Firefox extension blocks dangerous Web attack
A popular free security tool for the Firefox browser has been upgraded to block one of the most dangerous and troubling security problems facing the Web today.
NoScript is a small application that integrates into Firefox. It blocks scripts in programming languages such as JavaScript and Java from executing on untrusted Web pages. The scripts could be used to launch an attack on a PC.
The latest release of NoScript, version 1.8.2.1, will stop so-called "clickjacking," where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program.
Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person's privacy or, even worse, steal money from a bank account.
Unfortunately, clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages, Maone said. Nearly all Web browsers are vulnerable to a clickjacking attack.
"It's a very hard thing to fix because it's part of the very fabric of the Web and the browser," Maone said.
The embedded content can be invisible, but a person can still unknowingly interact with it. A clickjacking attack takes advantage of that by tricking a user into clicking on a button that appears to do some function but actually does something entirely different.
Clickjacking can also be accomplished by manipulating the plug-ins of other applications, such as Adobe's Flash program and Microsoft's Silverlight. For example, researchers in recent days have shown it's possible for a clickjacking attack to turn on a person's Web camera and microphone without their knowledge.
In an advisory on Tuesday, Adobe said it will issue a patch for Flash by the end of the month.
The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning message asking the user if they still want to click on it.
Maone said ClearClick will likely stop all clickjacking attempts. NoScript is only for the Firefox browser, so users of Microsoft's Internet Explorer -- the most-used browser in the world -- are vulnerable.
Web site owners, however, can take one step to prevent their users from falling victim, Maone said. Programmers can use a script on their Web sites that checks to see if a Web page is embedded in another page. If so, the script forces the good Web page in front, preventing clickjacking, Maone said.
The technique is called "framebusting." eBay's online payments service, PayPal, which is frequently targeted by cybercriminals, has already implemented framebusting, Maone said. NoScript will allow a framebusting script to run, Maone said.
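As an added illustration of the framebusting script the article describes (this is not NoScript's, PayPal's or Maone's code), the function below compares the page's own window with the top-level window and, when they differ, navigates the top-level window to the page's own URL so the genuine page replaces the framing page. The window object is passed in as a parameter, and the `makeWindow` stand-in is constructed here purely so the logic can be exercised outside a browser; the page is assumed to ship with `<body style="display:none">` so that content stays hidden unless the check passes.

```javascript
// Framebusting check (added example). Returns what the page did so the
// outcome can be inspected: "shown", "busted" or "hidden".
function isFramed(win) {
  // A page loaded directly has win.top === win.self; inside an <iframe>
  // the top-level browsing context is a different window object.
  return win.top !== win.self;
}

function framebust(win) {
  if (!isFramed(win)) {
    // Not embedded: reveal the page. Because the body starts hidden, a
    // framing page that suppresses this script still gets nothing clickable.
    win.document.body.style.display = "block";
    return "shown";
  }
  try {
    // Embedded: force the good page in front by navigating the top-level
    // window to this page's own URL. Browsers let a frame assign
    // top.location across origins (navigation) even though reading it is
    // blocked, so this only writes and never reads top.location.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    // If the navigation is refused, leave the content hidden so there is
    // nothing underneath for an invisible overlay to capture.
    return "hidden";
  }
}

// Constructed stand-in for a browser window, used only to run this outside
// a browser. `framed` simulates being inside an <iframe>; `topThrows`
// simulates a top window that refuses the navigation.
function makeWindow(framed, topThrows) {
  const self = { location: { href: "https://example.test/pay" } };
  const body = { style: { display: "none" } };
  const top = framed
    ? { set location(url) {
          if (topThrows) throw new Error("navigation refused");
          this.navigatedTo = url; // record where the top window was sent
        } }
    : self;
  return { self, top, document: { body } };
}

// In a real page this single call is all that is needed.
if (typeof window !== "undefined") framebust(window);
```

Script-based busting only helps when the page's own script actually runs in the framing context, which is why the article notes that NoScript deliberately lets such scripts through.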
"The best thing that can happen is that Web site owners start to think more carefully about security," Maone said. "It is important that Web site owners spread the word that they should implement framebusting."
Clickjacking is a serious, potentially long-term problem for browser developers. Since the attack is enabled by a feature within HTML, it demands changes to the HTML specification.
Web standards groups are currently working on HTML 5, a specification that will incorporate new features into the programming language to accommodate future Web design. But the standards process moves slowly, and changes to HTML could break existing Web pages, Maone said.
"For the user, I'm afraid there's no fix but NoScript for the time being," he said.