Extremely serious threat...


mjc
09-26-2008, 09:43 PM
A new zero-day threat has been discovered...one that affects almost all browsers in existence, and by inference, all operating systems. It is called 'clickjacking'.

It has been described as a "fundamental flaw" in modern browsers. Apparently the only browser that is totally immune to it is Lynx (http://lynx.isc.org/).

Clickjacking isn't a new attack vector, but according to Grossman and Hansen, it's one that is "severely underappreciated and largely undefended." What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konqueror, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx.

http://arstechnica.com/news.ars/post/20080926-new-clickjacking-affects-all-browsers-cause-remains-unknown.html

'Clickjacking' seems to be something that has been noted in passing, but never really looked at in much detail.

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

http://www.webadminblog.com/index.php/2008/09/24/new-0day-browser-exploit-clickjacking-owasp-appsec-nyc-2008/

Also, the NoScript add-in for the Mozilla family of browsers offers protection against some of the worst parts of the exploit.

minus-sign
09-27-2008, 11:42 PM
Read about this on slashdot this week. Disturbing to say the least.

I assume Google Chrome is not immune either, but haven't seen it mentioned.

PrntRhd
09-27-2008, 11:45 PM
The only browsers not affected are text-only ones. Certain unnamed Adobe programs are also affected.
No one really knows if there are active exploits out there using this since the effects are not easily understood at this time.

MJC's recommendation of Firefox with NoScripts is good advice:
http://blogs.zdnet.com/security/?p=1973

awaj
09-28-2008, 12:41 AM
I hope that the exploit is fixed soon, but if someone does get hit by it, how can it be fixed?

PrntRhd
09-28-2008, 12:47 AM
This is an <IFrame> injection vulnerability. You can be infected by hacked popular and trusted sites. The infections can be almost any available malicious code. You click and the content is injected from an outside site instead of the one you are viewing.
I would defer to Budfred and Classicsoftware as to how to clean up the infections resulting from this.

Paul Komski
09-28-2008, 02:56 AM
You can be infected by hacked popular and trusted sites.
Can you expand or reference this particular aspect because that is what would be really worrying rather than an exploit that would only be found on nefarious sites. IFrame vulnerabilities are old hat and this appears (though there is scant specific information to date) to be a sophisticated use of the same.

If you are saying that normally trusted sites are being hacked, that needs elaboration because one needs to know what to avoid. Unless the webhost itself was hacked it would seem an unlikely scenario, since that would be the only way to alter the DHTML (in the main being scripts of one sort or another). On Content Management Systems, Blogs and Bulletin Boards this would surely only be possible if the provider allowed posters to insert actual DHTML code, so since the PCGuide does not allow this (or any HTML), are you saying this site could be hacked in this manner?

The "type of infection" would surely be no different than that of clicking on any nefarious link.

PrntRhd
09-28-2008, 03:24 AM
Paul,
It is actually 6 flaws for the same issue:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115700&source=NLT_PM&nlid=8


"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls," Grossman said in an e-mail on Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."

Hansen seconded Grossman's example with one of his own. "Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack."

The researchers will release their findings once the software vendor who asked them to hold off the release gets their software patched (Adobe?)

Paul Komski
09-28-2008, 10:01 PM
I've read up what I can about this issue and can't believe it is, as yet anyway, a serious threat from browsing the majority of trusted sites. It seems to be an extension of a Cross Site Request Forgery (http://en.wikipedia.org/wiki/Cross-site_request_forgery#cite_note-Ristic-1).

There would appear to be some combination of the use of an iframe with some DHTML or DOM event (probably a response to a mouse-over event) in order to navigate away from a trusted to a nefarious site.

Of course if one regularly visits nefarious sites, notably warez and porn sites, then that's your own lookout as far as I am concerned.

I'm open to correction but I can't see any way for peeps to craft any really malevolent url or img tags on this BB since they are always parsed into BB tags. A url could be hidden in the BB tags but should be visible in the status bar. Admittedly image requests from third party sites could trip a cookie from a specific user - but it would have to be that specific and it would be necessary to know that that peep used the particular (and vulnerable) 3rd party site to be included in the forgery.

I think that one would be safe from this potential vulnerability (on trusted sites) if one uses Firefox with NoScripts and with all Plugin Options checked in the NoScripts own Options dialogs - in particular including the iframe option. Anyone that is particularly paranoid should always log out of any sensitive sites that one is a member of - a good practice in any case.

George Hallam
09-29-2008, 09:58 AM
OK, I don't usually get involved in these threads (I don't know much) but this sounds serious.

So I have done this in NoScripts:
http://i289.photobucket.com/albums/ll221/jiggyghallam/Untitled.jpg

That should be OK, yes?

So what can this infection actually do? And what are the taboo things to click on to get it?

Also what is an <IFrame> :rolleyes:

mjc
09-29-2008, 10:28 AM
So what can this infection actually do? And what are the taboo things to click on to get it?


Well, first this isn't really an infection...it is a gaping hole in all browsers that can lead to an infection. No user action involved.

With the right code in place, clicking on anything can lead to any kind of infection...the hole allows a third party to intercept and redirect clicks...and from what I understand of the available information, to do so invisibly and still allow the original, intended click to go through (<--really scary)...it is kind of like a keylogger for mouse clicks. Plus, the hole can also allow code to run that with full scripting, will actually perform a click.

Imagine this scenario...you arrive at your favorite game site...and somewhere along the line it has been 'injected'. You click on the log in button...but because of the 'clickjacking injection', your password is now going to a server controlled by someone other than the games site...it will probably go to the games site too...

Or, the login button can actually start a download...or lead to a nicely crafted window that will actually make you agree to a download (typical 'need a codec' for this content type thing)...

The most obvious use for this vulnerability is data interception/theft and not actual infections, because with the tightening of general security, it is harder to do 'stealth' infections these days...especially on the latest browsers/OS.

PrntRhd
09-29-2008, 10:44 AM
George Hallam:
that should be ok yes?
Yes, that will make you 99% safe per two sources quoted in the links on the vulnerability.

The vulnerability has been around for quite a while, giving the really bad guys time to use it, that is why mjc described it as zero-day. We don't know if it has been actually used in an exploit but once any vulnerability has become public it is certain to be tested to develop new attack vectors.
It is very stealthy; if it had been used, you would have to be monitoring the source information of every single page to detect this.

mjc
09-29-2008, 11:03 AM
I'd say that chances are very good that some form of exploit for this has been around and in the wild...it would explain a number of the mystery/"I don't know how I caught" type infections, it just wasn't called this.

Now it has a name and the full extent of what can be done by exploiting this vulnerability is becoming known...it is no longer a 'mystery' attack vector and infections that can use it can now be fought...as soon as the patches are made.

PrntRhd
09-29-2008, 11:12 AM
Agreed; the really good bad guys usually don't brag about their successes, they only get caught if they get greedy.

Paul Komski
09-29-2008, 11:24 AM
I wouldn't get too paranoid just yet. The discoverers of the vulnerability haven't yet released exactly how it's done and no doubt there will be patches or upgrades developed to overcome it when they do.

If you want to get a feel of what IFrames are then copy and paste the following code into Notepad and save it as something.htm

<html><head><title>IFrame Demo 1</title>
</head><body><h3>Hello inquisitive ones, here is an
Iframe that leads to Google. You can use
it and its buttons just as normally but it is all taking place as a
"window" through this web page where this text appears.</h3>
<p><iframe src="http://www.google.com" height="400"
width="100%"></iframe></p>
<h3>And here is another one that goes to the PCGuide Forums. It
has had its
frame made invisible just so that you can see how an iframe could be
there but not immediately obvious if well crafted.</h3>
<p><iframe src="http://www.pcguide.com/vb"
frameborder="0" height="300" width="80%"></iframe></p>
</body></html>

Now the point is that one can be browsing a page in one location but with (visible or invisible) windows that cross domains to other sites. I have had to paste this as code because I cannot insert the meaningful HTML code (only vB bulletin board code) in a post. The BB software just won't parse it into source code for users to be affected by.

As far as I know the only way to get such code onto these forums would be to crack into the Pair's hosting area and modify the BB code there - not an easy prospect here.

Distant Image tags are a little different because in order to render them a request has to be made to the distant site. If you are really really paranoid then debar third party images into the bargain - but I'm sure this is not really necessary at this time.
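Paul's demo shows framing from the page author's side: a page on one domain can embed another site's page, and the frame can be made invisible. The complementary check, from the defender's side, is whether a site's own responses tell the browser not to be framed. The following is an added example, not code from this thread or from NoScript; it uses the two server-side defences that browsers shipped after this discussion took place (the X-Frame-Options header and the CSP frame-ancestors directive) and audits a set of constructed sample responses for a fictitious site at https://bank.example against a fictitious framer at https://evil.example. Header names are assumed to be lowercased, as Node's http module delivers them.

```javascript
// Added example (not from the thread): audit response headers for clickjacking
// protection. A page with neither an effective X-Frame-Options value nor a CSP
// frame-ancestors directive can be loaded in an <iframe> by any site.

function parseFrameAncestors(cspValue) {
  // Returns the frame-ancestors source expressions, or null if the directive is absent.
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function sourceMatches(expr, framerOrigin, pageOrigin) {
  // Subset of CSP source matching that is enough for whole origins:
  // 'none', '*', 'self', a bare scheme (https:), an exact origin, or https://*.host.
  if (expr === "none") return false;
  if (expr === "*") return true;
  if (expr === "self") return framerOrigin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return framerOrigin.startsWith(expr + "//");
  if (expr.includes("://*.")) {
    const [scheme, hostSuffix] = expr.split("://*.");
    return framerOrigin.startsWith(scheme + "://") && framerOrigin.endsWith("." + hostSuffix);
  }
  return expr === framerOrigin;
}

function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = headers["content-security-policy"];
  if (csp !== undefined) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors !== null) {
      return ancestors.some((e) => sourceMatches(e, framerOrigin, pageOrigin));
    }
  }
  const xfo = headers["x-frame-options"];
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // Any other value (ALLOW-FROM, misspellings) is ignored by current browsers,
    // so it gives no protection.
  }
  return true; // no effective policy: any site may frame the page
}

// Constructed sample responses (origins and paths are made up for this example).
const PAGE_ORIGIN = "https://bank.example";
const ATTACKER_ORIGIN = "https://evil.example";
const SAMPLE_RESPONSES = {
  "/transfer (unprotected)": {},
  "/transfer (X-Frame-Options)": { "x-frame-options": "DENY" },
  "/widget (CSP, partners only)": {
    "content-security-policy":
      "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
  "/legacy (misspelled value)": { "x-frame-options": "SAME-ORIGIN" },
};

function auditResponses(responses, pageOrigin, attackerOrigin) {
  // Returns the paths that a third-party site could still load inside a frame.
  return Object.keys(responses).filter((path) =>
    canBeFramedBy(responses[path], attackerOrigin, pageOrigin)
  );
}

console.log("Frameable by a third party:",
  auditResponses(SAMPLE_RESPONSES, PAGE_ORIGIN, ATTACKER_ORIGIN));
```

The misspelled "SAME-ORIGIN" case is the one worth remembering: a header that is present but not one of the recognised values is silently ignored, so an audit has to check the value, not merely that the header exists. On a real site the headers would come from an HTTP client rather than the constructed table here.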

George Hallam
09-29-2008, 11:48 AM
My NoScripts blocked it :p

Thanks for the info guys.

mjc
10-09-2008, 03:14 PM
A couple of updates on this..

http://www.eweek.com/c/a/Security/Adobe-Releases-Clickjacking-Advisory-as-Demo-of-Vulnerability-Circulates/

http://www.microsoft-watch.com/content/security/microsoft_weighs_in_on_clickjacking.html?kc=MWRSS02129TX1K0000535

jlreich
10-09-2008, 10:01 PM
Glad to see NoScript has been trying to keep up with it. Although there seems to be some debate if XSS has anything to really do with it or not.

hockey man
10-09-2008, 11:15 PM
NoScripts is amazing. I just made sure all my PCs have it and I am good to go. It will be interesting to see who gets a patch out first, MS or FF lol.

PrntRhd
10-09-2008, 11:39 PM
As to Adobe's advice on Flash, if you also use CCleaner, change the CCleaner applications default to keep from erasing the Flash settings since any changes to secure your Flash may be changed back when using the CCleaner program. A little annoying but necessary to keep the more secure settings in place.

mjc
10-10-2008, 12:12 AM
I've pretty much out of habit always disabled those settings...

Budfred
10-10-2008, 07:51 AM
I use FlashBlock in Firefox to block running Flash without permission... With NoScripts, FlashBlock and AdBlock all running, it can be a hassle going to a site like YouTube, but it is also much safer...

mjc
10-12-2008, 12:28 AM
Another update...

http://www.pcworld.com/businesscenter/article/152088/firefox_addon_blocks_clickjacking_attacks.html

PrntRhd
10-12-2008, 01:19 AM
I am running NoScripts v1.8.2.4 and it is a beautiful thing.
:)

Fred_Flintstone
10-12-2008, 05:11 AM
I am running NoScripts v1.8.2.4 and it is a beautiful thing.
:)

Try v1.8.2.8, just updated mine!..:cool:

Fred..

PrntRhd
10-12-2008, 01:15 PM
Now there are two checkboxes for blocking <IFrame> and one for ClearClick.

Mini-Me
10-12-2008, 10:38 PM
@ George Hallam - Nice new Avatar!
:)

Where can I download NoScripts?
Will net-search for it now...

Found it: www.noscript.net

Budfred
10-12-2008, 10:47 PM
If you have Firefox, you can just use Tools - Add-ons to have it search... If you select "See All Recommended Add-ons" under Get Add-ons, it is always on the list...

mjc
10-13-2008, 06:10 PM
And more updates...

http://www.realtechnews.com/posts/6109

Mini-Me
10-13-2008, 08:21 PM
If you have Firefox, you can just use Tools - Add-ons to have it search... If you select "See All Recommended Add-ons" under Get Add-ons, it is always on the list...

Cool - that sounds like the easiest method.

Mini-Me
10-13-2008, 08:27 PM
From the link mjc posted:

Aharonovsky’s demonstration used clickjacking tactics to reset Adobe’s Flash privacy settings, and turn on the computer’s webcam and microphone for remote spying. Serious stuff.

I always thought this might be possible, but this is the first time I have actually read about it being possible. When I'm finished with my webcam, I always put a strip of black insulation tape across the lens and microphone hole, so that if you activate the camera, it sees nothing but a black background, and the mic is so muffled that you can't really understand what is being said.

Paranoia?
Perhaps, but it would seem that hijacking people's webcams to spy on them when they don't even know it is something that can be done, makes the little bit of black tape worthwhile.

...or you could just unplug the camera...(but that doesn't really work for those people with laptops with built-in cameras)

Mini-Me
10-13-2008, 09:53 PM
Not sure I like NoScripts - it won't let you do anything. My web-mail won't work properly, attachments are disabled and other things irk me about it. I have disabled it for the moment, as I can't send an e-mail with photos to my sister, cos it keeps saying that the yahoo attachment server is trying to do something dangerous. I tried to save a draft of the e-mail, and NoScripts won't let me do that either, and I had to disable then restart Firefox, at which point I find out that the draft copy has not been saved thanks to NoScripts. Not really that impressed - feels like the "Cancel or Allow" thing in Vista. There can be such a thing as too much security...

mjc
10-13-2008, 10:25 PM
You can 'whitelist' sites that you feel fairly confident in using...just click on the little S with the red 'blocked' symbol on it and "Allow" yahoo (there are a couple of subdomains that need to be allowed too, for Yahoo to work properly).

But for the most part, the sites that aren't 'allowed' are best left that way...YouTube is another one that needs to be allowed or you won't get anything.

Budfred
10-13-2008, 10:50 PM
You can actually Right Click anywhere on a page and it will offer the NoScripts options in the dropdown... I don't have any blocking on the originating sites that I use a lot, like here... I do hassle with several options when I visit YouTube or something like that... However, it has protected me enough to make it more than worthwhile...

PrntRhd
10-15-2008, 10:41 AM
Update,
Adobe has released a Beta of Flash 10:
http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_03.html

The new version allows client side control to mitigate clipboard attacks. Web pages may have to be modified to adjust to the new software. (Read Local Save and Load)

George Hallam
10-15-2008, 02:40 PM
@ George Hallam - Nice new Avatar!
:)

Cheers lol, I like to keep them festive ;)

Mini-Me
10-15-2008, 05:54 PM
You can 'whitelist' sites that you feel fairly confident in using...just click on the little S with the red 'blocked' symbol on it and "Allow" yahoo (there are a couple of subdomains that need to be allowed too, for Yahoo to work properly).

But for the most part, the sites that aren't 'allowed' are best left that way...YouTube is another one that needs to be allowed or you won't get anything.

Perhaps I'll give it another go - got mad with the e-mail problem it created...