Vuln. Alert: Browser 'Clickjacking'

[Ehtyar]

A vulnerability has been discovered that allegedly allows an attack to misrepresent the destination of a link on their website in order to lead the reader to a destination of the attackers choice. The details are thus far being withheld at the behest of Adobe.

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

Full Story

Ehtyar.

[Stoic Joker]

Anybody else get the impression that this is more of an Adobe issue, than a browser issue?

[Ehtyar]

Anybody else get the impression that this is more of an Adobe issue, than a browser issue?

-Stoic Joker (September 17, 2008, 11:09 AM)

Yes indeed. Though sensationalism is getting out of hand if they're using the phrase "affecting anyone who uses a browser to surf the web" when they're actually referring to adobe reader.

Ehtyar.

[app103]

Unless they are referring to flash, then it would involve both Adobe and almost every browser.

[Ehtyar]

Oh doi! *headdesk*

Ehtyar.

[hamradio]

My thoughts was they could be saying it is because if you use Adobe PDF Reader and the browser plugin...then it would be in every browser because of it. Not sure tho but thats my 2 cents.

[Stoic Joker]

Anybody else get the impression that this is more of an Adobe issue, than a browser issue?

-Stoic Joker (September 17, 2008, 11:09 AM)

Yes indeed. Though sensationalism is getting out of hand if they're using the phrase "affecting anyone who uses a browser to surf the web" when they're actually referring to adobe reader.

Ehtyar.

-Ehtyar (September 17, 2008, 03:40 PM)

I'm thinking maybe we jumbed the gun on calling this poo. I ran across the following articles that while not directly related, does seem to depict the type of exploits available using this attack surface.

http://searchsecurit..._gci1324395,00.html#

Refers to:

http://taossa.com.ny...protection-bypasses/

Which contains the paper:

http://taossa.com/ar.../bh08sotirovdowd.pdf

Which was a bit over my head in spots, but the parts I could follow are quite troubling. It seems that ALSR, DEP, & NX can all be somewhat bypassed using techniques outlined in this article.

Thoughts?

[Ehtyar]

All about active content. If I thought the average user even knew what that term meant I'd say NoScript should be compulsory for every browser user. Alas that won't be happening, and users who continue to ignore online threats will continue to be bit by them, and I'll have news like this to report each week.

Ehtyar.

[cmpm]

Well these folks have to come up with something to keep them having a job!

They were ready to make the 'exploit' public in their own way.
Funny, adobe knew about it.

[Stoic Joker]

Actually it looks like Sun (Java) boned it worse than Adobe (acrobat & Flash).

Sure killing all scripting works, but it's throwing the baby out with the bath water ... There has got to be a balance point somewhere.  I was actually hoping for a bit more detailed discussion about the exploit.

[Ehtyar]

Why is killing all scripts throwing the baby out with the bathwater (assuming of course the end user has the sense to enable scripting they trust)?
The article is specifically about the lack of info. regarding the exploit. It is unlikely we will get details until adobe has had their way with it.

Ehtyar.

[Stoic Joker]

Scripting in all its forms is far to prevalent, fueled by the need to pack more Wow into every page for a typical end user to be able to sort through what is and what is not OK. Compounded by the simple fact that "Bad Sites" are next to impossible to identify until after the fact. Sure some are obvious, but others (well intending but poorly secured servers) are much harder to spot until it's too late.

What Article? The one you started this thread with, or the one (paper link) I add above? The paper link I add above goes into great (memory stack & code level) detail on exactly what is being done with the popular browser plug-ins to bypass the various security mechanisms. It also includes some registry hacks which will help to mitigate the threat. <-That and other options are what I was hoping to have a discussion about.

[Ehtyar]

The article I referred to is about the fact that details of the vulnerability will not be released to the public at the moment.
Your article, while a very educational read, is very general in its details and is not specifically related to the "clickjacking" vulnerability specifically.
I fail to see the downside of NoScript + Firefox, it works very well for me
What would you like to discuss about the registry hacks?

Ehtyar.