0 Replies Latest reply on Oct 20, 2008 9:50 AM by HarryWaldron

    Clickjacking - What is it?

      While clickjacking is not a new concept, it's gaining popularity as a technique used by malicious websites. As iFrames are logical divisions of a webpage, the approach is to create a "transparent iFrame page" that lines up exactly with the real web page being accessed. The buttons in the "invisible iFrame page" replace the buttons in the real web page and allow malicious software to be loaded or security at a site to be compromised.

      The Adobe Flash facility is one of the most widely installed software products in the world, as it's used by all major browsers. Adobe Flash (v9 and lower) is vulnerable to these attacks, and it's a popular method now being used to achieve clickjacking. To stay protected from this threat, users should move to Adobe Flash v10, keep AV protection updated, keep all O/S and browsers updated, and avoid risky websites.

      Clickjacking - What is it?
      http://www.avertlabs.com/research/blog/index.php/2008/10/15/clickjacking/
      http://en.wikipedia.org/wiki/Clickjacking
      http://www.mxlogic.com/itsecurityblog/1/2008/10/What-is-ClickJacking.cfm
      http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818
      http://blogs.zdnet.com/security/?p=1972
      http://www.securityfocus.com/news/11534?ref=rss
      http://www.schneier.com/blog/archives/2008/10/clickjacking.html

      QUOTE: Let's use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via CSS. B will also need to be so big that the user can click its content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B's buttons is higher than A's buttons. This attack uses DHTML, does not require Javascript, so disabling Javascript will not help.

      This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
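      The overlay described above only works if the target site lets itself be loaded inside the attacker's IFRAME. As an added example (not part of the original post or the quoted articles), here is a frame-detection check a site can run in its own pages: it hides the page body unless the document confirms it is top-level or framed by its own origin. The `window`-shaped objects and the function names are hypothetical, so the logic can be exercised outside a browser.

```javascript
// Added example, not from the original post: a site-side check against being
// embedded as the "real page" underneath a transparent clickjacking IFRAME.
// `win` is any object shaped like a browser window (top, self, location).

// True when this document is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// True when a page from another origin is framing us. Reading top.location
// across origins throws a SecurityError, and that exception is itself proof
// that a foreign page is the embedder.
function framedByForeignOrigin(win) {
  if (!isFramed(win)) return false;
  try {
    return win.top.location.origin !== win.self.location.origin;
  } catch (e) {
    return true;
  }
}

// Defensive response: keep the body hidden (so overlaid invisible buttons have
// nothing real to land on) and try to break out of the frame. Returns what
// was decided so the caller (or a test) can observe it.
function applyFrameBusting(win, doc) {
  if (!framedByForeignOrigin(win)) {
    doc.body.style.display = ''; // render normally
    return 'rendered';
  }
  doc.body.style.display = 'none';
  try {
    win.top.location = win.self.location.href; // navigate the outer frame to us
  } catch (e) {
    // Cross-origin assignment refused: leave the body hidden.
  }
  return 'busted';
}
```

      A script like this is only one layer: it runs inside the framed page, so it depends on that page's scripts executing, and it should be combined with server-side framing controls rather than relied on alone.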

      Clickjacking - Adobe recommended workarounds (move to version 10)
      http://msmvps.com/blogs/harrywaldron/archive/2008/10/16/adobe-flash-version-10-security-release-fixes-many-bugs.aspx
      http://www.adobe.com/support/security/advisories/apsa08-08.html
      http://www.adobe.com/support/security/bulletins/apsb08-18.html