Clickjacking: The latest cross-browser attack vulnerability caused panic

Source: Internet
Author: User

News source: zdnet.com (CnBeta)
Security experts recently issued a warning that a newly discovered cross-browser attack vulnerability will cause terrible security issues that affect all mainstream desktop platforms, including IE, Firefox, Safari, opera and Adobe Flash. This security threat, called Clickjacking, was originally announced at the owasp nyc AppSec 2008 conference,Vendor requests, including AdobeDo not disclose the vulnerability until they release security patches.
Two security research experts, Robert Hansen and Jeremiah Grossman, discovered this vulnerability.One pointRelatedInformationTo display the severity of the security threat.

What is Clickjacking?

The two research experts said they had discovered no small problems. In fact, they were very serious. They had to take responsibility before disclosing the information, at least two vendors have already said they will provide patches, but the date is not fixed. At present, we only discuss this issue with a limited number of manufacturers, so the issue is very serious.

According to those who have participated in the semi-open demonstration in OWASP,This vulnerability is urgent.Will affect all browsers, and it has nothing to do with JavaScript:

  • In general, when you access a malicious website, attackers can control the access to some links in your browser. This vulnerability affects almost all browsers unless you use character browsers like lynx. This vulnerability has nothing to do with JavaScript. You can do nothing even if you disable the JavaScript function of your browser. In fact, this is a defect in the working principle of the browser and cannot be solved through simple patches. A malicious website allows you to click any link and click any button or anything on the website without knowing it.

    If this does not cause you to panic, consider the situation where a user is unaware and helpless when being attacked:

  • For example, on Ebay, JavaScript can be embedded. Although the attack does not require JavaScript, it makes the attack easier. Only the lynx character browser can protect yourself without dynamic content. This vulnerability uses DHTML. Anti-frame code can protect you from cross-site attacks, but attackers can still force you to click any link. Any clicks you make are directed to malicious links, so those Flash games will bear the brunt.

    According to Hansen, they have talked about this issue with Microsoft and Mozilla. However, they all said this is a very tricky issue and there is no simple solution at present.

    Grossman indicates that Microsoft's newest IE8 and Mozilla's newest Firefox 3 are not spared.

  • Currently, the only way is to disable the script and plug-in functions of the browser.

    Read more

  • Adobe Flash ads launching clipboard hijack attack
  • Firefox + NoScript vs Clickjacking

    International Source:Http://blogs.zdnet.com/security? P = 1972
    Chinese Translation:COMSHARP CMS

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.