There was a potential threat unveiled at the OWASP AppSec 2008 conference at the end of September, and after a little internal review we believe it is worth a warning. It’s a new kind of browser attack, currently only known to be a proof-of-concept threat (meaning we haven’t yet seen it in the wild). Dubbed “clickjacking,” it highlights the growing focus on the browser as the attack vector of choice for
According to Gregg Keizer at Computerworld, researcher Robert Hansen, founder and chief executive of SecTheory LLC, and Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. have discovered a way that hackers can trick you into doing virtually anything – reportedly without ever even compromising a Web site.
Here’s the original story:
Security researchers warn of new 'clickjacking' browser bugs
While the story doesn’t contain many specific details, because the researchers are wisely working with browser and Web technology vendors to fix the flaw, it appears that an attacker can interpose between your browser and a Web site and place hidden “click” buttons that carry commands of the attacker’s choosing. For example, an attacker could place an invisible button over a legitimate link on a Web site, so that clicking the link triggers a malicious download or otherwise opens your PC to attack.
Here’s how the story describes a potential scenario:
"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls," Grossman said in an e-mail on Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."
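The scenario quoted above depends on the attacker being able to load the target page inside a transparent frame or layer on a page they control. The fix that browsers and site operators settled on shortly after this disclosure is a response header that tells the browser not to render the page inside a third-party frame: X-Frame-Options, and later the Content-Security-Policy frame-ancestors directive. As an added example that is not part of the original post, here is a small JavaScript audit that takes a site’s response headers and reports whether those anti-framing controls are present and strong. The header names and values are the real ones browsers honour; the function names and the two sample responses are constructed for this illustration and are not from any product or library.

```javascript
// Added example (not part of the original post): audit HTTP response headers
// for the anti-framing controls that defend a page against clickjacking.
// X-Frame-Options and the CSP frame-ancestors directive are real headers;
// the function names and sample responses below are constructed.

function parseFrameAncestors(csp) {
  // CSP directives are separated by ';', tokens inside a directive by whitespace.
  // Returns the list of allowed ancestors, or null when the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function auditFramingHeaders(headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const findings = [];
  let protectedByCsp = false;
  let protectedByXfo = false;

  // Modern control: CSP frame-ancestors ('none', 'self' or an explicit allow-list).
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors === null) {
    findings.push('CSP frame-ancestors directive missing');
  } else if (ancestors.includes('*')) {
    findings.push("CSP frame-ancestors allows any origin ('*')");
  } else {
    protectedByCsp = true;
  }

  // Legacy control: X-Frame-Options DENY or SAMEORIGIN.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (!xfo) {
    findings.push('X-Frame-Options header missing');
  } else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    protectedByXfo = true;
  } else if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never supported by every browser, so it is weak on its own.
    findings.push('X-Frame-Options ALLOW-FROM is not honoured by every browser');
  } else {
    findings.push(`X-Frame-Options has unrecognised value "${xfo}"`);
  }

  return {
    protected: protectedByCsp || protectedByXfo,   // at least one effective control
    defenseInDepth: protectedByCsp && protectedByXfo, // both controls present
    frameAncestors: ancestors,
    findings,
  };
}

// Constructed sample responses (not captured from any real site).
const WEAK_RESPONSE = {
  'Content-Type': 'text/html',
  'Set-Cookie': 'session=example; HttpOnly',
};

const HARDENED_RESPONSE = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

console.log('weak:', auditFramingHeaders(WEAK_RESPONSE));
console.log('hardened:', auditFramingHeaders(HARDENED_RESPONSE));
```

The audit treats either header as sufficient on its own and flags the stronger posture when both are present, because older browsers only understand X-Frame-Options while newer ones prefer frame-ancestors. Script-based “frame busting” inside the page is not counted, since a framing page can interfere with scripts in ways it cannot with a response header.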
We’re waiting to hear more, and as soon as the POC code is made public we’ll get to work testing and vetting the threat against ZoneAlarm, the Suite and ZoneAlarm ForceField. Our initial assessment is that ZoneAlarm ForceField would provide a key layer of protection, by isolating the attacker in your virtual browser and preventing malicious downloads. Additionally, your ZoneAlarm Firewall is built with a self-defense mechanism that prevents remote commands from disabling its protections.
Browser security continues to be a very high priority, and we remain committed to helping you surf safely.