The security researchers who two weeks ago warned of new "clickjacking" vulnerabilities in browsers, Web sites and popular plug-ins, revealed a dozen variants of the bug Tuesday.
And that's just for starters, said Robert Hansen, founder and CEO of SecTheory. "The list doesn't cover all the other kinds of plug-ins that are vulnerable, or all the browsers or all the Web sites," Hansen said in an interview Wednesday. "The list got so long so fast that it was impossible to keep track of all the sub-issues."
On Tuesday, Hansen disclosed more information about "clickjacking," the new class of vulnerabilities that he and fellow researcher Jeremiah Grossman, the chief technology officer at WhiteHat Security, first mentioned during a semi-closed presentation at a New York security conference on Sept. 24. Hansen and Grossman had originally intended to present the bulk of their findings then, but agreed to withhold most of the information at the request of Adobe, which said it would quickly patch its software against clickjacking attack.
Early Tuesday, however, Israeli researcher Guy Aharonovsky posted a proof-of-concept demonstration that uses clickjacking tactics to invisibly reset Adobe System Inc.'s Flash privacy settings, and secretly turn on the computer's webcam and microphone for remote spying.
With the cat out of the bag, Adobe gave Hansen and Grossman the go-ahead to get specific about their findings. Hansen then posted a list of 12 different clickjacking scenarios on his blog.
"There are multiple variants of clickjacking," Hansen said in the post. "Some require cross domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't."
Of the dozen he spelled out, only two have been resolved. Adobe has not, for example, patched Flash against one of the clickjacking vulnerabilities Hansen and Grossman reported to the company. Adobe issued a security advisory Tuesday, however, with instructions on how to secure Flash against webcam and microphone hijacking in lieu of a patch.
"[Aharonovsky's] proof-of-concept was just a demonstration, but clickjacking can do all kinds of things," Hansen said Wednesday. "If you think about the traditional Web applications that have a 'Confirm' button or an 'Add a friend' button or any kind of single-button click, they're all going to be more vulnerable now."
But he also said there's no reason to panic; clickjacking wouldn't make the Internet a much more dangerous place in the short term. "If we assume that the majority of Web applications are vulnerable to some exploit, and they are, then clickjacking is making things worse, but it's already so bad that it doesn't really matter," Hansen said.
"We made it very clear that we didn't feel that this was the end of the Earth," he continued. "However, that doesn't lessen the ultimate severity of problems like monitoring people remotely with webcams or getting people to transfer money from their bank accounts."
Read up on the latest ideas and technologies from companies that sell hardware, software and services. The state of Middleware
Look before you leap | Key considerations for moving to 802.11n
Controlling storage costs with Oracle database 11g
Making the Business Case for IT Consolidation
How to improve employee productivity in small and medium businesses
IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
The Case for an Untethered Enterprise
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
AARNet Helps to Advance Indigenous Health 2008-12-02 12:44:00+11
Orbis selects Telstra International as its data centre partner for the UK, Europe and Middle East Region 2008-12-02 11:23:00+11
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
Mornington Peninsula Shire implements Objective to manage knowledge and deliver service excellence 2008-12-02 09:56:00+11
Virtual magic: HR specialist throws out 40 servers, adds 8TB SAN and saves $100,000 for disaster recovery 2008-12-01 15:28:00+11
Delivering the Power of Choice with Microsoft Dynamics CRM
Join Ed Thompson, Research VP, featured analyst firm, Gartner, Inc., and Brad Wilson, General Manager CRM Microsoft Dynamics, for a new webcast, Delivering the Power of Choice with Microsoft Dynamics CRM, available now. Our panel will break down the best practices for getting the most out of CRM and you'll learn key recommendations you can implement in your organization. Additionally, you'll also hear Microsoft's vision for CRM.
Buying Guides
Latest Products
