Feeds

Adobe yanks speech exposing critical 'clickjacking' vulns

Every major browser (and Adobe) affected

  • alert
  • submit to reddit

High performance access to file storage

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner add that's part of a click-fraud scheme, or any other destination the attacker chooses.

The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.

In addition to Adobe, Grossman and Hansen have discussed the vulnerability with Microsoft and Mozilla, and security personnel from both companies "concur independently that this is a tough problem with no easy solve in sight at the moment," Hansen says here. A Microsoft spokesman said the company was investigating the report and that there are no reports of any attacks using the claimed vulnerability. Messages sent to Adobe and Mozilla representative were not returned.

Tom Brennan, chapter president of OWASP (short for the Open Web Application Security Project), expressed concern over the cancellation.

"I am sure if your browser, video and microphone was taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat," he writes here, in announcing the cancellation. "Well, this is in fact the situation described below and I believe that a information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone."

Hansen struck a more conciliatory tone in discussing the cancellation.

"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.

Hansen and Grossman said their research breaks security measures that many websites rely on to protect visitors. While the vulnerabilities can be fixed using web-side patches, the most practical measure will be for browser makers and developers like Adobe to update their software.

"We believe for that to be pretty hard and so do they," Grossman said referring to the patching of Microsoft's Internet Explorer and Mozilla's Firefox browsers. "I think the fixes [for Adobe] are quite difficult, but only they can tell you that for sure." (We'll be sure to update our story if they do.)

In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That's not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.