IE8 has Zero Impact on ClickJacking, Experts Say
The security researcher who recently discovered an especially sneaky way of spreading spyware online says Internet Explorer 8 will have "zero impact" on the problem. It comes as attacks using the 'clickjacking' technique spread to other browsers.
'Clickjacking' lures users into clicking on a button that at first appears legitimate but actually does something altogether nasty. The usual way of doing this is to hijack a legitimate web page and use frames to overlay it with a transparent web page. This means victims are actually clicking on a button they can't see, which will usually 'authorize' the site to install rogue software.
While this is the most common method, clickjacking (or Cross Site Reference Forgery, as it's sometimes called) is simply any attack where clicking on a button or link from one site actually sends a request to a rival site. This means there are a variety of tactics, making it much harder to prevent. Also, as it exploits vulnerabilities in particular browsers, there isn't a one-size-fits-all solution.
Microsoft's Battle with ClickJacking
Microsoft has developed a technique in Internet Explorer 8 (which is now available in its final testing edition) to combat a common form of clickjacking where the transparent. Website owners can now insert a special tag in the coding of their page to say that they do not want to allow frames. If Internet Explorer 8 sees this tag, it will know any attempt to use frames is likely clickjacking and will block it.
Unfortunately, there are some major limitations to this system. It will only work if website designers use the code, and many webmasters may not bother until Internet Explorer 8 is more popular. It's also of little use to websites which want to use frames legitimately, such as the preview page on Google's image search. And the feature isn't even switched on by default in the browser, meaning many casual users may never benefit.
Security researcher Robert Hansen, who was one of the first to warn of clickjacking, says the solution does help but won't make any serious impact at the moment, and he questions why Microsoft introduced the feature: "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking." (Source: computerworld.com)
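The opt-out described in this section shipped in Internet Explorer 8 as the `X-Frame-Options` HTTP response header. As an added example (not from the article or from Microsoft), the Python below audits response headers for that header and for its later successor, the CSP `frame-ancestors` directive, which lets a site permit framing by named origins only; the paths, header values and `partner.example` are constructed assumptions.

```python
# Added example: classify a response's anti-framing policy from its headers.
# All paths and header values in SAMPLES are constructed for illustration.

def framing_policy(headers):
    """Return (verdict, reason); verdict is 'deny', 'same-origin',
    'allowlist' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors supersedes X-Frame-Options in current browsers.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:
                return "deny", "frame-ancestors 'none'"
            if "*" in sources:
                return "unprotected", "frame-ancestors allows any origin"
            if sources == ["'self'"]:
                return "same-origin", "frame-ancestors 'self'"
            return "allowlist", "frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value; current browsers ignore it, so the page is framable.
        return "unprotected", "X-Frame-Options: ALLOW-FROM is obsolete"
    if xfo:
        return "unprotected", "unrecognised X-Frame-Options value"
    return "unprotected", "no framing header sent"

SAMPLES = {
    "/login": {"X-Frame-Options": "DENY"},
    "/account": {"x-frame-options": "sameorigin"},
    "/widget": {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors https://partner.example"},
    "/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/news": {"Content-Type": "text/html"},
}

def audit(samples):
    """Map each path to its verdict so unprotected pages stand out."""
    return {path: framing_policy(hdrs)[0] for path, hdrs in samples.items()}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, *framing_policy(hdrs))
```

The `allowlist` verdict covers the legitimate-framing case raised above: a page can be embedded by named partners while remaining blocked everywhere else.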
All Web Browsers Are Vulnerable
Clickjacking is not a problem exclusive to Microsoft, however. Just this week there's been proof that, in principle at least, it's possible to launch clickjacking attacks on users running rival browsers such as Mozilla's Firefox and Google's Chrome. (Source: Internetnews.com)
So what should you do to prevent clickjacking? If you are using Internet Explorer 8, do switch the new feature on, as it will do some good. If you are using a rival browser, look for add-ons such as NoScript which limit such attacks.
And while you should never be complacent about security, don't worry too much: The technique only works with sites which have been hacked and is much harder to exploit in practice than in theory.