Thursday, September 25, 2008

Clickjacking - Multi-Browser Exploit

Further to and more serious than the reports in August regarding hijacked clipboards by Flash banner ads and used in rogue security software attacks, clickjacking effects Microsoft Internet Explorer (including IE8 Beta), Mozilla Firefox, Apple Safari, Opera as well as Adobe Flash. As quoted in an article at ZDNet by Ryan Naraine explaining clickjacking:
"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."
Users of Firefox do have a safety net with the NoScript add-on. With NoScript, you allow active content to run only from sites you trust.

Users of WinPatrol can help mitigate the effects of the clipboard hijacks by disabling Adobe Shockwave Flash with the ActiveX control in WinPatrol. (See WinPatrol 2008 introduced in its 10th year). To see how simple it is, just follow the illustrations I provided here, use the settings listed below and select disable for Shockwave Flash:
  • Only view ActiveX controls used by Internet Explorer
  • Toggle non-Microsoft ActiveX controls on/off.

References:



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: