Flaw discovered: Browsers open to attack
By Liam Tung
Published: 29 January 2009 09:07 GMT
Security researchers have discovered a flaw affecting Google's Chrome browser which exposes it to clickjacking - where an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice.
Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.
Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.
The best of silicon.com photos
1. Photos: Second Life gets down to business
2. Photos: Taking the wraps off Windows 7
3. Photos: Honda kick starts motorcycle safety tech
4. Minority Report: 10 Apple patents to watch
5. Photos: Cops use tech to point the finger of suspicion
In the disclosure Sood said: "Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page."
While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.
"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardised long-term mitigation approach," the spokesperson said.
However, independent security researcher, CEO of Australian security consultancy Novologica, Nishad Herath, told silicon.com sister site ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.
Google's security researchers had not found any attacks in the wild which exploited the specific vulnerability, said Google's spokesperson.
Clickjacking is a relatively new browser attack. The attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing.
Original article: Chrome, Firefox get clickjacked from ZDNet Australia
Principal areas: Work with Senior Management within Group IS services to formulate: 3-5 year strategic plan and framework to achieve this Drive the ...
Field service engineer will strong hardware break fix repair experience across epos, retail products, desktop and file server. The role is paying ...
Duties include on boarding, connectivity, support and monitoring Order execution system, Monitor for trade problems and initiate follow-up actions, ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Tim Ferguson Exclusive: Former MySQL boss Marten Mickos talks open source Why Microsoft could become one of the "biggest friends of open source" and why Oracle getting its hands on MySQL could be "one of the biggest open source coups ever"...
Naked CIO Naked CIO: Cloud computing more expensive than we thought? Smart IT leaders will examine the impact of how they pay for tech