Wednesday, October 08, 2008

Security Risk - Clickjacking

Clickjacking is a nasty security risk: it is invisible to you as the user, easy to set up, and difficult to stop.

What is Clickjacking? This threat was brought to the public's attention in late September 2008. According to researchers Robert Hansen and Jeremiah Grossman, clickjacking happens when you click on what appears to be a valid link and your browser is instead directed to a malicious Web site.

How does this happen? First, a hacker breaks into and compromises a legitimate site. The hacker then loads external, malicious content into the page, makes it invisible, and lays it over the normal page as a "transparent" cover. When you click on the normal page, you are in fact clicking on the externally loaded page, and whatever loads next is whatever the hacker wants. For example, it could install malware such as a rogue anti-spyware program.

In another clickjacking scenario, the page may not need to have the transparent overlay. Instead, the good page may have been hacked to contain JavaScript code that makes the invisible target constantly follow the mouse pointer, intercepting your first click wherever it may be.
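Both tricks above depend on the target page being loadable inside another site's frame, so the defence on the site operator's side is to refuse framing. As an added example, not from the original post or from Adobe's advisory, here is a small JavaScript helper that classifies what a response's headers allow (using the real X-Frame-Options and Content-Security-Policy frame-ancestors directives) alongside the older client-side frame-busting check; the header sets and window objects it is exercised with are constructed for illustration.

```javascript
// Added example (not from the original post): defender-side checks against the
// invisible-frame overlay described above. The header names and directives are
// the real X-Frame-Options / CSP frame-ancestors; sample inputs are constructed.

function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // Browsers that understand frame-ancestors give it precedence over
  // X-Frame-Options, so it is evaluated first.
  const csp = h['content-security-policy'];
  if (csp) {
    const m = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
    if (m) {
      const sources = m[1].trim().toLowerCase();
      if (sources === "'none'") return 'blocked';
      if (sources === "'self'") return 'same-origin';
      return 'allowlist: ' + sources;
    }
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is deprecated and ignored by current browsers, so a page
  // relying on it, or sending nothing, can be framed by any site.
  return 'unprotected';
}

// Legacy client-side frame-busting: is this document embedded by a different
// origin? `win` is passed in so the logic can be tested outside a browser;
// in a real page you would call shouldBreakOut(window).
function shouldBreakOut(win) {
  if (win.top === win.self) return false; // not framed at all
  try {
    // Reading top.location throws across origins; same-origin framing is fine.
    return win.top.location.origin !== win.location.origin;
  } catch (e) {
    return true; // cross-origin parent we cannot inspect: treat as hostile
  }
}

// In a page: if (shouldBreakOut(window)) window.top.location = window.self.location;
// Response headers are the robust control; script-based busting is a fallback only.
```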

On Oct 7, 2008, Adobe released a security advisory titled "Flash Player workaround available for 'Clickjacking' issue". The advisory states:

SUMMARY
Adobe is aware of recently published reports of a 'Clickjacking' issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. It has been determined that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe is working to address this issue in an upcoming update to Flash Player.

SOLUTION
Customers:
To prevent this potential issue, customers can change their Flash Player settings as follows:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the "Always deny" button.
  3. Select 'Confirm' in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting.

    Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL:
    http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

Action Required: Ag IT recommends that you follow the Adobe steps to mitigate the effects of clickjacking.

Note: If you use Adobe Connect (Breeze) for meetings or trainings, you will need to allow these sites access to Flash Player as mentioned in Step 4.

For detailed steps on how to do this, you can use our How To Allow "Camera and Microphone Access" in Adobe Connect (Breeze) steps.
