
Clickjacking: What It Is And How To Protect Yourself

I first read about this last year in the ZD Net Zero Day blog. At that time, there wasn't much data to go on. But the article provided a good definition of clickjacking:

"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch."

Well, that sounds scary enough. All kinds of funky things can happen when you visit a malicious site, or a site infected with malware. I'm glad that I use McAfee SiteAdvisor to help me avoid malicious web sites. It's not bullet-proof, but I'll take all the protection I can get.

Recently, I saw this "Does Your Browser Prevent Clickjacking?" article at the Internet News site:

"One of the features in the IE 8 Release Candidate 1 includes technology that is supposed to help prevent Clickjacking. The claim has one of the principal discoverers of Clickjacking raising some questions over the problem and how to prevent it with browsers. Although Clickjacking attacks have not yet been widely reported..."

How the anti-clickjacking feature in IE8 is supposed to work:

"The core of IE 8's Clickjacking protection focuses on enabling Web developers to specify and restrict which content on their site can't be broken out and framed by another site. It's a technique known as frame-busting and can also be implemented by developers using JavaScript code on their sites that restricts frame usage. The IE 8 approach is a different method for frame busting."

I really don't want to know how it works. I just want an effective fix. Geez. Seems like every week there's a new "feature" on the Internet.
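
The header-based approach the quoted article describes shipped in IE 8 as the `X-Frame-Options` response header, later joined by the Content-Security-Policy `frame-ancestors` directive. As an added example (not from this post or the quoted articles), the JavaScript function below evaluates a response's headers the way a browser would to decide whether another site may frame the page; the origins and sample headers are constructed, and only `'none'`, `'self'`, `*` and exact origins are modelled.

```javascript
// Added example: decides whether a response's headers let a given origin frame the page.
// Handles X-Frame-Options (DENY, SAMEORIGIN) and CSP frame-ancestors with
// 'none', 'self', '*' and exact origins only; wildcard hosts are not modelled.

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function framingAllowed(headers, pageOrigin, framerOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    return sources.some((s) => {
      if (s === "'none'") return false;
      if (s === "'self'") return framerOrigin === pageOrigin;
      return s === '*' || s === framerOrigin;
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no usable directive: any site may frame the page
}

// Constructed sample responses for a hypothetical site.
const site = 'https://bank.example';
const other = 'https://other.example';
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  deny: { 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'sameorigin' },
  cspWins: { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': `default-src 'self'; frame-ancestors ${other}` },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, 'framable by other site:', framingAllowed(hdrs, site, other));
}
```

A response with neither header is framable by any site, which is the condition a site owner would want to detect and correct.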

Comments


Bill G

Phishing and Malware Protection is built in and automatically turned on in Firefox 3.0 or later.
http://www.mozilla.com/en-US/firefox/phishing-protection/

For clickjacking, use the free Firefox plugin NoScript as a defense.
http://www.planetmysql.org/entry.php?id=17502
http://blogs.zdnet.com/security/?p=1973

George

Bill:

Thanks for the information about Firefox. I upgraded to 3.0 last week.

George
Editor
http://ivebeenmugged.typepad.com
