All browsers are vulnerable to clickjacking

By Stuart J. Johnston

The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.

What’s worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.

Clickjacking covers several new attack scenarios, any of which lets an attacker literally steal your mouse clicks. When you think you’re clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple’s Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.

The problem doesn’t stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe’s Flash player and Microsoft’s Silverlight streaming-media plug-in.

“If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security,” Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.

Disguised links lurk behind clickable buttons

In clickjacking, surreptitious buttons are “floated” behind the actual buttons that you see on a Web site. When you click the button, you’re not triggering the function that you expected. Instead, the click is routed to the bad guy’s substitute link.

Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.

They point out that even users who watch their systems like a hawk can be victimized.

“There’s really no way to know if what you’re looking at is real,” Hansen told Windows Secrets.

In fact, Hansen and Grossman found so many new ways to attack your PC — and your Mac — that they categorize these threats as a “new class” of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.

Clickjacking isn’t new. In fact, it dates back to at least 2002, Hansen said. What’s new is the range of browser vulnerabilities that make clickjacking possible.

Hansen’s blog posting describes the scope most clearly:

“There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF [Cross-Site Request Forgery] to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them.”

This doesn’t mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites.

Disabling JavaScript has serious drawbacks, because so much of the Web’s interactivity is driven by JavaScript apps.

“[Disabling JavaScript] totally cripples the Web experience,” Skoudis said.

In addition, Hansen states, even browsing with JavaScript disabled will not protect against all possible avenues of attack.

“Most browsers are going to be vulnerable,” Hansen told Windows Secrets. Even the new version 8 of Internet Explorer, currently in beta, is susceptible — though Hansen said he expects Microsoft’s upcoming browser to be patched by the time it’s released later this year.

Flash apps may activate webcams and mics

Besides browsers, the bad guys can also exploit Web programs such as Adobe’s Flash player.

For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC’s webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop’s built-in camera and mic.

Clickjacking vulnerabilities don’t stop there; attacks may also be launched via iFrames by using cross-site scripting techniques.

Hansen says that disabling browser plug-ins and scripting will help but is no panacea, given the threat’s complexity.

In fact, in the three weeks since Hansen and Grossman first revealed the discovery of the clickjacking vulnerabilities, Hansen says he’s received about half a dozen examples of proof-of-concept code and knows of several more — not counting the half dozen or so that he and Grossman have already found.

To date, there have been no attacks in the wild, although with proof-of-concept code already out, it’s just a matter of time.

Can you stay safe in a clickjacking world?

Browser and plug-in vendors have joined watchdog organizations in describing what you can do to stay safe.
  • Adobe: The Flash vendor has issued a patched version that will help keep you safe from Flash-based attacks. See the company’s download page. Previously, the company had posted a security advisory containing a workaround.

  • Mozilla Foundation: Install Giorgio Maone’s open-source NoScript plug-in to block execution of JavaScript except for sites you approve. NoScript is free, though the vendor requests a donation. The add-on lets Firefox users designate the sites on which scripts are allowed to run and blocks JavaScript on all other sites.

  • Microsoft: To date, the company has taken a noncommittal stance in regard to the clickjacking threat. Microsoft responds to questions by referring users to the company’s Security Support page.

  • U.S. Computer Emergency Readiness Team (US-CERT): The agency provides a document that describes how to protect IE, Firefox, Safari, and other browsers from a range of attacks.

Even taking all of the above precautions doesn’t guarantee that your system is 100% immune to the new threat. You’ll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.
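The precautions above all sit on the user's side. A site operator can also refuse to let its pages be embedded in another site's frame, which removes the hidden overlay that the iFrame variants of clickjacking depend on. The following Node.js script is an added example, not code from the article or from any vendor named in it; it assumes the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive (neither is mentioned in the article) and audits a few constructed sample responses for whether a third-party origin could frame the page.

```javascript
// Added example, not from the Windows Secrets article: a defender's audit of
// HTTP response headers for anti-framing declarations. The mechanisms assumed
// here (X-Frame-Options, Content-Security-Policy frame-ancestors) are not
// mentioned in the article; the sample responses below are constructed.

// Parse a Content-Security-Policy header into a Map of directive -> source tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Decide whether a page served with these headers can be loaded inside a frame
// hosted on an unrelated origin. Returns { framable, reason }.
function assessFrameProtection(headers) {
  // HTTP header names are case-insensitive, so normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }

  // frame-ancestors, when present, overrides X-Frame-Options in CSP-aware browsers.
  if (h['content-security-policy']) {
    const ancestors = parseCsp(h['content-security-policy']).get('frame-ancestors');
    if (ancestors) {
      const tokens = ancestors.map((t) => t.toLowerCase());
      if (tokens.includes("'none'")) {
        return { framable: false, reason: "CSP frame-ancestors 'none'" };
      }
      // '*' or a bare scheme such as https: lets any origin frame the page.
      const wideOpen = tokens.some((t) => t === '*' || /^[a-z][a-z0-9+.-]*:$/.test(t));
      if (wideOpen) {
        return { framable: true, reason: 'CSP frame-ancestors allows any origin' };
      }
      return { framable: false, reason: `CSP frame-ancestors limited to ${tokens.join(' ')}` };
    }
  }

  if (h['x-frame-options']) {
    const xfo = h['x-frame-options'].trim().toUpperCase();
    if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
      return { framable: false, reason: `X-Frame-Options ${xfo}` };
    }
    // Any other value (including the obsolete ALLOW-FROM form) is ignored by current browsers.
    return { framable: true, reason: `X-Frame-Options value "${xfo}" is not enforced` };
  }

  return { framable: true, reason: 'no anti-framing header present' };
}

// Headers a site should add to the response it already sends: the CSP directive
// for modern browsers plus X-Frame-Options as a fallback for older ones.
function hardenedHeaders(existing) {
  return {
    ...existing,
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyHeader: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  cspDeny: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    const result = assessFrameProtection(headers);
    console.log(`${name.padEnd(12)} framable=${result.framable}  (${result.reason})`);
  }
  const hardened = assessFrameProtection(hardenedHeaders(SAMPLE_RESPONSES.unprotected));
  console.log(`hardened     framable=${hardened.framable}  (${hardened.reason})`);
}
```

Run it with `node` to see each constructed response classified; the hardened variant of the unprotected response comes back as not framable. Both headers are emitted together because browsers that understand frame-ancestors ignore X-Frame-Options, while older ones only know the latter.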

While we’re all waiting for vendors to patch their products, Alfred Huger, vice president of software development for Symantec Security Response, has some down-to-earth advice. Since most malware attacks occur on adult sites, keep your browsing rated PG-13.

“You’re most likely to see [attacks] on porn sites or on sites that offer game-cracking software,” Huger adds.

When in doubt, ask yourself whether your mom would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.

Despite the seriousness of this latest round of security threats, SANS Institute’s Skoudis says he is optimistic. While the threat of attack may be high for the next three to six months, Skoudis expects more complete protections to become available as early as next spring and no later than next fall.

“This is a very serious finding, but this is not going to be the end of the Web,” Skoudis adds.

Stuart Johnston is associate editor of WindowsSecrets.com. He has written about technology for InfoWorld, Computerworld, InformationWeek, and InternetNews.com.