Firefox Plug-In Updated To Fight Clickjacking Attacks (NewsFactor)
Jennifer LeClaire, newsfactor.com 14 minutes ago
Mozilla is doing its part in the battle against clickjacking. The open-source company is offering an updated plug-in for the Firefox browser that blocks what security researchers call one of the most dangerous problems on the Web.
Clickjacking occurs when a person browsing a Web site clicks on an invisible link that leads them to a malicious site without their knowledge. Some never realize it even happened. A design feature in HTML that lets Web sites embed content from other sites makes it possible, which means nearly everybody is vulnerable.
The Firefox add-on, NoScript, is a well-known security plug-in used to block all sorts of content types within Web pages. It is not a security scanner: it does not compare content against a signature database to look for specific known threats. Rather, it is a tool that lets you block certain types of content. An update to NoScript includes a feature dubbed ClearClick to combat clickjacking.
Combating Clickjacking
According to Fraser Howard, principal malware researcher at SophosLabs, the new feature in NoScript is specifically designed to combat the user-interface redress attacks known as clickjacking and should help. However, there is a potential downside.
"Enabling the feature will result in some degree of false positives," Howard warned. "This is not a criticism of the product; more a reminder that given the widespread legitimate use of similar techniques, some false positives are inevitable."
Of course, the NoScript add-on alone isn't enough to solve the problem. That's because it only covers Firefox. The other 70 percent of the browser market is still open to clickjacking.
"User discretion is still an important factor in the defense against these attacks, just like any other," Howard said. "The usual common-sense guidelines apply to this, just like other forms of malicious Web attack."
More Fixes Expected
Security researchers expect other browsers to follow Mozilla and release some form of defense against clickjacking. In fact, Howard said some may already have this built in, though Mozilla has so far been the only one to announce it in the wake of the recent alerts about user-interface redress attacks.
"The problem is doing this without breaking sites and Web applications we have come to rely on," said Howard, noting that defending against clickjacking is a complex problem. "There is no silver bullet."
Web applications could also be targeted. Howard noted proof of concept demos he's conducted that abuse the Web page Adobe uses to administer a user's Flash security settings. In one proof of concept called "the clicking game," victims are encouraged to click in the right places to reconfigure the security settings that allow access to a Webcam or microphone.
In a similar way, Howard said, imagine an attack that woos victims to click on the necessary objects within their favorite Webmail application to delete all their mail. There are numerous ways to envisage an attack targeting an application you are already authenticated to when you happen across a malicious page, he noted.
"The owners of those applications can take steps to eliminate or minimize risk. For example, Adobe added a simple block of JavaScript to prevent a site being able to frame in their security settings config page," Howard said. "Other fixes could be to ensure there are additional steps, such as a CAPTCHA [distorted image] or password, involved in any actions that are potentially dangerous."
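The "simple block of JavaScript" Howard refers to is the classic frame-busting check: a sensitive page inspects whether it is the top-level document and, if not, refuses to render and tries to break out of the frame. The following is an added illustration written for this article, not Adobe's or NoScript's code. The decision logic is kept in plain functions that take a window-like object, so it can be exercised outside a browser with constructed stand-ins; the `navigate` and `hide` callbacks are assumed names for what a real page would do with `top.location = self.location` and `document.body.style.display = 'none'`.

```javascript
// Added example (not from the article, Adobe or NoScript): frame-busting logic
// a sensitive page such as a settings manager could run on load so it is not
// displayed inside another site's iframe.

// Returns true when `win` is being displayed inside a frame of another document.
// `win.top` and `win.self` mirror the real browser properties; in a top-level
// document they refer to the same window object.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Some browsers throw on cross-origin access to win.top; fail closed and
    // treat any error as "framed".
    return true;
  }
}

// Policy applied on page load. Returns the action taken so it can be checked
// without a DOM. `hide` runs first so that a delayed or blocked navigation
// never leaves a clickable UI behind; `navigate` then attempts the break-out.
// (Both callbacks are assumed helpers for illustration; see the lead-in.)
function applyFrameBusting(win, { navigate, hide }) {
  if (!isFramed(win)) {
    return 'rendered';
  }
  hide();
  try {
    navigate(win.self.location.href);
  } catch (e) {
    // Navigation refused (e.g. by a sandboxed frame): the page stays hidden.
    return 'hidden-only';
  }
  return 'busted';
}

// Constructed stand-in for a top-level window: top and self are the same object.
function makeTopLevelWindow() {
  const w = { location: { href: 'https://settings.example/manager' } };
  w.self = w;
  w.top = w;
  return w;
}

// Constructed stand-in for the same page loaded inside another site's frame.
function makeFramedWindow() {
  const parentWin = { location: { href: 'https://other-site.example/page' } };
  const w = { location: { href: 'https://settings.example/manager' } };
  w.self = w;
  w.top = parentWin;
  return w;
}

// Stand-alone demonstration of both situations.
function demo() {
  const results = {};
  for (const [name, win] of [['top-level', makeTopLevelWindow()], ['framed', makeFramedWindow()]]) {
    results[name] = applyFrameBusting(win, {
      navigate: (url) => { results[name + '-navigate'] = url; },
      hide: () => { results[name + '-hidden'] = true; },
    });
  }
  return results;
}
```

In a browser the whole check is a few lines at the top of the page's `<head>`; the structure above simply separates the decision from the side effects so it can be tested. Script-based frame busting is best-effort, which is one reason Howard calls this a complex problem: it depends on JavaScript running in the framed document, and later practice moved the decision to the server with the `X-Frame-Options` header and the CSP `frame-ancestors` directive, which the browser enforces before the page renders. The false-positive caveat Howard raises applies here too: any page that legitimately expects to be embedded must be excluded from such a policy.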