
Beware of Malicious

A month known for receiving lots of "treats," October may turn out to be mostly tricks for web surfers.

A new kind of malicious web activity, known as "clickjacking," has recently been unveiled. The technique tricks web surfers into sharing confidential information on seemingly harmless websites and can take control of a user's webcam or microphone, which can lead to a world of problems for us if we're not cautious.

Clickjacking has been identified as affecting Adobe Flash Player, along with every major web browser, including Internet Explorer, Safari, Firefox, Opera, and even Google's Chrome. Because the creation of a clickjacking site is relatively simple, anyone with basic scripting knowledge can build their own.

Experts warn that "there are literally infinite ways to implement such an attack, therefore no signature-based scanning can detect it automatically." Flash clickjacking is only one of the variants of the problem.

Robert Hansen, CEO of SecTheory, who's been involved in identifying the issue, explained, "Some of it requires cross-domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

Prevention
Adobe has put out a security announcement instructing users how to turn off Flash access to cameras and microphones. The company is also working on a patch for Adobe Flash that should mitigate some of the security vulnerabilities on its side. The patch is intended to be ready by the end of October.

The NoScript Firefox extension was developed in 2006 to provide more protection for Firefox and other Mozilla web browsers. The add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice. This does help with the clickjacking epidemic, but of course only in Mozilla browsers.

While these might be helpful interim fixes, there will not be an immediate solution. That's because the real problem results from features that are critical to the way our modern web functions, such as the way web pages are able to embed content from other sites or host applets (mini-applications) by enabling plugins like Flash, Java, etc. These are now standard features that both users and developers expect, so we may not be open to changing such settings anytime soon.

Unfortunately, to guarantee our protection from such maliciousness, we will have to change our existing web standards. Only then will we possibly see a full resolution.
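
The cross-site embedding described above is something a site owner can restrict for their own pages through HTTP response headers. The following is an added example, not part of the original article: it classifies who may frame a response based on its `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers, two standard mechanisms the article does not mention. The function names and verdict labels are assumptions made for illustration.

```javascript
"use strict";
// Added example (not from the article): classify a response's anti-framing policy.
// Function names and verdict strings are illustrative assumptions.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify who may embed a response: "blocked", "same-origin", "allowlist" or "open".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // An empty source list matches nothing, the same as 'none'.
    if (ancestors.length === 0 || ancestors.join() === "'none'") return "blocked";
    if (ancestors.some((s) => s === "*" || s === "http:" || s === "https:")) return "open";
    if (ancestors.every((s) => s === "'self'")) return "same-origin";
    return "allowlist"; // only the listed origins may frame the page
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // Missing, misspelled, or the obsolete ALLOW-FROM form: no restriction is applied.
  return "open";
}
```

A page that reports "open" can be placed inside an iframe by any other site, which is the condition the iframe and overlay variants quoted earlier depend on.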

For more information on this:
http://news.yahoo.com/s/nf/20081008/bs_nf/62355

http://news.zdnet.co.uk/security/0,1000000189,39500483,00.htm

http://noscript.net/

And remember, if you can't figure it out you can always call the Tech Helpline for further assistance! 866-432-3021
