News source: zdnet.com (CnBeta)
Security experts recently warned that a newly discovered cross-browser attack vulnerability will cause serious security problems affecting all mainstream desktop platforms, including IE, Firefox, Safari, Opera and Adobe Flash. This security threat, called Clickjacking, was originally announced at the OWASP NYC AppSec 2008 conference; vendors, including Adobe, have requested that the vulnerability not be disclosed until they release security patches.
Two security researchers, Robert Hansen and Jeremiah Grossman, discovered this vulnerability. They have given a little related information to show the severity of the security threat.
What is Clickjacking?
The two researchers said that what they had discovered is no small problem; in fact, it is very serious. They had to act responsibly before disclosing the information. At least two vendors have already said they will provide patches, but the date is not fixed. At present, the issue is being discussed only with a limited number of vendors, so the issue is very serious.
According to those who attended the semi-open demonstration at OWASP, this vulnerability is urgent, affects all browsers, and has nothing to do with JavaScript:
In general, when you visit a malicious website, attackers can control some of the links your browser accesses. This vulnerability affects almost all browsers, unless you use a text-based browser such as Lynx. It has nothing to do with JavaScript, so disabling JavaScript in your browser does not help. In fact, this is a flaw in the way browsers work and cannot be solved with a simple patch. A malicious website can make you click any link, any button, or anything else on a website without your knowing it. If this does not alarm you, consider the situation of a user who is unaware and helpless while being attacked:
For example, on eBay, JavaScript can be embedded. Although the attack does not require JavaScript, JavaScript makes the attack easier. Only a text-based browser such as Lynx, which has no dynamic content, can protect you. This vulnerability uses DHTML. Anti-frame code can protect you from cross-site attacks, but attackers can still force you to click any link. Any clicks you make are directed to malicious links, so Flash games will bear the brunt. According to Hansen, they have discussed this issue with Microsoft and Mozilla, but both said it is a very tricky problem with no simple solution at present.
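The "anti-frame code" mentioned above, sketched as an added example (not from the original article or from the researchers): the page stays hidden by a style rule until a script confirms it is not loaded inside another site's frame. The element id `antiClickjack` and the function names are assumptions of this example, and, as the article notes, this addresses cross-site framing only.

```javascript
// Added example. Assumes the page ships this rule in <head>, so it is
// hidden by default:
//   <style id="antiClickjack">body { display: none !important; }</style>

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true; // cannot tell: treat as framed
  }
}

// Reveals the page only when it is top-level. Returns true if revealed.
function guardAgainstFraming(win) {
  if (isFramed(win)) {
    try {
      // Ask the browser to replace the framing page with this one.
      win.top.location = win.self.location.href;
    } catch (e) {
      // Navigation refused (for example a sandboxed frame): stay hidden.
    }
    return false;
  }
  const hideRule = win.document.getElementById("antiClickjack");
  if (hideRule) hideRule.remove();
  return true;
}

// In a browser, run the guard as early as possible; under Node this is skipped.
if (typeof window !== "undefined") guardAgainstFraming(window);
```

Because the hiding rule is removed only by the script, a visitor with scripting disabled sees a blank page rather than a framed one.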
Grossman says that Microsoft's newest IE8 and Mozilla's newest Firefox 3 are not spared.
Currently, the only way to protect yourself is to disable the browser's scripting and plug-in functions.
International Source: http://blogs.zdnet.com/security?p=1972
Chinese Translation: COMSHARP CMS