topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Wednesday November 13, 2024, 8:12 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Vuln. Alert: Browser 'Clickjacking'  (Read 11924 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Vuln. Alert: Browser 'Clickjacking'
« on: September 17, 2008, 03:47 AM »
A vulnerability has been discovered that allegedly allows an attack to misrepresent the destination of a link on their website in order to lead the reader to a destination of the attackers choice. The details are thus far being withheld at the behest of Adobe.

Screenshot - 17_09_2008 , 6_44_43 PM_thumb.png


In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

Full Story

Ehtyar.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #1 on: September 17, 2008, 11:09 AM »
Anybody else get the impression that this is more of an Adobe issue, than a browser issue?

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #2 on: September 17, 2008, 03:40 PM »
Anybody else get the impression that this is more of an Adobe issue, than a browser issue?
Yes indeed. Though sensationalism is getting out of hand if they're using the phrase "affecting anyone who uses a browser to surf the web" when they're actually referring to adobe reader.

Ehtyar.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #3 on: September 18, 2008, 08:07 AM »
Unless they are referring to flash, then it would involve both Adobe and almost every browser.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #4 on: September 18, 2008, 08:24 AM »
Oh doi! *headdesk*

Ehtyar.

hamradio

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 883
  • Amateur Radio Guy
    • View Profile
    • HamRadioUSA.net
    • Read more about this member.
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #5 on: September 18, 2008, 12:56 PM »
My thoughts was they could be saying it is because if you use Adobe PDF Reader and the browser plugin...then it would be in every browser because of it. Not sure tho but thats my 2 cents.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #6 on: September 21, 2008, 09:22 AM »
Anybody else get the impression that this is more of an Adobe issue, than a browser issue?
Yes indeed. Though sensationalism is getting out of hand if they're using the phrase "affecting anyone who uses a browser to surf the web" when they're actually referring to adobe reader.

Ehtyar.
I'm thinking maybe we jumbed the gun on calling this poo. I ran across the following articles that while not directly related, does seem to depict the type of exploits available using this attack surface.

http://searchsecurit..._gci1324395,00.html#

Refers to:

http://taossa.com.ny...protection-bypasses/

Which contains the paper:

http://taossa.com/ar.../bh08sotirovdowd.pdf

Which was a bit over my head in spots, but the parts I could follow are quite troubling. It seems that ALSR, DEP, & NX can all be somewhat bypassed using techniques outlined in this article.

Thoughts?

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #7 on: September 21, 2008, 04:00 PM »
All about active content. If I thought the average user even knew what that term meant I'd say NoScript should be compulsory for every browser user. Alas that won't be happening, and users who continue to ignore online threats will continue to be bit by them, and I'll have news like this to report each week.

Ehtyar.

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #8 on: September 21, 2008, 04:33 PM »
Well these folks have to come up with something to keep them having a job!

They were ready to make the 'exploit' public in their own way.
Funny, adobe knew about it.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #9 on: September 21, 2008, 09:42 PM »
Actually it looks like Sun (Java) boned it worse than Adobe (acrobat & Flash).

Sure killing all scripting works, but it's throwing the baby out with the bath water ... There has got to be a balance point somewhere.  I was actually hoping for a bit more detailed discussion about the exploit.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #10 on: September 22, 2008, 12:37 AM »
Why is killing all scripts throwing the baby out with the bathwater (assuming of course the end user has the sense to enable scripting they trust)?
The article is specifically about the lack of info. regarding the exploit. It is unlikely we will get details until adobe has had their way with it.

Ehtyar.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #11 on: September 23, 2008, 05:31 AM »
Scripting in all its forms is far to prevalent, fueled by the need to pack more Wow into every page for a typical end user to be able to sort through what is and what is not OK. Compounded by the simple fact that "Bad Sites" are next to impossible to identify until after the fact. Sure some are obvious, but others (well intending but poorly secured servers) are much harder to spot until it's too late.

What Article? The one you started this thread with, or the one (paper link) I add above? The paper link I add above goes into great (memory stack & code level) detail on exactly what is being done with the popular browser plug-ins to bypass the various security mechanisms. It also includes some registry hacks which will help to mitigate the threat. <-That and other options are what I was hoping to have a discussion about.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Vuln. Alert: Browser 'Clickjacking'
« Reply #12 on: September 23, 2008, 04:15 PM »
The article I referred to is about the fact that details of the vulnerability will not be released to the public at the moment.
Your article, while a very educational read, is very general in its details and is not specifically related to the "clickjacking" vulnerability specifically.
I fail to see the downside of NoScript + Firefox, it works very well for me :)
What would you like to discuss about the registry hacks?

Ehtyar.