Smokey's Security Weblog

veritas odium parit

Disclosure of Major New Web ‘Clickjacking’ 0-Day Threat Gets Defer

Details of a new major Web attack that could potentially affect millions of users won’t see the light of day next week as planned after the researchers who discovered it agreed to hold off on disclosing their find until Adobe comes up with a patch for its product.

Renowned Web security researchers Robert “RSnake” Hansen and Jeremiah Grossman late yesterday pulled their presentation “New 0-Day Browser Exploits: Clickjacking – yea, this is bad” from the upcoming OWASP USA security conference in New York, after Adobe requested that the researchers give them time to come up with a patch for one of its applications before they release their proof-of-concept code.

The pair planned to disclose flaws in the architecture of all of today’s web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he’s clicking on a link that leads to Google – when in fact it takes him to a money transfer page, a banner add that’s part of a click-fraud scheme, or any other destination the attacker chooses.

Hansen and Grossman just days ago found that a vulnerability that can be used for so-called “clickjacking” attacks wasn’t in Adobe’s application, but in various browsers, including Microsoft’s and Mozilla’s, and affects Adobe’s application. It can even evade browser security features. While they can’t give details of the specific vulnerabilities at this time, they say this new clickjacking attack — where a bad guy lures a victim to click onto a link — could leverage other Web attacks like cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF), to attack a wider range of users.

The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.

In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That’s not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal.

Sources:

Dark Reading
The Register

Advertisements

September 20, 2008 - Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Uncategorized, Vulnerabilities | , , , , , , , , , , ,

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: