Security experts recently warned that a newly discovered cross-browser vulnerability poses serious security problems affecting all mainstream desktop platforms, including IE, Firefox, Safari, Opera and Adobe Flash.
This security threat, called clickjacking, was originally to be announced at the OWASP NYC AppSec 2008 conference, but vendors including Adobe asked that the vulnerability not be disclosed until they had developed a security patch.
The vulnerability was discovered by two security researchers, Robert Hansen and Jeremiah Grossman. They have withheld some information, which shows the severity of the security threat.
What is clickjacking?
The two researchers said that what they had discovered is no small problem; in fact, it is very serious. They had to act responsibly before disclosing the information. At least two vendors have already said they will provide patches, but no date has been fixed. At present, we are discussing this issue only with a limited number of vendors, so the issue is very serious.
According to those who took part in a semi-open demonstration at OWASP, this vulnerability is urgent, affects all browsers, and has nothing to do with JavaScript:
- In general, when you access a malicious website, attackers can control the access to some links in your browser. This vulnerability affects almost all browsers unless you use the Lynx character browser. This vulnerability has nothing to do with JavaScript; even turning off the browser's JavaScript function is powerless against it. In fact, this is a defect in the working principle of the browser and cannot be solved through simple patches. A malicious website can make you click any link, any button, or anything on a website without your knowledge.
If this does not cause you to panic, consider the situation where a user is unaware and helpless when being attacked:
- For example, on eBay, JavaScript can be embedded. Although the attack does not require JavaScript, it makes the attack easier. Only the Lynx character browser, which has no dynamic features, can protect you. This vulnerability uses DHTML. Anti-frame code can protect you from cross-site attacks, but attackers can still force you to click any link. Any clicks you make are directed to malicious links, so those Flash games will bear the brunt.
According to Hansen, they have talked about this issue with Microsoft and Mozilla. However, both said this is a very tricky issue and there is no simple solution at present.
Grossman indicated that Microsoft's newest IE8 and Mozilla's newest Firefox 3 are not spared.
- Currently, the only way to protect yourself is to disable the script and plug-in functions of the browser.
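The anti-frame code mentioned in the quote above, sketched as an added example (not code from the original article or from the researchers): the page is served hidden and reveals itself only when it is the top-level window, so it also stays unclickable inside a frame when scripting is disabled. As the quote notes, this only addresses cross-site framing. The function names, the `fakeWindow`/`fakeDocument` stand-ins and the example URLs are assumptions made for the illustration.

```javascript
// Added example: fail-closed anti-frame logic for a page that must not be framed.
// Assumption: the page is served with <html style="display:none">, so it is
// invisible and unclickable until this script explicitly reveals it.

// True when this window is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true; // cannot inspect the parent: treat as framed
  }
}

// Reveal the page only when it is the top-level window; otherwise keep it
// hidden and try to replace the framing page with this one.
function guardAgainstFraming(win, doc) {
  if (isFramed(win)) {
    try {
      win.top.location = win.self.location.href;
    } catch (e) {
      // The framing page blocked navigation; the page simply stays hidden.
    }
    return "hidden";
  }
  doc.documentElement.style.display = "block";
  return "visible";
}

// Constructed stand-ins for browser objects so the logic runs outside a browser.
function fakeWindow(framed) {
  const win = { location: { href: "https://shop.example/checkout" } };
  win.self = win;
  win.top = framed ? { location: "https://other-site.example/game" } : win;
  return win;
}

function fakeDocument() {
  return { documentElement: { style: { display: "none" } } };
}

// In a real page this runs as the first script in <head>.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  guardAgainstFraming(window, document);
}
```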
http://blogs.zdnet.com/security?p=1972
Source: comsharp CMS official website