Adobe yanks speech exposing critical 'clickjacking' vulns
Every major browser (and Adobe) affected
In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web.
Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.
The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner add that's part of a click-fraud scheme, or any other destination the attacker chooses.
The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.
In addition to Adobe, Grossman and Hansen have discussed the vulnerability with Microsoft and Mozilla, and security personnel from both companies "concur independently that this is a tough problem with no easy solve in sight at the moment," Hansen says here. A Microsoft spokesman said the company was investigating the report and that there are no reports of any attacks using the claimed vulnerability. Messages sent to Adobe and Mozilla representative were not returned.
Tom Brennan, chapter president of OWASP (short for the Open Web Application Security Project), expressed concern over the cancellation.
"I am sure if your browser, video and microphone was taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat," he writes here, in announcing the cancellation. "Well, this is in fact the situation described below and I believe that a information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone."
Hansen struck a more conciliatory tone in discussing the cancellation.
"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.
Hansen and Grossman said their research breaks security measures that many websites rely on to protect visitors. While the vulnerabilities can be fixed using web-side patches, the most practical measure will be for browser makers and developers like Adobe to update their software.
"We believe for that to be pretty hard and so do they," Grossman said referring to the patching of Microsoft's Internet Explorer and Mozilla's Firefox browsers. "I think the fixes [for Adobe] are quite difficult, but only they can tell you that for sure." (We'll be sure to update our story if they do.)
In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That's not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal. ®