New Browser Vulnerabilities - “Clickjacking” - Pose Fresh Web Threats

Security researchers warned on September 26, 2008 that a recently identified category of vulnerabilities named "clickjacking" could put users at risk while they are surfing with any major browser. For instance, the security flaw could affect Microsoft's Internet Explorer, Apple's Safari, Mozilla's Firefox, Google's Chrome, and Opera, and no patch is available for it.

US-CERT was the first agency to warn against the clickjacking method. Security specialists state that in clickjacking attacks, the attacker gets the victim to click on a malicious link while the user remains unaware of it.

According to Jeremiah Grossman, Founder and CTO of WhiteHat Security, US-CERT, clickjacking enables an attacker to deceive a user into double-clicking on something that is scarcely or temporarily noticeable. Thus, if an end-user opens a Web page, he may be clicking on something malicious from a different page, as reported by InformationWeek on September 26, 2008.

Furthermore, people have been aware of this kind of attack for years, but it had never been regarded as particularly dangerous. Security specialists had thought that it could be employed to commit 'click fraud', or to inflate 'Digg' ratings pertaining to an Internet page.

According to Robert Hansen, Founder and CEO of SecTheory LLC, and one of the two security researchers who talked in detail about the bug at OWASP AppSec 2008 on September 24, 2008, although the clickjacking issue has been linked to browsers, it is far more severe, as reported by ComputerWorld on September 26, 2008.

Hansen further stated that clickjacking resembled 'cross-site request forgery', a known security flaw and attack, also denoted as CSRF or referred to as "sidejacking". However, clickjacking is a different problem from the one that the existing anti-CSRF security provisions packaged with browsers, Web applications and sites deal with.

Hansen also noted that the flaw affects nearly everyone at an elevated level. It works quite differently and is associated with many wide-reaching problems, he said. Attackers using the clickjacking technique can trick users into clicking a link where they might fail to get the same users to open a link in JavaScript, Hansen added.
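The distinction drawn above between clickjacking and anti-CSRF provisions can be checked from the defender's side: a response may carry a CSRF token and still be embeddable in another site's frame. The following is an added example, not part of the original article. It classifies a response's framing policy from the `X-Frame-Options` header and the CSP `frame-ancestors` directive, both of which browsers adopted after this report; the function names and sample headers are constructed for illustration.

```python
# Added example: classify a response's anti-framing policy from its headers.
RANK = {"frameable": 0, "allowlist": 1, "same-origin": 2, "blocked": 3}

def _classify_ancestors(sources):
    """Map one frame-ancestors source list to a policy label."""
    sources = [s.lower() for s in sources]
    if not sources or sources == ["'none'"]:
        return "blocked"                      # empty list matches nothing
    if "*" in sources:
        return "frameable"
    if sources == ["'self'"]:
        return "same-origin"
    return "allowlist"

def framing_policy(headers):
    """headers: list of (name, value) pairs. Returns a key of RANK."""
    csp_results, xfo = [], set()
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-security-policy":   # Report-Only is not enforced
            for policy in value.split(","):       # one header may carry several policies
                for directive in policy.split(";"):
                    parts = directive.split()
                    if parts and parts[0].lower() == "frame-ancestors":
                        csp_results.append(_classify_ancestors(parts[1:]))
                        break                     # first occurrence wins within a policy
        elif lname == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
    if csp_results:                # frame-ancestors takes precedence over X-Frame-Options
        return max(csp_results, key=RANK.get)     # report the strictest enforced policy
    if len(xfo) > 1:               # conflicting values: browsers refuse if any is valid
        return "blocked" if xfo & {"deny", "sameorigin", "allowall"} else "frameable"
    if xfo == {"deny"}:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "same-origin"
    return "frameable"             # absent, invalid, or obsolete ALLOW-FROM

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "csrf token only": [("Set-Cookie", "csrftoken=EXAMPLE-TOKEN; Secure; HttpOnly")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "default-src 'self'; frame-ancestors *")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:20} -> {framing_policy(hdrs)}")
```

The "csrf token only" sample is the case the article describes: the anti-CSRF token is present, yet nothing stops the page from being framed.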


» SPAMfighter News - 06-10-2008
