The original posting - which under my signature tells Facebook's experience with "clickjacking" gives some of the details. It depends upon the browser, and according to security experts, all browser apps including Firefox are vulnerable if you land on the wrong page or click on the wrong (deceptive) button. Security people fault web browser developers for being entirely in a defensive/responsive mode instead of evolving a completely reworked approach to browser page viewing. Here's an excerpt from an October 2008 article about "clickjacking"...

The clickjacking concept is nothing new, but the threat that Grossman and Hansen discovered is. It spans multiple browser families and doesn't even require that a user click on anything. Just loading a compromised page sets off the attack, and clicking on that page will likely make things worse for the victim, they say. "And whether JavaScript is on or off, it will affect you," he says. The attacker can slide any malware underneath the mouse such that the user has no idea he or she is in the danger zone. So on the Website, a user could click on a bad link chosen by the attacker and the user would have no clue because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.

This is the "new" Internet. Browser designers can design against it, but the outcome isn't going to make anyone happy... as another article says, our very commonplace expectation of flash movies, pop-up tables and viewers, on-page interactivity, etc. gives all manner of openings for this new style of attack. Firefox did develop a plug-in to help shield users to some extent, but it also involves "shutting off" interactivity to every new site you visit until you're sure that it, and its content, are safe. (And that wouldn't have helped with respect to the following Facebook clickjack.)
Note that this is 14 months after the Grossman and Hansen article spelling out the problem. And as an added irony, the clickjacking attack that occurred directly on the Facebook site over last weekend affected only Chrome and Firefox browsers. (It gave a short movie download after "testing" if you are human... by asking you to click on one colour button out of a field of multiple others. After which your successful "click" led to the page that invisibly loaded the scary micro-app while simultaneously "rewarding" each user by providing a YouTube video). This ain't nice 'ol Kansas anymore.

More here - http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201251

Michael Cerulli Billingsley
Straight Arrow Recordings
802-254-3975/380-6408
The Cotton Mill, Brattleboro, Vermont
Location Recording - CD Mastering - Audio Solutions/FX

On 30 December 09, at 4:07 PM, R. David Murray wrote:

> On Wed, 30 Dec 2009 14:01:52 -0500, Michael Billingsley <michaelb at sover.net> wrote:
>
>> Just a note that - I was my own guinea pig. I presumed that the Chilean source-server was identical to the Romanian one, so rather than dangerously clicking on the URL in the email (which would have obviously handed my computer to the "loader") I went instead to the domain server directly, to see if it also self-identified as being slaved to TeamViewer software.
>>
>> Rather than just say so (which the Romanian server did) it proceeded... while showing a blank screen... "load" I immediately yanked my Ethernet cable and killed the page, with hopes that it didn't get its packet into my machine and was only able to use those few seconds to scan for my Operating System (OS). However, for a modern computer a few seconds are aeons and enable multiple back-and-forth conversations and exchanges of data. Certainly it got my machine ID and domain address for future reference... not a good thing.
>>
>> My laptop (from which I'd done this... with all firewalls up and all external drives disconnected) immediately began to act a little dodgy. The rest of the afternoon was marked by a duplicate RealPlayer Downloader jumping in and acting in tandem (in other words - duplicating and parallel downloading) every clip I encountered on the Internet for the rest of the afternoon, i.e. newsfeeds. So I
>
> How can just going to a web page install software on your machine? Is OS X really that broken? (I know Windows is, but I thought OS X was smarter than that).
>
> Makes me glad I'm running Linux :) I've installed the firefox noscript extension just in case, though.
>
> --
> R. David Murray www.bitdance.com
> Business Process Automation - Network/Server Management - Routers/Firewalls
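Added example, not taken from this thread or from any site or software it mentions: the server-side counterpart to the browser plug-in the thread discusses. The quoted article's trick relies on rendering a victim page inside an invisible frame on the attacker's page; a site can tell browsers to refuse that with the X-Frame-Options header and the CSP frame-ancestors directive. The checker below classifies how well a set of response headers resists framing; the sample headers in the assertions are constructed.

```python
from typing import List, Mapping, Optional

# Constructed example: the header names and values follow the real X-Frame-Options
# and CSP frame-ancestors semantics; no site from the thread is involved.

def recommended_headers() -> dict:
    """Headers a page that never needs to be framed should send on every response."""
    return {
        "X-Frame-Options": "DENY",
        # Browsers that understand frame-ancestors use it and ignore X-Frame-Options.
        "Content-Security-Policy": "frame-ancestors 'none'",
    }

def _get(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns "" when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def assess_framing_protection(headers: Mapping[str, str]) -> str:
    """Return "blocked", "same-origin", "allow-list", "partial" or "none"."""
    ancestors = _frame_ancestors(_get(headers, "Content-Security-Policy"))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        # A wildcard or bare scheme lets any page on the web frame the response.
        if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
            return "none"
        return "allow-list"
    xfo = _get(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        # Browsers that do not recognise ALLOW-FROM ignore the whole header,
        # so this value cannot be relied on as the only protection.
        return "partial"
    return "none"
```

Run it against the headers of a real response (for example the dictionary returned by an HTTP client) to see which of the five verdicts a site currently earns.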