Thursday, September 25, 2008

Alarm Raised For "Clickjacking" Browser Exploit

Slashdot picked up a story from ZDNet about what appears to be a serious new browser exploit affecting all major desktop browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera) as well as Adobe Flash.

The threat, called "Clickjacking", was to be presented at the OWASP NYC AppSec 2008 conference, but the talk was postponed out of consideration for the affected vendors until a proper fix is developed.

The two researchers who made the discovery, Robert Hansen and Jeremiah Grossman, have released some information to underline the severity of the threat. According to someone who attended the semi-restricted OWASP presentation:
"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."
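The attack described above works by having a malicious page frame the victim site and steer the user's clicks onto it. The site-side mitigation, as an added example that is not part of the original post, is to tell the browser that the page may not be framed; the response headers this check audits (X-Frame-Options and the CSP frame-ancestors directive) postdate this 2008 article and are assumed here as what a defender would verify today. The sample header sets are constructed.

```javascript
// Added example: audit a site's HTTP response headers for anti-framing
// protection, the server-side mitigation for clickjacking. The header
// names are assumed here (they were introduced after this article).

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;
}

// Returns { protected, reason }. Browsers that support frame-ancestors give
// it precedence over X-Frame-Options, so it is evaluated first.
function auditFraming(headers) {
  const ancestors = frameAncestors(getHeader(headers, 'Content-Security-Policy'));
  if (ancestors !== null) {
    if (ancestors.some(a => a === '*' || a === 'http:' || a === 'https:')) {
      return { protected: false, reason: 'frame-ancestors allows any origin' };
    }
    return { protected: true, reason: 'frame-ancestors: ' + ancestors.join(' ') };
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo === null) {
    return { protected: false, reason: 'no anti-framing header; any site can frame this page' };
  }
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options: ' + value };
  }
  // Anything else (e.g. the old ALLOW-FROM form) is ignored by current browsers.
  return { protected: false, reason: 'X-Frame-Options value not honoured: ' + xfo };
}

// Constructed sample responses: a header-less page beside a hardened one.
const WEAK_HEADERS = { 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
```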

See more at ZDNet.