CYBERSPACE — “Trust no one” may be too paranoid to be a workable life credo, but it certainly comes close to being a reasonable philosophy for Web use. Since July, no fewer than four core vulnerabilities that threaten the very existence of the internet have been discovered. Three of them, including the most recently revealed, require significantly more than a simple patch job. In fact, researchers are unsure whether the issues can be resolved at all without a major reworking of some of the internet’s basic structures.In early October, researchers identified a new type of “clickjacking” vulnerability in Adobe’s Flash technology — and consequently in every major Web browser (including Google’s new Chrome and Apple’s tough-as-nails Safari). The vulnerability allows bad guys to lure surfers to malware-bearing Web pages where they can engage in all sorts of nasty behaviors, including information theft and hijacking users’ webcams and microphones.
“It is a very serious problem,” Giorgio Maone told NewsFactor. Maone is the author of a Firefox add-on called NoScript that prohibits hidden scripts from running in Firefox. “Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully. There’s no estimate to the number of trap sites and it’s unlikely that we will see any credible report about the number of sites using this technique, because there are literally infinite ways to implement such an attack, therefore no signature-based scanning can detect it automatically.”
Although Adobe released a security advisory October 7th, the company has yet to design a fix other than advising users to disable Flash access to their cameras and microphones. Adobe security personnel said they hope to have a patch available by the end of October.
Clickjacking isn’t just Adobe’s problem, though. According to several researchers, there are any number of ways to implement a clickjacking attack, and not all of them require Flash.
“There are multiple variants of clickjacking,” SecTheory Chief Executive Officer Robert Hansen wrote in a lengthy blog posting. Hansen and WhiteHat Security Chief Technology Officer Jeremiah Grossman were credited with unmasking the clickjacking threat. “Some of it requires cross-domain access, some doesn’t. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to preload data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them.”
The clickjacking threat will be difficult to overcome, Hansen noted, because it arises not simply from a lack of coding foresight on the part of one or two developers, but from the way the Web’s underlying code works.
Maone agreed. “This problem comes from features which are integral to the modern Web as we know it, and especially from the ability of Web pages to embed arbitrary content from different sites, or to host little applications through plug-ins like Adobe Flash, Java or Microsoft Silverlight,” he told NewsFactor.
As with the other major threats to the internet’s core, the real solution lies not in application developers’ rapid response to potential threats, but in encouraging Web standards bodies to update and upgrade the underlying infrastructure.
