|
|
|
From IE 8 to Google Chrome, Keep an Eye on Clickjacking
By: Brian Prince
2009-01-29
Article Rating: / 15
There are 2 user comments on this Network Security & Hardware story.
First Microsoft touts clickjacking protections in Internet Explorer 8, then a security researcher releases a proof of concept for a clickjacking attack targeting the Google Chrome Web browser. Clickjacking, some say, remains an issue that will require cooperation in the security community.Clickjacking is not going away.
The same week Microsoft announced on Jan. 26 it had put protections
against clickjacking in Internet Explorer 8, security researcher Aditya Sood
posted on BugTraq on Jan. 29 a new clickjacking advisory for
the Google Chrome browser, with a link to a proof of concept.
Officials at Google said they are aware of the issue, which affects Chrome
versions 1.0.154.43 and earlier. So far, Google says it has not seen any
attempts to exploit this vulnerability in the wild. Though the posted advisory
only mentions Google Chrome, there are reports that the same vulnerability
affects Mozilla's Firefox 3.0.5 as wellthough this can
be mitigated by using the ClearClick anti-clickjacking feature contained in the
NoScript plug-in for Firefox.
Internet Explorer 7 does not seem to be affected by Sood's method.
Still, clickjacking has affected all the major browsers. The technique was
publicized in 2008 by security researchers Jeremiah Grossman, CTO
of WhiteHat Security, and Robert Hansen. If done successfully,
clickjacking can trick users into clicking on links without their
knowledge and effectively circumvents cross-site request forgery protections
that attempt to confirm transactions with the user.
In Sood's proof of concept,
available here, users click on what appears to be a link to Yahoo.com, but
actually directs them to a site about cross-site scripting. Sood wrote:
A clickjacked page tricks a user into
performing undesired actions by clicking on a concealed link. On a clickjacked
page, the attackers show a set of dummy buttons, then load another page over it
in a transparent layer. The user thinks he is clicking the visible buttons,
while he/she is actually performing actions on the hidden page.
The hidden page may be an
authentic page, and therefore the attackers can trick users into performing
actions which the users never intended to do and there is no way of tracing
such actions later, as the user was genuinely authenticated on the other page.
While Sood's post focused on Google Chrome, a Google spokesperson was quick
to point out that clickjacking is a larger issue that affects all Web browsers.
"The issue is tied to the way the Web and Web pages were designed to
work, and there is no simple fix for any particular browser," the
spokesperson said. "We are working with other stakeholders to come up with
a standardized long-term mitigation approach."
Although Microsoft
put protection against clickjacking in the release candidate for Internet
Explorer 8, critics
contend that Microsoft's IE 8 RC 1 clickjacking solution is only
a band-aid.
"While it's positive that Microsoft has chosen to do something to
safeguard against clickjacking, the new security feature offers very limited
protections," Grossman said. "Web site owners can do more to protect
their visitors, but unfortunately the average Web citizen still has no way to
defend themselves on their own. So most experts will agree the
anti-clickjacking feature will do little to stem the near-term risk."
Grossman suggested browser vendors consider bundling in the NoScript Firefox
plug-in by default.
"NoScript has powerful security features that can prevent clickjacking
as well as many other Web-based attacks, which also allows users to tune their
own level of desired security," he added. "For Internet Explorer,
Opera, Google Chrome, etc., they should embed similar features and
functionality in their products."
Johnathan Nightingale, a security researcher for Mozilla, said Mozilla's
efforts around preventing clickjacking have been more focused on comprehensive
solutions like its Content Security Policy proposal and implementing the Origin
header to thwart cross-site request forgery attacks.
"We've discussed these publicly with other
browser makers and the broader Web security community to ensure that we are
helping them prevent the attacks they're concerned about, and to benefit from
their experience," Nightingale said. "Changing the way we do security
on the Internet needs to be a group effort, and we'd welcome the participation
of the IE team in that work."
|
|
�������xr㶲0;; ʷ♵MR-b[^f&uT� I)|Izgy��oP/�gq2DFh4��$sW7-gL.\sfS;uA@
Y>%�>{�'(+o��1m�n�f](� _h���7wGlJ AT�1�v�RM� Ɠ5?X1 |+[S}L��q~qlv�.hvLIlG�t�uGѦ�%H�x�u)t�(D�HږyH6�EG�J;�ߣ*C7�ݩx8/DeOX�HYɼ�Mc�Aq4��5A�[h���=k~�|�E�k��0Ni�?��@Sա*"U�{Q5hw��/E� /B1r!f-{4�M*-�D�FL$�y$�f�=��Qw^A]õ]��ZΑR͌e�:o� tG
ob=u�ק&Y!
.�$g�>�N_FBԿBK�8VR=/y�
y�>z:t^u ¿�yo@סn}w�d&a-Q,s&"U+����wS�&��>�dRr[dQ�Ȳn�Mw�3a[mѡlطZkuE9,},^/[��,\hӟoF_{JU4Eٿ]vή
$QPw;@
VҝuP\ti\v??
ǁ#�ñ B'?Fj��}�&UJD�Z-�i&
�_������?.gN{���] x�[�K�j%�٥~hY̞o���f�V҈�g�UUY:lni_Wם^gGם)7f٘Y�ji�Ud�\�]2�,�U5M{#kr9n�3鐚&�tXaV|]kU[_{�o!&w�@"rVJze_R�?#3p=jI�o]}::�$7cY>韐/ !}_w��nr@
i/�],��,Y`M����Imdʩ�$��S@kNXҬ[c�W M�Z!r)
u$u(��7�>hr�
Q@e)#p?�݇I��hJq�䨉k>ذ�1�"%��iJyO{�Ջ�"�}Et"AͩO�W�%ތ�1E|r'�E�!\J�!=!��0!p,j4p�O�ಖyp1Bwެ-�ej4ޙϋ~ӲKwqnUO�^
S�35ލh�.B2i�%!�8W5MGVOL絯Tf~X�}U9-z�Qn�ʼnl�:2X�
jXR7HaQ�gt�A`�:)ҧ!>RӚM�CqRO#Gs�>H2AG61^�zK
ucb���>'�a�
;p�w�>-Fv13�{Q �{>�0i��CkJ�QD4�״
�l"��]�LR}�l��8d
$(s>w[L,)`��wCP�b�L{��TM`�@#g ,z���C��
�
@�l�߃5�#~[-[�Z6x�O͙A }�]x~9-R���C1@|JIIL"D%� R
h��4�A�G�EBEN�m�bo$H�XVph�T6ݞ�H:w@T�*esRأXB�Y�X/E_R�23#Cdɬa���X�91{M�f�T`"[ᛥLKa�k`F\jI$M#A�ӐIqL�Zۯ(�C�eE�g�l;��S�8#_Όp�?[~8�t��)�iBI ?,xpoFaB?5fѪ)C&=��B3A�~6;:�-��Ȧ��5��}j�0B11
�}wʠ:�'���E_
PޖKGxL(=
}Y9&4�Y
�̇J�>5nV�AL � �|�U=kb�$`~�
}iȜ^dtTRo?mM�v;p�pZ#�{��+%UV�L�G,m+^�viz\�[6`�aP�eQ@7MVRQy5�:Ǯ�Awm0H{{L'!���|2躢G�ű<��bj\X,��~�)©5r1|��jj�0!B,V�ũ��(j^;<�1��
�r]ilu�0q`(1Z3:uV*_M;$!W7wIQ)0�kM8v�9E1ǁ^{E[#
��F:�7�a/S" @�4��
y�� *�Ozq� �
b
(h
bAzpS
(�[�XR7,P��УGk]W9(#߬0h�h<]HzT%דCjvXVk�qvJ.∣8
�k�trF�g}qs`ћx?Sc`9g?7��`3�|x+ߙ�[Wae�Ƙ]H�`�c+0\ �+RU0p5K�2)N<:�a��r]TՑn
OQ��GA.C{��Mt��Ak[�,
�ܠYA�aiϖ}^.-y~R%'��ޯњ
nE`���9^R˶SN+X@�8���u4�[\Y��W`
>�~6F8bƏ�aj4X[�%}g��zoB6ELt0ȐNǝ�Wlȡ0tR\AO�q�?:(TZ�7cm{H^ac7U�[@oRF)�'�[WNj&h\�JEWDI�V`]j�X�|8.SoR~��Qjy6UG�3>�dߊ��zf!�1@:;J#qSՆ�n���VIu9dLfaNg1�0ck&&�w�?g`̦v_߯X17(p��O,УG'~�3O>�"�Ǥ�|e�2,tn1�a%[[2|'@�d���93��NQg�|0kռfwṛ:
�߀&�?\@qc�`��n} 2v"=zJ*~1'Yo\
ܮ:R�J
r1�]�]2�Y1�Gci��}�[U�ה1�Ze�ɲ7)Ь6�V�#�i��e.N3)a(&6}j;_&*|)2S�G)kEXqk\U�C=,N
=X畔Z=4¢lz�
z�|�Ic#&�a\kxk�_(uO(Ke嵤:i1RʵRM()BoE��잔n,��:
ĕ,6" ���l[
ezפ_+�Gs;"Jgԋb��r{q>'F{�4�l�G�j+jBgyr�`�3O?f#[i�Yy�Vum4ItH�"5Hq+�$˴%I?N�����0QtA�*}/*\$�Iv3ҿ��BGD�o0|����^%
RfCZִ2hw
ĶVU�'}D.,ӄ>zA�rVS�=YKrv�zJ5��dP�e�Hb.XO}+�tS��1�wOX�L\
�tK�O�7ƒ"���GUI��D�oO�M1+�0ӭxѤĂ<➩�!�gtgD�Vt�TؗI3�\E]s>\z�4�\N3bn,q� ۯcg#s�}e�YLoH:g'u3��f�}�Rt4zUr:Hעo9Kj�}J_cNfo4��~�ѶPV=8Y,rh縕vI3�c~:)}A/mN9˝�~H�u(9�o�G j�E5p�XIS"�9oթ�-ݱ�S!O?${ݝ:��h푎c�Ʌ���p
p'a�wʜW#��`(� ?�Y�.�[ ��W�3lyRѵl�d@T7&�]���ZG9�X16q�w�v`#(;A�\[µS24,`�u��l3�Ljǥ̷rt`�?K.}:IK�09jJs dނ�>#��>n�2�}2JO�$hבּ�~QϜ�ƭtGv/zfCd�a�}~vkW}Fy�P1h�n'4vlLcI")VԺ57`\8%'+xr42��ӢI/n���P2Q^;pG %c�cmf�}ݸ;w{f�1vi�nw�JP�}|�]&
{~W�]ߣPIݣw);~=mҊ(�r�ZDq5U2'{II5)t}۴�
r�UCa��U�k§u,'i�_JWc#ZTޞ�1;l�TƊ f+�ꈧ W�ך�1� |cM5�%&p$~�M{fr+
�)?8���/VD�e�[b4v[8| rK#�3緢fdl娳̆*�X`ˤ}[X''\/'_wz7>ʋn>: ,��\�=�9q-�Gktx�n\0LS�,ܦ+ӗ.0,�9tm+j-C<1<& ~&�ޓs
oA6*�䩒yE��bK�QR]
e=I�X|1�xaAᅫDx[GNlP� 7JY$#�'g&RE-yLvq({P>I^0�Qx��@>s量B2m5i�S2PI�8>�n�Z4��[g=P��g@
?A��}uQ*J%3.p�y'H�?a[HQ1T= LFz�v=K4�"3�O��yf;.�GD�cteϐMG/uRm^+�Y1��X��� Q�$��Yx���fYN{.!
�==�
!WDgS\��.�mCTUҔs9쪽8^S x��H@Կ0J9G��
�{�G|
Xyo)E�Ӡ+ZݔJ/kv�b/Na8r���p�#߽%�) �
JVrX&u�^VZ�o�X%�% �|�8[2R\~qFΒ_�t��FO%�] :.1
T|�E+*18p�A(Q�oEN�O@swe6eK1o!$�`H7Tĝ٦t
E�zRV+9LJ�R$G�^DnM03I�Qa˞7i)SU_K{�$3@�;iJ\a%hj��(MU+,j�=VDG-pnTmϧל{:yυ�ܗK1lj�;j�aUH=Lףo5̵ rH@#A�M㋑c
i͗\T�R3�
�8B�!�"sVsVsVsV}g_[N��:�V5|��t�ٚ�!��wKQ,TJ5u,x3��x8Y <�o,Zݡ�[=�� C>OKsw6�s/
uWt5�)C�m�H�]�'#NTA3{RRQk+xL@'bpDg!@g����Ĉ'h�˽:"=`gؐ5K͚r-
���@:z��#f:SwX
5|��eC(�^"X#;�$UU*�L�vI.�.aT{d8�n@DDgA_W V�Q�7K��I,υ_�FB��Ӂjzdz t�lyKR]�ʶA
�k�iY[�y+F�.ދy�Z5_�Ά\Yy9$yJmgܒ�%\�f2;�+.��(+ݠ<8;y@;3XOm]nnWC^�/dwҖuo*l�i˘6�~}g5p\��,� q�%H�hO�*ʳGբB+"*|O�r
_ڱf^*wi)�:5555}^SRUok��'TR+҅�bvd0{��mW`��w?k=��Lq~�Exi
�0r*eVOwA�+oO�[�_9g!i.�]Yj -$Xdؽ7�[8==l݇y�`}WX 'U�*K�X73[w2�fЩ撇_�)FԂ|rLjJǘ s>zmN�:pQ��}M,�YD^ob^�PfI�5
�S�Ɓx��o#Lʣicެ꽾h�sSGkv�@Li+ҵ:^|SWF!�%ymgc!^۹*+]GQDyޑ0tW۽8Ho..PG8���ZAM+�rǮ�>X�)rφSTkʹj
,tSzK�\ ś;M6%@rO|k��gN"�&X^w;BtΠ6k?0[�X�xm]$~�?h��b+@M�t��6->,Oċ[{_<�@VE[6ө{G��+eYX
-}-�Xw�i���yG�YIj|!"�VJD:`�wCF3VL)�2h�Jf65ʻj`
�>�.��,>t5�.&{3h
Νk�(j#� {"^ڋm��8�$69ֲ̫�d=I��[��-{8R��xz1Cv1SP�0 0&SUⷦ{!^!jރ%��h�(N-£�E���Ro|֊�OZZYΞCm�>K��x,WBfT�nCn$XG}K:i�.�"�{�?~�T���O2 u̒fStg��f0}��Q�CpoW?oc-d�?�?߉od!?XSC �߉l>I8O:O%-x Q�)w{ν� ��$E]"][v;"(W�#BמQN|l:/,+jj}ط��&#�z)ŢW\̺�#.kjc��_M4�#zf@�]o7l�G?PM}яw�>�V*8E�*=6i[��Ʈ"��Jf��adw@}$ƽRl�E߽gL��h�G6_�`[���a(ޅ�3VG�B�A8A�XJXDJ��Ň�^`G �K&5\�y h#8YL˃S^z1jsϙTh,ZNtVĥ+pL1S%��R0Z�YE]ɖ1xy��[/Oz'5aL7P;IU6'�a|Q�"+@*VH5iip%i1�=D_�?)fFmz^C �`5�um;�bwk�+mLtX8Ow|
evw�O�%YՉJ[��mݹ]J=!5&<15ڢ
2�b,cm7o,.WJέ��>B�Z�l3LµϯA*d�8I�uק6:F�̽OMĐofljU9JJ� �z�ʋzhNCF-� ''��+}Ւn4l_�oAʶΒb?gvp7�xo/�5!o�I{m��>9b ә��# �F;1뮒tڤJ3>нg��3B;w�^�?js~碷�T�+KL�-^a�yo+ZKɶ8+�R�)q<�>3�K���D�ut G
Ki�~RJHUTЯ7"г~ҳFܞUkx�=
<0]LaWLobD))�m2윶BwG#?di�5&��<4�ǘ"x�x�aj aF
gfٝ7�g��X�۽[!VWv�ru
YS�_�D��_�t[6}gSL+���*poB`(xC��]I٫T~�N�d�>��QhTJӑ!�>m;A=~!|LLRO����)g\�NL�_s�_�0���8 -sF@YfOG���P5�6D�:no_�Zsrپ靷u�=<��b\P_[�{�o�T��C7G>]Z���}Ə 'l�I=�R+�0wCE��1qd��!�̆\oX|J7�o8f+H�ג s),Jho~)J �ԝ��}�p�\pbܩHVdL4"&(qTiK$<��~1&IJE<
,iM�� ��YC) EEXF$%hD1fQ1a9=c3bw`/f��/u��G"��c�Z|E"�1^#&�3)-�+9�m_AG�W tQR*�("*�@���`g*o���
1C�(�^jJF�·:�%{3��Mi8q���Xg�-�.E�.[qw�6'+נ!5:0
1�YGw`C[�5E�Y|ob�L,`A~Bj�@̐0�($Ѕ:x,@#!��9ω�K+3�c
7VúޛXF #}�Aa�P8�Z
��+z+uT'I]W@)9CȮ�K�ƪZIZW6c�P��w�U2Qq9LSz%
%uW0`A i�2bg4t\K�
-C#�&a@}lFL��1�B�9^�9nIQst/Q{g%E�_gQB{{sپ\Y�1 ky/m2_T
Q�9l]28SΘksYx�9K��xu�<�/�8l��Iwk(%lFyr�WzuL�&�Bup�:/kj:ٙ%G]3G|�MPЦo&èuR��Bjs���@1@C|k{.4#z_m�;�
_C�pj+�ݜr�I;�ʏW�}Ns�OPiuY<.�r�g:9'�_z//Peu9?ρwT�"��"�>"�@�\@/r�yß��92zP9�r�)r�˜�̑K�˜��9�_?r
y�:z^N{^N���ק��ʡs�9~7P~W�{ÿ7MN779$)g�Vpv*esS^)4rR�}~
)�P9PϪ
��~2*RϜW~�y�$} k{^W�Kͮ0TntKT앆cn-:v��^_r�p崝#&J27喛O'ƴ^5_9�3�>�*
u�=�}٘o?�QǒGЬ��.Ǒrۿ剹?|�ka[,�G$q�=�Pޛ@K�n
\��8����#r]=MU�ڎwڝGfzuiePsv�dm�oCd
y^$�ٝx��|G]�-xC&n\e�f(/�@F�A��@q�0�-0�VqF`�^u=
�!�:i>cP4l�KeB�ghXc$
fZ���g8
!r�DЍ 5z$oIF#�[v�;Θ]I1́a[�C �o6eM+5VkZpwrD&0q���G�\ PdU:��.�UJ�0�XR����^9�Q(Fuoo*N0�njE�=uҐ'�a���0V�M�!���<��tlmȎ�U|�� y3s9R!:W)%@9$�L�o�� ;��j̯$v21W!+C�t Ccjd>Sk��+#�P<�,����EX8ۈq2s 2�&6���u�;ݙ)a,<�T#0?���uK6�a`2T�-�œj@@zĶ/D��~b��Y3!?crI�Txu��d⟒|e'0�P�2#zO�]v�BaIg��X��#�='�̄0QtOhr� V_$�v�5�B+*π��8>eHC�gyrT~{J}*P�=eښS;]�v"�,}d/+�4bѥO�v��HyU_O׀D.M$CbiG$]'
"#_S�a�oi�ly>ⲁ%#:}`S
h�9�3D:�9���Am'{�<-)�
Mm+#8�4#��@ܺ�lQF��6Vx�}�҂ �]@1S�x ѫ�v.9|�d@loM+fmj_0�ԕe`7gS�~*�3V���A>p8{�3`�ܐ}oI
�C_�"?�Fu:h�ϳ�A�sl2qZܷ3@ƷD0k"6���6iژDR�*�l'f
,�� ~sf�_O�Qh~0�.�r$c�<[_Eڵ묁F�t
��]
D
�h�ym�x�:< ׁ]"�b��C>bmR>�L�n2?R��@�J]�>�� �mE73T|���`GY&e`Z+v�8u
vQѲ
v�7"ְ0^q۷�ST�|@�sxS�a
\nJʶ�)E=b�\
�Ѩi�pKTVD'n����3^-�7qݼ�3Qa[O_Gn}#\��91F`=s,�ƫ
i>2��e�pClkZ��(JqU�
�XL´â�WITR6!�;ٯ�����kO`LbV@P���1,,�oԟ'T�S*�4.>ϝn<^eèy6��x�L�
-2�VjwV㛾V cSEᘸe+zi{mw>8n�~뉘h6JM?
۔̡9MR"Zj/!.zR<>էr09gv�?,,qgM.4a-d
|
Network Security & Hardware 
