Wednesday, October 8, 2008

Clickjacking exploits are here

I posted about clickjacking earlier, and how this seems like a pretty serious problem.
Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC's video cam and microphone to secretly spy on the player.
It's generally a good idea to turn your camera off if you're not using it. Of course, if an exploit can get to the camera, it has pretty well got to everything else:
Doubting Thomases will say the answer is to disable cams, mics, and other devices that can be misused or to simply uninstall Flash. But this is to miss the larger point: Right now, unknown web masters throughout the world can control the links you click on simply by luring you to their page. The list of ways this can be abused - we're thinking government spying, corporate espionage, cyber stalking, click fraud, and even creepier things we won't bother to mention - is limited only by the imagination. Turning off the webcam may limit the damage, but it doesn't remove the underlying threat.
Yeah, yeah, yeah. This is for real, though, unlike a lot of the OMGWe'reGoingToDie security news you sometimes hear.
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.
There's no patch, so that's not a solution.
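The post is right that in 2008 a site owner had nothing to apply: the defense browsers later standardized is a response header the framed site sends (X-Frame-Options, then CSP frame-ancestors) telling the browser not to render it inside another site's frame. Added example, not from the original post: a builder for those headers and an audit function that reports whether a response is protected; antiFramingHeaders and framingProtection are assumed names.

```javascript
// Added example (not from the original post). Builds the anti-framing
// headers a site sends so it cannot be overlaid transparently on an
// attacker's page, and audits a response for them.
// Assumed names: antiFramingHeaders, framingProtection.

// allowedOrigins: [] means "never frame me"; otherwise only self plus
// the listed origins may embed the page.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express an origin list; CSP is authoritative
  // and SAMEORIGIN is the closest legacy fallback for old browsers.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy':
      `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Audit a response's headers (names matched case-insensitively) and report
// which clickjacking protection is present: 'none', 'legacy', 'csp' or 'both'.
function framingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  // ALLOW-FROM was never widely supported, so only DENY/SAMEORIGIN count.
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';

  // frame-ancestors with a bare wildcard or a scheme-only source lets any
  // site frame the page, so those are treated as unprotected.
  const csp = lower['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(s => s.startsWith('frame-ancestors'));
  const sources = directive ? directive.split(/\s+/).slice(1) : [];
  const open = ['*', 'http:', 'https:'];
  const cspOk = sources.length > 0 && !sources.some(s => open.includes(s));

  if (xfoOk && cspOk) return 'both';
  if (cspOk) return 'csp';
  if (xfoOk) return 'legacy';
  return 'none';
}
```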

So, what can you do (assuming you're not a scary smart browser software engineer)? The article talks about how the exploit worked fine on Internet Explorer, but not on Firefox. While this is clearly no panacea, it is an example of how the 2 Simple Rules of Browser Security will lower your risk. IE is not necessarily less secure; rather, the Bad Guys disproportionately target it.

If you use IE (and a lot of you do, based on Sitemeter stats), run, don't walk to pick up Firefox. In a world of clickjacking exploits, friends don't let friends surf with IE. It's a fine browser, but it is what the lazy Bad Guys target.

Also pick up Opera, and use it only for online financial transactions: banking (if you absolutely must), PayPal, anything with a credit card.

None of this will prevent clickjacking. What it will do is make it harder for the Bad Guys to target you personally. Not impossible by any means, but they need to do extra work to make sure that their 'sploit runs as effectively against Firefox and Opera as against IE. Many won't.

UPDATE 17 OCTOBER 2008 09:06: Adobe has a patch.
