Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
In a post to the IE blog late yesterday, Microsoft program manager Eric Lawrence provided the first technical details of the new feature, which debuted in Internet Explorer 8 Release Candidate 1 (IE8 RC1), the preview launched Monday. According to Lawrence, the defense relies on Web application and site developers sending the browser an HTTP response header, dubbed "X-Frame-Options" to restrict how the page may be framed.
That's all well and good, but it's not going to do much, if any, good in even the long run, said Robert Hansen, CEO of SecTheory LLC, and one of the two researchers who first warned of clickjacking.
"It has to be done by the Web sites themselves," he said. "That's not exactly the greatest way to protect users."
As an illustration, he brought up "HTTPOnly," a flag that has been available to site and application developers for years. Designed and promoted by Microsoft, HTTPOnly protects Web "cookies" from malicious scripts.
"A great security feature, but it took years and years to be deployed by even one other browser, Firefox," said Hansen. "And still we have maybe 0.001% deployment of HTTPOnly, and then only on the biggest sites."
He predicted the same dismal uptake in the future for Microsoft's opt-in on clickjacking. "There's value in it, to be sure, and it definitely provides some protection," Hansen said. "Eventually, the number of people protected with grow, and then it will have some amount of impact. But now? It will have zero impact."
Although he declined to say how much he knew of IE8 RC1's anti-clickjacking feature before this week, Hansen did acknowledge that the technique was one that came up in his first conversations with a Microsoft security expert he rousted out of bed last year. "One of the things he mentioned was this idea," said Hansen. "But I told him there were lots of sites that can't have this in the header and still work, so I dismissed the idea immediately."
He still does, to some degree.
"I really think that the reason why they did this was because they wanted to be able to say that they have a clickjacking solution," said Hansen. "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking."
Microsoft is caught in a bind, according to Hansen. "IE lacks the kind of innovation you see in [Google's] Chrome or Firefox, and they're getting pounded from all sides," he said. "At the same time, they have to impress the gigantic companies that are using, in some cases, IE6. So when IT asks, 'What about clickjacking?' -- now Microsoft can say they have something. And it's definitely a concept that can be communicated."
In the end, it may not even matter that much, said Hansen. "Clickjacking has not been proven to be effective in the wild," he said. "Proof of concept, yes, and I've come up with plenty of them. But we have never seen it in the wild."
But just as he wondered whether it was worth the trouble to implement any clickjacking defense, Hansen added that to do nothing could be very risky. "The trouble is that one-off exploits of a specific site are possible. [Hackers] can do it, and then they'd have carte blanche. And widespread attack would leave everyone with a very long exposure time because it would be extremely hard to do a global deployment of any defense."