September 29, 2008

Clickjacking -- the new browser wipe-out

News is circulating about Clickjacking, an undisclosed vulnerability that effects all browsers (with the exception of Lynx, which you don't use :) . Apparently although exploit code is somewhat hard, it is an impressive result. Your browser is owned, once again.

Hattip to BigMac, who might be the last person on the planet using Lynx. There appears to be limited options right now:

From my side, I wonder whether another possibility is to close all tabs, restart the browser, do your sensitive work, then shut it all down again.

OK, that's just idle speculation on my part, but it is worth thinking about. A large component of the current breaches are a result of the browser being a general purpose tool with not only cross-admin-border protocols, but also parallel applications in play. Not generally a good idea in security thinking, and it means that the browser can only ever work in medium security modes.

Also, I have another open question: should NoScript become standard recommendations for Mon'N'Pop ?

Posted by iang at September 29, 2008 10:21 AM | TrackBack

Actually, I use elinks every now and then, really ;)

Posted by: BigMac at September 29, 2008 10:52 AM

After having been involved in trouble shooting a network integrity problem in the 70s related to automatic scripting ... i've always run with no scripting, no plug-ins, no cookies, no automatic application.

I've found only a few sites that figure they absolutely need it ... so i have two browsers instances with different personalities open at the same time in different workspaces. The 2nd personality has noscript plug-in configured.

This is basically a form of the virtualization theme ... keeping things strongly isolated/partitioned. For the really paranoid there is process that automagically creates a whole virtual machine (from scratch) for browser session ... and then the whole thing is scrubbed/discarded.

This is also related to the theme about virtualization being used eliminating the current traditional desktop operating systems and replacing it with a virtual machine layer with multiple "virtual appliances" ... basically drastically simplified monitors for specific environments (increasing security since it eliminates a lot of the complexity that contributes to vulnerabilities).

this was somewhat the cp67 & cms implementation from the 60s.

40+ yrs virtualization experience, online at home since Mar70

Posted by: Lynn Wheeler at September 29, 2008 11:05 AM

I have been raring to nominate noScript but I want more usability improvements.

1. I want someway to subscribe to whitelist - so that the admin or someone trusted could whitelist items easily

2. I want noScript to allow trivial JS, like allow JS to resize CSS boxes etc. , disallow ALL that is even a little advanced. I don't know whether this is even possible in JScript .

And in general make it less cryptic for mom and pop.

Posted by: anonymous at September 29, 2008 02:47 PM

Whilst "install NoScript" sounds like a great idea short term, what happens when attention is given to NoScript and - like most products given sufficient attention - NoScript is found wanting? We need to bear in mind that people don't take lightly to "do this" and then a month later they're told to stop doing just what they've been told and change once again.

I subscribe to Lynn's view of thinking. I, too, have two different browsers, Firefox and Opera: first for normal browsing, second for banking, purchases, etc.

Posted by: Saso at September 30, 2008 12:17 AM

Since the exploit is said not to require Javascript, it may well be based on CSS (say, hiding a malicious link or form under something innocuous and relying on the event cascade to deliver clicks to it). If the exploit truly doesn't need Javascript then NoScript will only protect you to the extent that it inconveniences the bad guy a little.

Posted by: Mark Seecof at October 1, 2008 06:41 PM

the mom&pop noscript shouldn't have a 'allow scripts Globally' function. Neither should an (the same?) enterprise version of the software. Looking at the rate of features of the noscript plugin I'm wondering if I'll ever understand what its really doing. I still use it though.

Posted by: dan at October 7, 2008 08:16 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.