ambassador at fourthworld.com
Thu Oct 9 11:57:13 CDT 2008
Maybe this is only semi-OT, since RunRev has announced plans to deliver
a browser plugin:
Web Surfers Face Dangerous New Threat: 'Clickjacking'
Internet and Web browser security experts are sounding the alarm about a
new type of malicious attack called "clickjacking," a technique that can
be used to dupe Web surfers into revealing confidential information
while clicking on seemingly innocuous Web pages. Among other things, a
clickjacking attack can be used to take control of a computer's Webcam
and microphone without the knowledge of the user.
Clickjacking has been identified as a vulnerability for the Adobe Flash
player, as well as for every major browser, including Firefox, Internet
Explorer, Opera, Safari and even the newly released Google Chrome.
"It is a very serious problem," said Giorgio Maone, the author of a
widely praised free Firefox extension called NoScript, which blocks
potentially malicious scripts from running in the Firefox browser.
"Clickjacking is a very simple attack to build, and now that the details
are out, any script kid can try it successfully," Maone warned. "There's
no estimate to the number of trap sites, and it's unlikely that we will
see any credible report about the number of sites using this technique,
because there are literally infinite ways to implement such an attack,
therefore no signature-based scanning can detect it automatically."
Maone agreed. "This problem comes from features which are integral to
the modern Web as we know it," he said, "and especially from the ability
of Web pages to embed arbitrary content from different sites, or to host
little applications (applets) through plug-ins like Adobe Flash, Java or
Maone predicted that a general browser fix won't be developed any time
soon, since the real solution lies in developing a general consensus
about changing existing Web standards in the various Internet
Adobe's remedy is available here:
There are several implications with this:
1. People will become more wary of plugins
The risks of running compiled code within a browser will at
last be given appropriate attention. When running compiled
code, even as a plugin, the code can make use of any API
the OS provides, and there's no way to know what it's
doing. This is not new, but most lay people have been lulled
into a false sense of security under the misconception
that if it runs in a browser it's somehow restricted to the
browser's sandbox. This news corrects that misconception.
2. Plugin vendors will have to work harder to gain confidence
Deploying new web plugins has always been difficult in a world
where Flash is pre-installed, but these perceptual challenges
will increase given #1 above, requiring extra effort from the
vendor to convince an audience of the soundness of a plugin.
With this exploit occurring in the most popular plugin of all,
we can expect the perceptual challenges to affect new (in the
minds of users and IT staffers, read "untested") plugins
even more strongly.
3. Plugin APIs may become more onerous, and therefore expensive
This is pure conjecture on my part, but to the degree that
#1 has any traction we may find browser vendors responding
by attempting to provide safeguards within their APIs to try
to minimize such risks. It's hard to say what they might
come up with, but it seems unlikely they'll continue to keep
the plugin API as a sort of open-ended "wild west" of
possibilities, perhaps using Java's restrictions as a model.
Such restrictions, however necessary to regain user trust, may
limit capabilities and/or increase the development challenges
of making plugins.
I don't mean to rain on the plugin parade, but I do feel it's useful to
maintain a sober awareness of how the market may respond to this exposure.
Those anticipating plugin deployment within their own organizations will
likely see little difference in its acceptability. But those planning
public sites driven by a plugin for a more general audience may do well
to be prepared to address security concerns.
Managing Editor, revJournal
Rev tips, tutorials and more: http://www.revJournal.com
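The article above points at cross-site embedding as the root of clickjacking. The following is an added example, not code from the post or from RunRev, showing a defender's audit of whether a page's response headers permit such embedding; it assumes the X-Frame-Options header and the CSP frame-ancestors directive, both adopted by browsers after this 2008 post, and uses constructed origins.

```javascript
// Added example (not code from the original post): audit whether a response's
// headers let another site embed the page, which is the cross-site embedding
// that clickjacking relies on. Uses X-Frame-Options and the CSP frame-ancestors
// directive, both of which browsers adopted after this 2008 post.

// Simplified CSP host-source match: optional scheme, optional "*." wildcard host.
function matchSource(src, origin) {
  const url = new URL(origin);
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  const host = m ? m[2] : src;
  if (m && m[1].toLowerCase() !== url.protocol.slice(0, -1)) return false;
  if (host.startsWith('*.')) {
    return url.host.endsWith(host.slice(1)) && url.host !== host.slice(2);
  }
  return host === url.host;
}

// Returns true if a page served from pageOrigin with these headers may be framed
// by embedderOrigin. `headers` maps lower-cased header names to values.
function isFrameable(headers, embedderOrigin, pageOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim().toLowerCase())
    .find(s => s.startsWith('frame-ancestors'));
  if (directive) {
    // When both are present, frame-ancestors wins over X-Frame-Options.
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some(src => src === '*'
      || (src === "'self'" ? embedderOrigin === pageOrigin : matchSource(src, embedderOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no framing policy at all: any site may embed the page
}

// Headers a page should send when it must never be framed, or only by listed origins.
function framingDefenseHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'none'" };
  }
  return { 'x-frame-options': 'SAMEORIGIN',
           'content-security-policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}` };
}

// Constructed sample: a login page with no policy, then with the defensive headers.
const attacker = 'https://trap.example', bank = 'https://bank.example';
console.log(isFrameable({}, attacker, bank));                      // true
console.log(isFrameable(framingDefenseHeaders(), attacker, bank)); // false
```

Run the audit over the headers of any page that handles logins or account actions; a `true` result with no policy means the page can be embedded and overlaid by any site.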