Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Firefox + NoScript vs Clickjacking

By Ryan Naraine | September 25, 2008, 2:59pm PDT

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.

Cheers,
Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue.  In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

44 Comments

RE: Firefox + NoScript vs Clickjacking
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is their advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage. I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.
0 Votes
+ -
"near impossible to fix properly"
LBiege Updated - 25th Sep 2008
That sounds very promising to those who want to build online apps on top of HTML.

NOT.
0 Votes
+ -
reminds me of ...
LBiege 25th Sep 2008
the annual "this is our year" talking.
nt = no text
0 Votes
+ -
Yes, the Windows 2000 days...
phatkat 26th Sep 2008
I remember the brouhaha over the monopoly that Microsoft was making by having the Internet Explorer browser be part of your desktop in Windows 2000. Imagine the true nightmare this will have on the OS when someone takes full advantage of this vulnerability.
Monopolies and putting everything in one basket are bad, and this is the proof of it.
0 Votes
+ -
RE: Firefox NoScript vs Clickjacking
BrettGlass 25th Sep 2008
If the "noscript" plugin might help prevent some exploits, what about the script-defeating mechanism in WebWasher Classic (a free program available at several download sites on the Web)? WebWasher inserts itself as a transparent proxy between your browser and the Net, and so would potentially work for ALL browsers, not just Firefox. It might well be the only fix for IE for a while.
0 Votes
+ -
Q: "For 100% protection by NoScript,..."
rileinc Updated - 25th Sep 2008
Does 100% refer to complete immunity against clickjacking attacks or general threats?

Btw, a side note here. US-CERT's (old) advice seems to apply:
The following link takes you to the Safari section; scroll up a bit to see the advice on configuring NoScript.
http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Safari
0 Votes
+ -
100% means...
Giorgio Maone 25th Sep 2008
100% protected against clickjacking from an untrusted page.
Of course I'd never say NoScript can protect you 100% from anything, but regarding web-based exploits pulled by untrusted (unknown) sites it goes pretty near.
Back to clickjacking: against the remote event of a full-fledged clickjacking attack mounted from a trusted (whitelisted) page, you also need to check "Apply these restrictions to trusted sites as well". More details here: http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=52374&messageID=987412&start=0
0 Votes
+ -
From what I can tell
CobraA1 25th Sep 2008
From what I can tell, this pretty much means that:

-Being able to pull information from other domains should probably not be done by the client. Wanna display some ads? Pull them in server side.

-More work should be done to stop cross site scripting. When the user moves to a new domain, everything from the old domain should be thrown out, no questions asked. In addition, JavaScript created in one domain should be forbidden to have any effect on pages from other domains.

-Java's and Flash's ability to break out of the frame, especially without user permission, should be forbidden.

-IE8 and Google Chrome are splitting separate tabs into separate processes. Chrome is taking it a step further to create a new process and destroy the old one when you surf to a new domain. IMHO, that behavior is the future. Now that websites are acting like applications, they're going to be treated like applications. I expect further isolation to continue.

-Hate to say it, but frames and iFrames are not the future. I expect they'll be phased out. Neither of them was ever very secure anyway.
0 Votes
+ -
Good Post(nt)
Real World 26th Sep 2008
happy
0 Votes
+ -
Never liked frames anyway
djchandler 26th Sep 2008
And good post, CobraA1.
0 Votes
+ -
iFrames are from the devil anyway
Chad_z 26th Sep 2008
I never did like iFrames but not as bad as I dislike ActiveX. If you're an Ubuntu user there have been Firefox critical updates coming fast and furious the last couple days.
0 Votes
+ -
Firefox updates
fatman65535 Updated - 26th Sep 2008
I am a windoze user, and I have updated to 3.0.2.

I wholeheartedly agree about Active-X.
As of Sept. 26th, Firefox 3.0.3 is the latest version; be sure to check for updates frequently.
0 Votes
+ -
RE: Firefox NoScript vs Clickjacking
vilppuu@... 26th Sep 2008
This kind of bothers me because I suspect that the "invisible layer" can be put there without JS at all: just use CSS and set it up, put it all in white against a white background, and no one can "see" anything unless they view the page source. Simple and malicious.
This seems like a reversal of the technique of stealing images from one site for use on another one by listing the URL of the stolen image instead of a local image.
If CSS and JS go out the window... what's that new thing called????? Umm, oh yeah, Web 2.0 might not be so keen after all.
0 Votes
+ -
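The "invisible layer" described above is exactly what a ClearClick-style check (the NoScript feature mentioned later in this thread) looks for. The following is an added, simplified example of that overlay heuristic, not NoScript's own code; the element snapshot, ids, tag lists and the 0.1 opacity threshold are constructed assumptions standing in for what a DOM walker would read from getBoundingClientRect() and getComputedStyle().

```javascript
// Simplified ClearClick-style heuristic (added example, not NoScript's code):
// flag frames that are effectively invisible, can still receive clicks, and
// sit on top of a visible clickable element. Stacking is reduced to z-index,
// which ignores stacking contexts; real checks render and compare pixels.

const FRAME_TAGS = new Set(["iframe", "frame", "object", "embed"]);
const CLICK_TAGS = new Set(["a", "button", "input", "select", "label"]);
const OPACITY_THRESHOLD = 0.1; // below this the user cannot see what they click

// Effective opacity is the product of the element's own opacity and its ancestors'.
function effectiveOpacity(el, byId) {
  let op = 1;
  for (let cur = el; cur; cur = cur.parent ? byId.get(cur.parent) : null) {
    const v = parseFloat(cur.style.opacity ?? "1");
    op *= Number.isNaN(v) ? 1 : v;
  }
  return op;
}

function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function zIndex(el) {
  const z = parseInt(el.style.zIndex ?? "0", 10);
  return Number.isNaN(z) ? 0 : z;
}

// One finding per (frame, target) pair that matches the heuristic.
function findSuspiciousOverlays(elements) {
  const byId = new Map(elements.map((e) => [e.id, e]));
  const findings = [];
  for (const frame of elements) {
    if (!FRAME_TAGS.has(frame.tag)) continue;
    if (frame.style.pointerEvents === "none") continue; // cannot receive the click
    const op = effectiveOpacity(frame, byId);
    if (op >= OPACITY_THRESHOLD) continue; // visible frame, user sees what they click
    for (const target of elements) {
      if (!CLICK_TAGS.has(target.tag)) continue;
      if (effectiveOpacity(target, byId) < OPACITY_THRESHOLD) continue; // not a decoy
      if (zIndex(frame) < zIndex(target)) continue; // decoy is on top, frame is not hit
      if (!rectsOverlap(frame.rect, target.rect)) continue;
      findings.push({ frame: frame.id, target: target.id, opacity: op });
    }
  }
  return findings;
}

// Constructed sample page: a visible decoy button with a near-transparent
// frame (opacity inherited from its wrapper) stacked over it, plus two
// harmless frames: a visible ad and a transparent one that ignores clicks.
const SAMPLE_PAGE = [
  { id: "decoy", tag: "button", parent: null, style: {}, rect: { x: 100, y: 100, w: 200, h: 40 } },
  { id: "wrap", tag: "div", parent: null, style: { opacity: "0.02" }, rect: { x: 0, y: 0, w: 800, h: 600 } },
  { id: "hijack", tag: "iframe", parent: "wrap", style: { zIndex: "999" }, rect: { x: 90, y: 90, w: 400, h: 300 } },
  { id: "ad", tag: "iframe", parent: null, style: {}, rect: { x: 500, y: 0, w: 300, h: 250 } },
  { id: "inert", tag: "iframe", parent: null, style: { opacity: "0", pointerEvents: "none", zIndex: "5" }, rect: { x: 100, y: 100, w: 50, h: 50 } },
];
```

Running `findSuspiciousOverlays(SAMPLE_PAGE)` reports only the `hijack` frame over the `decoy` button; the visible ad and the click-through frame are not flagged.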
Active content
w_c_mead 26th Sep 2008
Hasn't it become crystal clear that all "Active Content" is a gaping security hole that hackers love to exploit?

I think there needs to be a concerted effort to standardize and reduce the size of the active content sandbox. Or else eliminate active content completely?
0 Votes
+ -
Thanks for the post
djchandler 26th Sep 2008
And thanks for NoScript, Giorgio.

But I still think I'll get in my sandbox just to be safer.
0 Votes
+ -
I love NoScript
Qix77 26th Sep 2008
I've been using it for... wow.. I don't know how long. Been a year or so I think. Anyways, it has really protected me from a lot of crap in the cloud.

Nevertheless, using the no-frame option will be a hassle... wise, but still.

I will never ever understand why anyone could be such a low-life to create virus, vondue, smitfraud, etc... and now clickjacking. It's cyber-terrorism...
0 Votes
+ -
Why not RemoveAdmin?
JCitizen Updated - 26th Sep 2008
We've been in communication with the author of this seemingly handy utility, over at TechRepublic, and it seems very straight-forward:

Remove administrative privileges from Internet Explorer. He claims this trumps iFrame, Java and ActiveX exploits; think it's possible?

I haven't tried it yet but I'm going to.
0 Votes
+ -
Ditto
thx-1138_@... 26th Sep 2008
...but as well as that - and just to err on the side of caution (because let's face it, when it really gets down to it, i *flat* don't trust a soul on the BBI), i'm going to forbid the iFrames option as well.

Call me old fashioned, but the only web pages i ever liked were plain, zero-active content, HTML pages.

Anyways, hopefully the two counter-measures combined will go a long ways toward nullifying the latest wave of exploits (i.e. the likes of clickjack).

Sincerely.

(n.b. BBI = big, bad internet)
0 Votes
+ -
Mostly agree
notsofast 27th Sep 2008
I can't say I dislike all active content, but I could live without most of it. I still hate flash, though I've finally installed it on Firefox (with an addon that blocks all flash by default).


Time for me to call my parents and get them to install noscript.
0 Votes
+ -
network functionality; so I have to brave the minefields. It has been interesting to fight the malware on my lab honey pot though!
0 Votes
+ -
Can somebody give me a reality check here? How serious is this? I live in Kansas and several times a year the tornado sirens go off and we gather our valuables and head to the basement. I turn on the tv and/or radio, light a few candles in case the power goes off and wait for the ok to go back upstairs.

I've lived here my entire life and I've never seen a tornado. I'm 46 years old. I've been "surfing" the net since the early 90's and I've never had a virus on any computer I've ever owned be it Mac or Windows based.

I guess if I wanted to see a tornado I could hang out with some storm chasers or if I wanted to get "clickjacked" I guess I should visit porn sites. Am I way off base here?
0 Votes
+ -
Check
seanferd 27th Sep 2008
Most malware is now served by legitimate websites that have been hijacked. With clickjacking, it would seem that serving the exploit on a hijacked legitimate "normal" website would be the best way for criminals to reach the largest number of potential clicks. I say "normal" in this case to refer to mainstream sites, not porn or warez sites, or other darker corners of the internet.

So, I suppose, look out, especially if this exploit turns up "in the wild". That is, if it is actually being used by criminals on the internet.

Your mileage may vary, but I, like you, have had very little experience with my machine becoming infected. The infections I have had to deal with, on a variety of computers used by different people, have never come from an obviously bad site, or a porn site or something similar.
0 Votes
+ -
Seanferd's right..
JCitizen 9th Oct 2008
and you don't even have to click on anything, sometimes. A buddy of mine was hammered by an ad displaying on a legitimate website.

I got hammered by just clicking a link on Google, the webpage didn't even have a chance to load completely. That is what I get for ignoring Site Advisor's question mark! Fortunately my in-depth defense saved me.
0 Votes
+ -
A big threat?
kiapiz Updated - 27th Sep 2008
In my view Clickjacking is just another creative Social Engineering technique. Well done for the creativity. In the last 5 years there were a few other creative techniques like opening the Yes/No dialog with Yes/Yes options.

It is by far not as serious as the recent DNS vuln.; that was really scary. To have a real impact with real damage, clickjacking will need to work very hard to get something. Positioning two frames in an exact location can be changed by screen resolution and many other parameters.

There is a weakness in the UI of browsers, but it's still not as bad as others claim.
0 Votes
+ -
We still don't have enough detail.
kraterz 28th Sep 2008
Till today this looks like fear mongering. We still don't have enough detail about this alleged hack.
0 Votes
+ -
All you need to know.
mikefarinha 8th Oct 2008
All you need to know is that, indeed, it is really freaking scary!!!!

Head for the hills!
0 Votes
+ -
Good link....
JCitizen 9th Oct 2008
I really wonder if anyone really knows if Silverlight has any known vulnerabilities yet, as the article claims?
0 Votes
+ -
Clickjacking
RayG314 2nd Oct 2008
Would something like SandboxIE provide something of a short-term solution, that is until the browser vendors came up with a solution?

And by some accounts, doesn't clickjacking depend on the naivety/complicity of the end-user? So would even more user warning/information be of value?
0 Votes
+ -
Hmm...does it work now?
kcredden2 8th Oct 2008
I just went to the demo site, and under FF 3.03 it didn't work. However, under IE 6.0 Avast gave me a virus alert:

Other:Malware-gen
Virus/Worm
081008-0, 10/08/2008

I have
Noscript, Adblock Filterset.G Updater 0.3.1.3
Adblock Plus .7.5.5
Adblock plus filter uploader 1.5+
adblock plus: element hiding helper 1.05
Noscript 1.8.2.1

all installed on Firefox. I wonder then, will this work to stop this? Please send this to whomever it'll help out.

- Kc
0 Votes
+ -
I did that too with no problems...
JCitizen Updated - 9th Oct 2008
but I didn't have all your Adblock filter sets; I need the element hiding helper 1.05 (Thank you very much!). I don't even use Noscript nor disable Java. The vector didn't work; nothing happened on my side.

I have:

CheckPoint Safe@Office 500W w/version 7 firmware gateway/firewall

Comodo Firewall Pro, with Defense + activated

SpywareBlaster - with autoupdate configured to update even when I'm a restricted user.

Spybot Search & Destroy with Tea Timer and Immunizer activated

AdAware with AdWatch activated

NOD32, in case none of those work

Site Advisor keeps me out of trouble sometimes but of course we know legitimate sites are being hit too. All this on an XP Pro system with SP3 plus hotfixes.
0 Votes
+ -
Latest version of NoScript supports "clearclick" protection
D. W. Bierbaum Updated - 8th Oct 2008
Latest version of NoScript claims to have full clickjacking prevention on versions of the gecko engine back to 1.8.1
0 Votes
+ -
There has been much written about subscription software and cloud computing in the past year. We are being bombarded by claims that the only app you would need on a computer is a web browser. We would store our files in a cloud and use online apps like those being offered by Google. Would not an increased reliance on web-based features open up the end-user's computer to even more threats? How secure would be The Cloud? How easy would it be to clickjack a user's Cloud account?

This threat shows the need to reduce dependency on the Internet, not increase it. More services are being offered online. Google Apps comes to mind. gOS Linux makes it easier to use them, and that extends the risks. Linux and Mac are becoming just as dangerous as Windows due to browser dangers. Clickjacking is just the latest. They will grow as the push to more online features and applications grows.

It is trite but true. The only secure computer is one that is isolated from the Internet. Reduce exposure. Shut off the modem. Do you really need to be online 24/7?

Paul
0 Votes
+ -
Do you really need to be online 24/7?

No!

But I can't just 'shut off the modem'. Other people use the iNet here.

So I have a switch on the RJ45 cable.

And I tell the wireless users to turn off the wireless switch. Those who don't have the switch I tell to use the STOP all traffic option in the firewall.
0 Votes
+ -
Online 24/7 - No!
jr6408 8th Oct 2008
24/7 unattended, and sometimes attended, is hacker play time. In the past I have disconnected the cable from the back of the computer or the router; I'm too cheap to buy a switch.

Firewall stoppers are a good idea, I use Trend Micro and they have a 'disconnect from internet' feature. Maybe there are others that have a similar feature.

jr6408
0 Votes
+ -
For reals??? The maker of NoScript published this info weeks ago. Check out my blog here:

http://crogon.blogspot.com
0 Votes
+ -
RE: Firefox NoScript vs Clickjacking
bruceslog 12th Oct 2008
I wish I had counted how many times (in the last few years) have I read about a new exploit, and been told that, for now, the best defense is to use Firefox with add on 'xyz' to protect my computer and all... ?

Makes me wonder why anyone is NOT using Firefox with its numerous defensive add-ons to begin with.
0 Votes
+ -
On the NoScript plugin
gene_fitz@... 30th Oct 2008
I have been using NoScript on Mozilla since I first started using it, and it has been very good about updating regularly. It allows me to see what scripts are on the page, and lets me choose whether to accept the script, or whether to block certain scripts or even all scripts.
It can be a pain with new sites, telling the browser what to accept and what not to, but overall, it has blocked just about every clickjacking attempt, every window fade, and every pop-up from the sites that I visit often, and rarely.
There is no such thing as a "foolproof" system, because as soon as a block is built, someone else comes up with a way to bypass it, but for the most part, it does its job.
On another note, often, probably at least once a week, NoScript updates itself, so it seems that it keeps itself pretty current on newer scripts and dangers.
It isn't perfect, but it is the best I have found so far.
0 Votes
+ -
Fantastic news about the new release.I positively enjoying each little bit of it and I have you b o o k m a r k e d to check out new stuff you weblog post.Im not sure i come to an agreement with you on every level, howevor it absolutely was a good posting, many thanks for taking the time to put up your ideas
0 Votes
+ -
Its good release and thanks to this site for posting this article.I always like each coverage posted by this site,I ppreciate this site because of having good detail about the topic.
car values
0 Votes
+ -