"Clickjacking" Browser Exploit

SinisterSam, Wilders members were all over this subject back on August 19th: Adobe Flash ads launching clipboard hijack attack

As Giorgio Maone pointed out and confirmed by Wilders members back then, NoScript in FF defeats clickjacking. However, it's great to read that 100% protection is achieved by checking the Forbid <IFRAME> option and it's something that everyone should do right away, if running FF with NoScript.

 

The reason why I mentioned the former discussion is that halfway down the page on http://blogs.zdnet.com/security/?p=1972 it says: [SEE: Adobe Flash ads launching clipboard hijack attack] and the link takes you to the same article that was discussed on August 19th by Wilders members.

The above ZDNet article also references an Adobe PSRIT advisory talking about "The presentation centered around an issue that affects multiple browsers and websites, and, as it turns out, one of our products."

The exploit requires Dynamic HTML (DHTML) and besides JavaScript, Flash is commonly used to build interactive Web sites. This sentence in the above ZDNet article "Each click by the user equals a clickjacking click so something like a flash game is perfect bait." leads me to believe that they/we are talking about the same thing via a Flash conduit.

 

Take a look at this article: Not Clickjacking (Almost Certainly). If you can see the IFRAME (below the main text) which injects a page from planb-security.net, your Privoxy is not blocking IFRAMEs. Try it and report back.

With Firefox 3.0.3 and NoScript 1.8.1.3, I have to allow breakingpointsystem.com and disable the Forbid <IFRAME> Option, in order to see the redirect and that's why NoScript protects against this browser exploit.

 

Here's the rub. If I open Internet Explorer, select Tools > Internet Options > click the Security tab > choose the desired zone (Internet, Local intranet, Trusted sites, or Restricted Sites) and click Custom Level > scroll down to Launching programs and files in an IFRAME > select Disable to prevent iframes altogether, and repeat the same for each of the desired security zones, then click OK, my IE6 still shows the IFRAME in the article I posted!

EDIT: The article's Web site placed in the Restricted Zone in IE6 does not show the IFRAME but the IFrame does show in Internet & Trusted zones with IFrames disabled.

Can other Wilders members who have IE6, IE7 and IE8, try the same procedure as described above, then navigate to the link I posted and report back their results?

If FF and Opera defeat the exploit but IE does not, that's further proof to stay away from IE, unless absolutely necessary!

 

Rmus, thank you. So, even if IFRAMES is disabled in both Internet & Trusted zones, it still allows the exploit to go through. That seems to be the problem with at least IE6. Hope someone else can test in IE7 and IE8.

 

Magnus, I agree with you that this is much ado about nothing at the moment and that no Webmaster should ever be caught using any type of Frames in their designs, however, in my limited test with IE6, disabling IFRAMES (as I explained in Post #10) does not stop an IFRAME from showing, unless the site is placed in the Restricted Zone.

I have read about IE7 having a Developer Toolbar that can be tweaked like NoScript, but because no one else has tested the link I posted to that benign Web site, I have to assume that IE is wide open to this "potential" exploit.

Since I use Firefox with NS, that exploit will never be a problem for me and one Opera user said it wasn't an issue for them either. Yet IE remains a question mark - like always? If you have IE7 or IE8, can you test and post back?

 

Magnus, amen to that! Unfortunately, the latest market share stats of IE users is 71% (Chrome snatches share from IE) so a lot of people are going to be susceptible to this exploit, if it ever explodes. Thanks for your thoughts.

 

tlu, thank you for the link. This paragraph confirmed my suspicions about IE! Looks like Safari & Chrome are in the same boat.

Firefox with NS, and Opera are the browsers of choice to combat this exploit.

 

Fly, according to the article link that tlu provided, IE fails. Why don't you block IFRAMES and try the link on my post #7.

As I stated before: if you can see the IFRAME (below the main text) which injects a page from planb-security.net, your IE7 is not blocking IFRAMEs.