Microsoft Goes After Clickjacking in IE8
Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks.
For those who don't recall, clickjacking is a relatively new technique -- first detailed in mid-2008 by researchers Jeremiah Grossman and Robert Hansen, among others -- which involves using widely-available vulnerabilities to take control of an end user's browser.
The idea is that simply by tricking a visitor into arriving at an infected URL, an attacker can manipulate the affected end users' browser session to get them to do just about anything the hackers desires, such as downloading malware, and at the time it was first reported publicly, there were clickjacking vulnerabilities available in just about every major browser, including IE7.
Now, to carry out these kinds of campaigns, obviously the involved attackers need to both subvert Web sites (the more legitimate the better) and have the browser vulnerabilities available that allow them to deliver their code.
While offering few technical details of its methods for stopping clickjacking, Microsoft appears to have not only tried to address the browser-based issues, but also sought out the help of Web site owners to make IE8 less vulnerable to the attacks.
"We've worked closely with people in the security community to enable consumer-ready clickjacking protection. Sites can now protect themselves and their users from clickjacking attacks 'out of the box,' without impacting compatibility or requiring browser add-ons," the company said.
Microsoft said that it also augmented some of its InPrivate features which allow IE users to delete or shield their browsing habits from others who might be using their computers, though it did not offer functional details of that update either.
Now, it will remain to be seen whether or not the features offered in the IE8 RC browser have an effect in preventing clickjacking attacks, but you have to give the guys in Redmond credit. While there will certainly still likely be plenty of vulnerabilities in the browser, as in all browsers, Microsoft has gone from being almost laissez faire when it comes to addressing emerging threats just several years ago, to now, where they are attempting to get out in front of newer attacks.
Love IE or leave it, you have to give them credit for continuing to step up their game.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.