IE8's clickjacking protection will have 'zero impact,' says researcher
More info from Microsoft doesn't change opinion of researcher who reported problem
Computerworld - Microsoft Corp. provided more information today about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that tricks users into clicking on site buttons or Web forms. Such attacks hide malicious actions under the cover of a legitimate site, and they theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
In a post to the IE blog late yesterday, Microsoft program manager Eric Lawrence provided the first technical details of the new feature, which debuted in Internet Explorer 8 Release Candidate 1 (IE8 RC1), the preview launched Monday. According to Lawrence, the defense relies on Web application and site developers sending the browser an HTTP response header, dubbed "X-Frame-Options" to restrict how the page may be framed.
"It has to be done by the Web sites themselves," he said. "That's not exactly the greatest way to protect users."
As an illustration, he brought up "HTTPOnly," a flag that has been available to site and application developers for years. Designed and promoted by Microsoft, HTTPOnly protects Web "cookies" from malicious scripts.
"A great security feature, but it took years and years to be deployed by even one other browser, Firefox," said Hansen. "And still we have maybe 0.001% deployment of HTTPOnly, and then only on the biggest sites."
He predicted the same dismal uptake in the future for Microsoft's opt-in on clickjacking. "There's value in it, to be sure, and it definitely provides some protection," Hansen said. "Eventually, the number of people protected with grow, and then it will have some amount of impact. But now? It will have zero impact."
Although he declined to say how much he knew of IE8 RC1's anti-clickjacking feature before this week, Hansen did acknowledge that the technique was one that came up in his first conversations with a Microsoft security expert he rousted out of bed last year. "One of the things he mentioned was this idea," said Hansen. "But I told him there were lots of sites that can't have this in the header and still work, so I dismissed the idea immediately."
He still does, to some degree.
"I really think that the reason why they did this was because they wanted to be able to say that they have a clickjacking solution," said Hansen. "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking."
Microsoft is caught in a bind, according to Hansen. "IE lacks the kind of innovation you see in [Google's] Chrome or Firefox, and they're getting pounded from all sides," he said. "At the same time, they have to impress the gigantic companies that are using, in some cases, IE6. So when IT asks, 'What about clickjacking?' -- now Microsoft can say they have something. And it's definitely a concept that can be communicated."
In the end, it may not even matter that much, said Hansen. "Clickjacking has not been proven to be effective in the wild," he said. "Proof of concept, yes, and I've come up with plenty of them. But we have never seen it in the wild."
But just as he wondered whether it was worth the trouble to implement any clickjacking defense, Hansen added that to do nothing could be very risky. "The trouble is that one-off exploits of a specific site are possible. [Hackers] can do it, and then they'd have carte blanche. And widespread attack would leave everyone with a very long exposure time because it would be extremely hard to do a global deployment of any defense."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts