U.S. CERT Weighs in on Clickjacking

By Matthew Hines  |  Posted 2008-09-28 Print this article Print

As noted in a post in this space earlier this week, security researchers have begun publicizing the emergence of a dangerous new online attack model, dubbed clickjacking.

For full details click here, but in short the attack technique allows hackers who lure users to malicious or infected URLs to take control of their browsers and force the applications to secretly click on any content the attackers so desire, creating the opportunity for aggressive new drive-by infection scenarios.

The threat model was outed by researchers Jeremiah Grossman and Robert Hansen at an Open Web Application Security Project (OWASP) meeting, but the experts held back on releasing proof-of-concept code illustrating how such an attack would work after it became clear that many of the world's most ubiquitous online technologies, including all the major browsers and electronic document formats including those made by Adobe, are still vulnerable to the assaults.

Now the U.S. Computer Emergency Response Team (CERT) has offered its warning on clickjacking, further highlighting the seriousness of the issue, which browser vendors and major site owners are scrambling to address at this very minute.

"Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a Web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks," CERT officials said in their report.

The experts also published a set of tips for end users to follow to help protect their machines from potential exploitation.

US-CERT encourages users to do the following to help mitigate the risks:

-Do not open un-trusted files or files of unknown origin.

-Install antivirus software, and keep its virus signature files up to date.

-Regularly apply software patches and updates as supplied by the vendor.

Obviously those recommendations constitute what would be considered to be some of the most basic, fundamental practices that individuals and organizations must adhere to in order to protect themselves from malware and hacking attacks.

However, the move by U.S. CERT to issue its warning so shortly after clickjacking was first introduced in the public domain says something about how dangerous they feel the current potential for related attacks may be.

Be careful out there.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel