IE8's clickjacking protection will have 'zero impact,' says researcher
More info from Microsoft doesn't change opinion of researcher who reported problem
Computerworld - Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
In a post to the IE blog late yesterday, Microsoft program manager Eric Lawrence provided the first technical details of the new feature, which debuted in Internet Explorer 8 Release Candidate 1 (IE8 RC1), the preview launched Monday. According to Lawrence, the defense relies on Web application and site developers sending the browser an HTTP response header, dubbed "X-Frame-Options" to restrict how the page may be framed.
"It has to be done by the Web sites themselves," he said. "That's not exactly the greatest way to protect users."
As an illustration, he brought up "HTTPOnly," a flag that has been available to site and application developers for years. Designed and promoted by Microsoft, HTTPOnly protects Web "cookies" from malicious scripts.
"A great security feature, but it took years and years to be deployed by even one other browser, Firefox," said Hansen. "And still we have maybe 0.001% deployment of HTTPOnly, and then only on the biggest sites."
He predicted the same dismal uptake in the future for Microsoft's opt-in on clickjacking. "There's value in it, to be sure, and it definitely provides some protection," Hansen said. "Eventually, the number of people protected with grow, and then it will have some amount of impact. But now? It will have zero impact."
Although he declined to say how much he knew of IE8 RC1's anti-clickjacking feature before this week, Hansen did acknowledge that the technique was one that came up in his first conversations with a Microsoft security expert he rousted out of bed last year. "One of the things he mentioned was this idea," said Hansen. "But I told him there were lots of sites that can't have this in the header and still work, so I dismissed the idea immediately."
He still does, to some degree.
"I really think that the reason why they did this was because they wanted to be able to say that they have a clickjacking solution," said Hansen. "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking."
Microsoft is caught in a bind, according to Hansen. "IE lacks the kind of innovation you see in [Google's] Chrome or Firefox, and they're getting pounded from all sides," he said. "At the same time, they have to impress the gigantic companies that are using, in some cases, IE6. So when IT asks, 'What about clickjacking?' -- now Microsoft can say they have something. And it's definitely a concept that can be communicated."
In the end, it may not even matter that much, said Hansen. "Clickjacking has not been proven to be effective in the wild," he said. "Proof of concept, yes, and I've come up with plenty of them. But we have never seen it in the wild."
But just as he wondered whether it was worth the trouble to implement any clickjacking defense, Hansen added that to do nothing could be very risky. "The trouble is that one-off exploits of a specific site are possible. [Hackers] can do it, and then they'd have carte blanche. And widespread attack would leave everyone with a very long exposure time because it would be extremely hard to do a global deployment of any defense."
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!