Friday, September 26, 2008

New clickjacking affects all browsers; cause remains unknown

Clickjacking isn't a new attack vector, but according to Grossman and Hansen, it's one that is "severely underappreciated and largely undefended." What makes the attack noteworthy, in this case, is that it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konquerer, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web. The only browsers currently immune to whatever it is the two men discovered are text-based products, such as Lynx. ... Turning Javascript off is apparently useless—the attack doesn't use it. Instead, it takes advantage of what the two call a "fundamental flaw" inherent to all modern browsers, and an issue that cannot be fixed with a quick patch. Using a frame buster script will protect a person from assaults that utilize cross-domain scripting, but will not prevent the attack from operating normally if it's on a page the user is visiting. - atech

No comments: