Feeds

Adobe yanks speech exposing critical 'clickjacking' vulns

Every major browser (and Adobe) affected

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner add that's part of a click-fraud scheme, or any other destination the attacker chooses.

The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.

In addition to Adobe, Grossman and Hansen have discussed the vulnerability with Microsoft and Mozilla, and security personnel from both companies "concur independently that this is a tough problem with no easy solve in sight at the moment," Hansen says here. A Microsoft spokesman said the company was investigating the report and that there are no reports of any attacks using the claimed vulnerability. Messages sent to Adobe and Mozilla representative were not returned.

Tom Brennan, chapter president of OWASP (short for the Open Web Application Security Project), expressed concern over the cancellation.

"I am sure if your browser, video and microphone was taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat," he writes here, in announcing the cancellation. "Well, this is in fact the situation described below and I believe that a information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone."

Hansen struck a more conciliatory tone in discussing the cancellation.

"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.

Hansen and Grossman said their research breaks security measures that many websites rely on to protect visitors. While the vulnerabilities can be fixed using web-side patches, the most practical measure will be for browser makers and developers like Adobe to update their software.

"We believe for that to be pretty hard and so do they," Grossman said referring to the patching of Microsoft's Internet Explorer and Mozilla's Firefox browsers. "I think the fixes [for Adobe] are quite difficult, but only they can tell you that for sure." (We'll be sure to update our story if they do.)

In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That's not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.