins|Opacize embedded objects preference to defeat opacity-based attacks."
http://noscript.net/
info
http://hackademix.net/2008/09/27/clickjacking-and-noscript/

Corrine

I received a FF notice that there was an update to one of my add-ons. Sure enough, it was for NoScript.

See the latest update:  Hello ClearClick, Goodbye Clickjacking!


R-C

Good new article with an example of it being performed using a game to take control of a webcam.
http://blogs.zdnet.com/security/?p=2005
Quote:
"In Guy Aharonovsky's demo game, a Web page is set up to seamlessly hide another page in the background that's actually managing the target's Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user's clicks to modify the Flash privacy settings and take complete control of the installed webcam.

If you don't want to try it or don't have a webcam connected, you can see the attack in action in this YouTube video."
