IE8 has Zero Impact on ClickJacking, Experts Say

The security researcher who recently discovered an especially sneaky way of spreading spyware online says Internet Explorer 8 will have "zero impact" on the problem. It comes as attacks using the 'clickjacking' technique spread to other browsers.

'Clickjacking' lures users into clicking on a button that at first appears legitimate but actually does something altogether nasty. The usual way of doing this is to hijack a legitimate web page and use frames to overlay it with a transparent web page. This means victims are actually clicking on a button they can't see, which will usually 'authorize' the site to install rogue software.

While this is the most common method, clickjacking (or Cross Site Reference Forgery, as it's sometimes called) is simply any attack where clicking on a button or link from one site actually sends a request to a rival site. This means there are a variety of tactics, making it much harder to prevent. Also, as it exploits vulnerabilities in particular browsers, there isn't a one-size-fits-all solution.

Microsoft's Battle with ClickJacking

Microsoft has developed a technique in Internet Explorer 8 (which is now available in its final testing edition) to combat a common form of clickjacking where the transparent. Website owners can now insert a special tag in the coding of their page to say that they do not want to allow frames. If Internet Explorer 8 sees this tag, it will know any attempt to use frames is likely clickjacking and will block it.

Unfortunately, there are some major limitations to this system. It will only work if website designers use the code, and many webmasters may not bother until Internet Explorer 8 is more popular. It's also of little use to websites which want to use frames legitimately, such as the preview page on Google's image search. And the feature isn't even switched on by default in the browser, meaning many casual users may never benefit.

Security researcher Robert Hansen, who was one of the first to warn of clickjacking, says the solution does help, but won't make any serious impact at the moment and questions why Microsoft introduced the feature: "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking." (Source: computerworld.com)

All Web Browsers Are Vulnerable

Clickjacking is not a problem exclusive to Microsoft, however. Just this week there's been proof that, in principle at least, it's possible to launch clickjacking attacks on users running rival browsers such as Mozilla's Firefox and Google's Chrome. (Source: Internetnews.com)

So what should you do to prevent clickjacking? If you are using Internet Explorer 8, do switch the new feature on, as it will do some good. If you are using a rival browser, look for add-ons such as NoScript which limit such attacks.

And while you should never be complacent about security, don't worry too much: The technique only works with sites which have been hacked and is much harder to exploit in practice than in theory.