Clickjacking Flaw Hits Chrome and Firefox

Though Microsoft may have gotten ahead of the browser-security curve with the first release candidate of Internet Explorer 8, which includes a feature that helps protect against clickjacking attacks (a response header, X-Frame-Options, that a site sends to tell the browser not to render the page inside another site's frame), recent developments suggest that other browsers haven't quite caught up yet.

Google on Friday announced it is working on a patch to fix a clickjacking vulnerability in its Chrome browser -- specifically, versions and earlier running on Windows XP SP2. Mozilla's Firefox 3.0.5 browser has also been hit by a clickjacking attack. So far, Microsoft's IE 8 is unaffected.

Clickjacking, an emerging hacker method that is largely indiscriminate when it comes to browsers, involves luring an unsuspecting user to a malicious Web page that loads a legitimate site inside an invisible frame laid over decoy content. Clicks meant for the decoy land on the hidden site, where the user is often already logged in, so the attacker can trigger actions in the user's name, such as changing account settings, authorizing a transaction or approving a download. Part of the reason clickjacking isn't likely to go away is that the practice was only recently discovered and its nuances have yet to be fully understood. There has also been some disagreement as to whether the problem lies at the server level or on the client side with the browser itself.

Many security pros, such as ESET Director of Technical Education Randy Abrams, seem to think the problem is at the server level because the attack depends on the target site allowing its pages to be loaded inside frames on other sites. "The solution is to either ban Iframes on the Internet or attempt to deal with the problem at the browser level," Abrams said. "Firefox's NoScript add-on is touted as a defense. However, it is not 100 percent effective and actually, for the average user, it is not very comprehensible."

Another issue with protecting against clickjacking is that by keeping a workstation from running scripts, a user can increase security but disrupt browser functionality. Because of this, Abrams said even IE 8's anti-clickjacking feature will require some footwork by enterprise network administrators and Web application specialists. It will also require Web site operators to make modifications of their own, he added, since the browser-side feature protects only pages whose servers send the new header.

This means that for practical purposes, the only way server-side participation would be anywhere near ubiquitous is if IE 8 blocked a site whenever a page arrived without the clickjacking protection header, requiring the user to choose to proceed into the unprotected site.
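The two halves of the scenario described above, the attacker's overlay page and the header check a browser such as IE 8 performs before rendering a framed page, as an added example that is not part of the original article or of any browser's code. The victim URL, element coordinates and origins are constructed for the demo, and the choice to block on an unrecognized header value is this example's own (browsers of the time varied on that point).

```javascript
// Added example (not from the article): the two halves of a clickjacking
// scenario. attackerPage() shows how a malicious page stacks an invisible
// iframe of a victim site over a decoy so a click lands on a hidden button;
// frameDecision() shows the X-Frame-Options check IE 8 introduced on the
// framed response. All URLs and coordinates below are constructed for the demo.

// Offset the iframe so that the target button (at targetBtn inside the framed
// page) sits exactly under the decoy button (at decoyBtn on the attacker page).
function frameOffset(decoyBtn, targetBtn) {
  return { left: decoyBtn.x - targetBtn.x, top: decoyBtn.y - targetBtn.y };
}

// Build the attacker's HTML: a visible decoy button, and above it a fully
// transparent iframe positioned so the victim's button receives the click.
function attackerPage(victimUrl, decoyBtn, targetBtn) {
  const off = frameOffset(decoyBtn, targetBtn);
  return [
    '<button style="position:absolute;left:' + decoyBtn.x + 'px;top:' +
      decoyBtn.y + 'px">Claim prize</button>',
    '<iframe src="' + victimUrl + '" style="position:absolute;opacity:0;' +
      'z-index:2;left:' + off.left + 'px;top:' + off.top + 'px;' +
      'width:800px;height:600px;border:0"></iframe>',
  ].join('\n');
}

// Parse "scheme://host[:port]" into an origin tuple; null if malformed.
// Default ports are filled in so "https://a" and "https://a:443" compare equal.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const port = m[3] ? Number(m[3])
    : scheme === 'https' ? 443 : scheme === 'http' ? 80 : null;
  return { scheme, host: m[2].toLowerCase(), port };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return !!x && !!y && x.scheme === y.scheme &&
    x.host === y.host && x.port === y.port;
}

// Decide whether the framed response may be rendered inside the page at topUrl.
// DENY blocks all framing, SAMEORIGIN allows it only from the same origin, and
// a missing header leaves the page frameable, which is why adoption by site
// operators matters. Returns 'render' or 'block'.
function frameDecision(headers, framedUrl, topUrl) {
  // Header names are case-insensitive; normalise before lookup.
  let value;
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'x-frame-options') { value = headers[name]; break; }
  }
  if (value === undefined) return 'render';            // no protection requested
  const v = String(value).trim().toUpperCase();
  if (v === 'DENY') return 'block';
  if (v === 'SAMEORIGIN') return sameOrigin(framedUrl, topUrl) ? 'render' : 'block';
  // Unknown or malformed value: this example fails closed (an assumption;
  // browsers of the period did not agree on this case).
  return 'block';
}

// Demonstration on constructed data.
const victim = 'https://bank.example/transfer';
const evil = 'https://attacker.example/win';
console.log(attackerPage(victim, { x: 100, y: 200 }, { x: 40, y: 60 }));
console.log('no header  ->', frameDecision({}, victim, evil));
console.log('DENY       ->', frameDecision({ 'X-Frame-Options': 'DENY' }, victim, evil));
console.log('SAMEORIGIN ->', frameDecision({ 'x-frame-options': 'sameorigin' }, victim, evil));
```

With no header, the frame renders and the overlay works regardless of how careful the user is; the same page sent with DENY or SAMEORIGIN is refused by a browser that honors the header, which is the server-side participation the article says the IE 8 feature depends on.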

This also means that even though Redmond is ostensibly ahead in browser protection with IE 8, it also faces the most pressure to secure its market lead.

"More people use IE. Thus the potential victim pool is greater," said Mike Shema, security research engineer at Qualys. "IE 8 includes some clickjacking protection, but its usefulness is questionable. This just highlights the difficulty in creating a robust solution. Firefox, Safari and Chrome, which shares the same rendering engine as Safari, are just as susceptible to this attack. And because the attack relies on HTML rather than particular browser features, [they] are equally difficult to secure."

Because clickjacking affects multiple browsers from multiple companies, it's unlikely a comprehensive fix will emerge any time soon. Tom Ruffolo, CEO of eSecurityToGo, said that clickjacking prevention will ultimately end like most security efforts -- without 100 percent certainty and without a single, all-encompassing solution.

"The solutions are like having a belt and suspenders," Ruffolo said. "Web server-hosting companies or the companies that own those Web sites should use great application-level firewalls as well as secure the servers. Users should take advantage of both the latest [clickjacking] prevention solutions like IE 8 and NoScript, but also use SaaS-based Web reputational checking software that evaluates links that are clicked on and whether these sites are malicious or not."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.