
noscript fights clickjacks


davidh
September 29th, 2008, 03:54 PM
27 09 2008
Clickjacking and NoScript
Posted by: Giorgio in Flash, Mozilla, Security, NoScript
...

[…] the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

That’s true because attacking from an untrusted page not allowed to run JavaScript is highly impractical, but also because NoScript by default prevents Java, Silverlight and especially Flash content, which seem so far the most dangerous clickjacking targets, from being embedded on non-whitelisted pages.

But what about that damned 0.01%? That’s given by framed documents, most notably IFRAMEs. For a live and benign example of what you can do with IFRAME-based clickjacking, look at NoScript’s “install now!” widget, which gets dynamically overlaid by the addons.mozilla.org install page: they’re positioned so that if you click on the orange button you automatically install from AMO, skipping the security notification bar you would get on any other site. This “clickjacking” of mine has been there for a long time (since AMO V3, IIRC), and it heavily relies on JavaScript.

But even if an IFRAME-based attack was carefully crafted to work without JavaScript, NoScript would still provide effective protection, scoring a perfect 100% by RSnake’s standards. You just need to enable the Plugins|Forbid <IFRAME> option, and cross-site IFRAMEs will be blocked by default on untrusted pages: they will need a confirmation to be activated, therefore “blind clicks” become impossible. Zone 365 and Hardware Forums created a short video tutorial about this setting. ...
http://hackademix.net/2008/09/27/clickjacking-and-noscript/ DH

davidh
September 29th, 2008, 04:02 PM
September 25th, 2008
Clickjacking: Researchers raise alert for scary new cross-browser exploit

Posted by Ryan Naraine @ 7:50 am

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.
http://blogs.zdnet.com/security/?p=1972

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

DH

davidh
October 11th, 2008, 06:56 AM
7 - ClickClear and Clickjacking
7.1
Q: How does NoScript protect me from Clickjacking and other UI-redressing attacks?
A: Default protections provided by NoScript, i.e. JavaScript and plugin blocking can prevent most clickjacking attacks. To be 100% protected against clickjacking, though, you should enable also Forbid <IFRAME> and possibly Apply these restrictions to trusted sites as well.
While some users are comfortable with these ultra-hardened settings, they can get cumbersome for others. Fortunately, since version 1.8.2 NoScript provides a new default kind of protection called ClearClick, which defeats clickjacking no matter if you block frames or not. http://noscript.net/faq#clearclick
DH

ndebord
October 11th, 2008, 07:10 PM
DH


David,

I don't see anywhere in NoScript a setting for iFrame?

Is this a particular version of the program?

sidney
October 11th, 2008, 08:16 PM
I don't see anywhere in NoScript a setting for iFrame? Is this a particular version of the program?

Iframe blocking (http://noscript.net/faq#qa4_8) has been in NoScript for I think about a year, but there is a more recent (since version 1.8.2.1) setting specifically for clickjacking, called ClearClick (http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/).

-- sidney

davidh
October 11th, 2008, 09:12 PM
David,

I don't see anywhere in NoScript a setting for iFrame?

Is this a particular version of the program?

Blocking check box is on "plugins" tab of NoScript "options" (accessed by "S" icon in browser status bar).

DH

ndebord
October 12th, 2008, 07:16 PM
Blocking check box is on "plugins" tab of NoScript "options" (accessed by "S" icon in browser status bar).

DH

David,

Perhaps I have a different version of NoScript.

I see:

Block Java Applets

Block Flash

Block Plugins

davidh
October 12th, 2008, 08:43 PM
David,

Perhaps I have a different version of NoScript.

I see:

Block Java Applets

Block Flash

Block Plugins

My version is 1.8.2.8. I have Firefox set to check for updates to any extensions such as NoScript.

The author, Giorgio Maone, has been updating it very actively recently to cope with the clickjacking problem and to do such things as distinguish dangerous iframes from less dangerous iframes more adeptly. Two separate problems. NoScript has been handling iframes for a long time. "Clearclick" [sp?] is a NEW feature of NoScript esp. for the clickjacking problem.

Sidney posted a link to the web page NoScript overview of these problems in this thread somewhere.

I don't know whether and how much the major browser vendors are working on the recently acknowledged as serious clickjacking problem.

AFAIK, updates to browsers to handle clickjacking should NOT be expected to be released soon since it is not an easy problem to solve. Therefore, NoScript may be the main or only solution to the problem for now.

Apparently, when the bad guys learn well how to exploit clickjacking it will be a very dangerous and/or widespread type of very hard to manually detect exploit.

DH

davidh
October 16th, 2008, 10:39 AM
Adobe patch thwarts clickjacking attack

Flash, bang, wallop

By John Leyden

Posted in Enterprise Security, 16th October 2008 11:08 GMT

Adobe has published an update to its popular Flash Player software, addressing a much-publicised clickjacking flaw.

Clickjacking affects multiple applications (including browsers and media players) and creates a means for hackers to trick prospective marks into unknowingly clicking on a link or dialogue.
http://www.theregister.co.uk/2008/10/16/adobe_update_thwarts_clickjacking/
DH

P.S.
NoScript definitely can protect you against the running of undesired Flash content in your browser and thus lessen the urgency of patching Flash.

However, I don't know if FF with NoScript can protect against clickjacking exploits within the plugin (e.g. Flash) itself. Therefore I strongly recommend patching Flash or any other plugin.

Therefore either uninstall unused plugins or keep them up to date security-wise by scanning with Secunia PSI http://secunia.com.

davidh
January 29th, 2009, 06:38 PM
However, both Framekillers and IE8's mitigation approach require web developers to actively protect vulnerable pages by modifying their content or the way they are served. Therefore the NoScript add-on for Firefox still remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the web site authors.[7]

http://en.wikipedia.org/wiki/Clickjacking#Prevention DH
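
The server-side opt-in mentioned in the quoted passage ("the way they are served") can be audited from response headers. The sketch below is an added example, not part of the original posts: it assumes the `X-Frame-Options` header that IE8 introduced and its later successor, the CSP `frame-ancestors` directive, neither of which is named in the thread, and the sample header sets are constructed.

```javascript
// Added example (not from the thread): classify how a response restricts framing.
// `headers` uses lower-cased names, as Node's http module delivers them.
function framingPolicy(headers) {
  // X-Frame-Options: current browsers honour only DENY and SAMEORIGIN;
  // ALLOW-FROM and malformed values give no protection.
  const raw = String(headers['x-frame-options'] || '').trim().toUpperCase();
  const xfo = raw === 'DENY' || raw === 'SAMEORIGIN' ? raw : null;

  // Content-Security-Policy: the first frame-ancestors directive is the one used.
  let ancestors = null;
  const csp = String(headers['content-security-policy'] || '');
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      ancestors = sources.map((s) => s.toLowerCase());
      break;
    }
  }

  let verdict;
  if (ancestors !== null) {
    // Browsers that support frame-ancestors ignore X-Frame-Options when both are sent.
    const onlySelf = ancestors.length > 0 && ancestors.every((s) => s === "'self'");
    const anyOrigin = ancestors.some((s) => s === '*' || /^https?:$/.test(s));
    const none = ancestors.length === 0 || (ancestors.length === 1 && ancestors[0] === "'none'");
    if (none) verdict = 'blocked';
    else if (onlySelf) verdict = 'same-origin-only';
    else if (anyOrigin) verdict = 'frameable';
    else verdict = 'allowlist';
  } else if (xfo === 'DENY') verdict = 'blocked';
  else if (xfo === 'SAMEORIGIN') verdict = 'same-origin-only';
  else verdict = 'frameable';

  return { xfo, ancestors, verdict };
}

// Constructed sample responses (hypothetical header sets, not captured traffic).
const SAMPLES = {
  none: {},
  legacyDeny: { 'x-frame-options': 'deny' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspOverridesXfo: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors https://partner.example' },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(16), framingPolicy(headers).verdict);
}
```

A page that reports `frameable` still depends on client-side defences such as the NoScript settings discussed in this thread.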

davidh
May 23rd, 2009, 08:52 PM
Apparently Internet Explorer 8 and Google Chrome 2.0 have added some protection against clickjacking. I haven't tested either of them yet though.
DH