Author Topic: Clickjacking  (Read 3510 times)


Offline Digerati

  • Microsoft MVP
  • Silver Member
  • Posts: 632
  • Post-Quinquagenarian
Clickjacking
« on: October 23, 2008, 08:39:36 am »


Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2015

Offline AlphaCentauri

  • Anti - Phishing Staff
  • Bronze Member
  • Posts: 201
Re: Clickjacking
« Reply #1 on: October 27, 2008, 03:53:24 pm »
So I'm not sure what the conclusion is. Does Noscript block the exploit, or only some manifestations of it?

Offline Digerati

Re: Clickjacking
« Reply #2 on: October 27, 2008, 09:13:49 pm »
Quote
So I'm not sure what the conclusion is
I am not sure anyone does yet.

http://blogs.techrepublic.com.com/networking/?p=700

Offline Corrine

  • Microsoft® MVP
  • Malware Removal Staff
  • Silver Member
  • Posts: 1106
  • The Mystical Rose
    • Security Garden
Re: Clickjacking
« Reply #3 on: November 04, 2008, 05:06:03 pm »
Yes, NoScript release 1.8.2 (07Oct08) includes "ClearClick" which disables user interaction with partially obstructed or not clearly visible embedded objects.  ClearClick is enabled by default on untrusted pages.  You can also configure it to work on trusted pages as well (NoScript Options|Plugins). 

(The first reply at http://ha.ckers.org/blog/20081007/clickjacking-details/ was Giorgio Maone, the developer of NoScript.)

Other information/links in my blog post:  Hello ClearClick, Goodbye Clickjacking!

(Note:  the current version of NoScript, with ClearClick, is V. 1.8.3.6.) 
  

Security Garden
"A day without laughter is a day wasted."
"May the wind sing to you and the sun rise in your heart"

Offline Digerati

Re: Clickjacking
« Reply #4 on: November 04, 2008, 06:05:21 pm »
Sweet! Thanks Corrine.

Offline Corrine

Re: Clickjacking
« Reply #5 on: November 04, 2008, 06:23:27 pm »
You're welcome! 

BTW, it should be noted that people who updated Flash to version 9 thinking that protected them against the Flash vulnerability to clickjacking need to do yet another update to version 10.  The version 9 update only helped prevent a clickjacking attack on a Flash Player user’s camera and microphone.  Adobe Flash Player version 10.0.12.36 was released October 15, 2008, and is identified in Issue 2C at http://ha.ckers.org/blog/20081007/clickjacking-details/ as being "fixed". 

Anyone who uses more than one browser (i.e., IE and Firefox) needs to update Flash for both browsers.
http://www.adobe.com/shockwave/download/alternates/

Check the current Flash version installed on your browser at http://www.adobe.com/products/flash/about/

(Just watch out for any pre-checked extras such as 3rd party toolbars during installation.)

To configure Flash Player settings, see the instructions for the on-line manager at (sorry, another blog post): http://securitygarden.blogspot.com/2008/10/cyber-security-awareness-tip-of-day_19.html
  
