IE8's clickjacking protection will have 'zero impact,' says researcher
More info from Microsoft doesn't change opinion of researcher who reported problem
Computerworld - Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
In a post to the IE blog late yesterday, Microsoft program manager Eric Lawrence provided the first technical details of the new feature, which debuted in Internet Explorer 8 Release Candidate 1 (IE8 RC1), the preview launched Monday. According to Lawrence, the defense relies on Web application and site developers sending the browser an HTTP response header, dubbed "X-Frame-Options" to restrict how the page may be framed.
"It has to be done by the Web sites themselves," he said. "That's not exactly the greatest way to protect users."
As an illustration, he brought up "HTTPOnly," a flag that has been available to site and application developers for years. Designed and promoted by Microsoft, HTTPOnly protects Web "cookies" from malicious scripts.
"A great security feature, but it took years and years to be deployed by even one other browser, Firefox," said Hansen. "And still we have maybe 0.001% deployment of HTTPOnly, and then only on the biggest sites."
He predicted the same dismal uptake in the future for Microsoft's opt-in on clickjacking. "There's value in it, to be sure, and it definitely provides some protection," Hansen said. "Eventually, the number of people protected with grow, and then it will have some amount of impact. But now? It will have zero impact."
Although he declined to say how much he knew of IE8 RC1's anti-clickjacking feature before this week, Hansen did acknowledge that the technique was one that came up in his first conversations with a Microsoft security expert he rousted out of bed last year. "One of the things he mentioned was this idea," said Hansen. "But I told him there were lots of sites that can't have this in the header and still work, so I dismissed the idea immediately."
He still does, to some degree.
"I really think that the reason why they did this was because they wanted to be able to say that they have a clickjacking solution," said Hansen. "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking."
Microsoft is caught in a bind, according to Hansen. "IE lacks the kind of innovation you see in [Google's] Chrome or Firefox, and they're getting pounded from all sides," he said. "At the same time, they have to impress the gigantic companies that are using, in some cases, IE6. So when IT asks, 'What about clickjacking?' -- now Microsoft can say they have something. And it's definitely a concept that can be communicated."
In the end, it may not even matter that much, said Hansen. "Clickjacking has not been proven to be effective in the wild," he said. "Proof of concept, yes, and I've come up with plenty of them. But we have never seen it in the wild."
But just as he wondered whether it was worth the trouble to implement any clickjacking defense, Hansen added that to do nothing could be very risky. "The trouble is that one-off exploits of a specific site are possible. [Hackers] can do it, and then they'd have carte blanche. And widespread attack would leave everyone with a very long exposure time because it would be extremely hard to do a global deployment of any defense."
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts