Feeds

Adobe yanks speech exposing critical 'clickjacking' vulns

Every major browser (and Adobe) affected

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.

Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.

The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner add that's part of a click-fraud scheme, or any other destination the attacker chooses.

The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.

In addition to Adobe, Grossman and Hansen have discussed the vulnerability with Microsoft and Mozilla, and security personnel from both companies "concur independently that this is a tough problem with no easy solve in sight at the moment," Hansen says here. A Microsoft spokesman said the company was investigating the report and that there are no reports of any attacks using the claimed vulnerability. Messages sent to Adobe and Mozilla representative were not returned.

Tom Brennan, chapter president of OWASP (short for the Open Web Application Security Project), expressed concern over the cancellation.

"I am sure if your browser, video and microphone was taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat," he writes here, in announcing the cancellation. "Well, this is in fact the situation described below and I believe that a information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone."

Hansen struck a more conciliatory tone in discussing the cancellation.

"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.

Hansen and Grossman said their research breaks security measures that many websites rely on to protect visitors. While the vulnerabilities can be fixed using web-side patches, the most practical measure will be for browser makers and developers like Adobe to update their software.

"We believe for that to be pretty hard and so do they," Grossman said referring to the patching of Microsoft's Internet Explorer and Mozilla's Firefox browsers. "I think the fixes [for Adobe] are quite difficult, but only they can tell you that for sure." (We'll be sure to update our story if they do.)

In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That's not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.