If you are using a Mozilla-based browser such as Firefox, Flock or SeaMonkey, you need to download the NoScript plug-in to protect against clickjacking now. In fact, don't even finish reading this article until you have downloaded and installed it.
Okay, I will assume that you did your assignment and are good to go. Let's talk about clickjacking now. Clickjacking has been dubbed one of the most serious threats on the Web. It affects every graphical browser, so that means that 99 percent of us mere mortals are in jeopardy. All you Lynx or Links users can keep on text browsing in the comfort of your trusty old 386 machines.
Seriously, clickjacking happens when someone browsing a Web site clicks on an invisible link laid over the visible page, so the click goes to a malicious site without them even knowing it. From there, the attacker controls what the user is actually clicking on, and that is what makes it serious: the page the user sees and the page that receives the click are not the same. All of the browser manufacturers have been advised of the vulnerability and a few have come forward with fixes.
Download the NoScript plug-in and you will be protected against clickjacking and Cross-Site Scripting (XSS) attacks as well. Adobe recently released Flash Player 10 in response to clickjacking. The update contains other bug fixes and is a definite download if you use the product, and who doesn't? If you are an IE user, you are out of luck: Microsoft says that it is looking into the problem. Here are a few workarounds for IE users:
- Don't use IE.
- Don't visit untrusted sites or fill out forms on them.
- Use Firefox.
- Use Lynx.
- Wait for a patch from Microsoft.
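All of the workarounds above sit on the user's side of the connection. The other half of the picture is what a site operator can do so that its pages cannot be laid invisibly over someone else's. The following is an added example, not code from the article: it audits a set of HTTP response headers for anti-framing protection and adds it where it is missing. It assumes the standard X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, neither of which the article mentions, and the sample header sets are constructed for the example.

```python
"""Audit HTTP response headers for clickjacking (framing) protection and
add it where it is missing.

Added example, not from the original article.  Assumes the standard
anti-framing response headers X-Frame-Options and
Content-Security-Policy (frame-ancestors directive): a browser that
honours them refuses to render the response inside a frame on another
site, which is the overlay clickjacking depends on.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: Headers) -> Tuple[bool, str]:
    """Decide whether a third-party page may put this response inside a frame.

    Returns (allowed, reason).  A CSP frame-ancestors directive takes
    precedence over X-Frame-Options, as browsers that support both do.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # Only 'none' or 'self' keep third parties out; any other source
            # (a host, a scheme, or '*') lets that origin frame the page.
            if sources and all(s in ("none", "self") for s in sources):
                return False, "CSP frame-ancestors restricts framing"
            return True, "CSP frame-ancestors permits external origins"
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return False, f"X-Frame-Options {value}"
        # ALLOW-FROM or a malformed value: counted as unprotected (conservative audit)
        return True, f"X-Frame-Options value '{xfo.strip()}' does not block framing"
    return True, "no anti-framing header"


def harden(headers: Headers) -> Headers:
    """Return a copy of the headers with framing denied unless it already is.

    Existing CSP directives other than frame-ancestors are preserved.
    """
    if not framing_allowed(headers)[0]:
        return dict(headers)
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("x-frame-options", "content-security-policy")}
    hardened["X-Frame-Options"] = "DENY"
    csp = get_header(headers, "Content-Security-Policy") or ""
    kept = [d.strip() for d in csp.split(";")
            if d.strip() and d.split()[0].lower() != "frame-ancestors"]
    hardened["Content-Security-Policy"] = "; ".join(kept + ["frame-ancestors 'none'"])
    return hardened


# Constructed sample header sets (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Headers] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}


def audit(responses: Dict[str, Headers]) -> Dict[str, bool]:
    """Map each sample name to whether a third party could frame it."""
    return {name: framing_allowed(h)[0] for name, h in responses.items()}


if __name__ == "__main__":
    for name, allowed in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12} framing allowed: {allowed}")
    print(harden(SAMPLE_RESPONSES["csp-partner"]))
```

The "csp-partner" sample is the case worth noticing: it carries `X-Frame-Options: DENY`, yet its CSP explicitly lets a partner origin frame it, and a browser that understands frame-ancestors will honour the CSP and ignore the older header. An audit that only looks for X-Frame-Options would call that page protected.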
Clickjacking is a serious threat and needs to be dealt with in a serious manner. Users are users and will continue to use the Internet as they see fit, whether there is a risk or not. We as security professionals need to make sure our assets are protected, if you know what I mean.