On Wed, 30 Dec 2009 21:40:19 -0500, Michael Billingsley <michaelb at sover.net> wrote:
> The original posting - which under my signature tells Facebook's
> experience with "clickjacking" gives some of the details. It depends
> upon the browser, and according to security experts, all browser apps
> including Firefox are vulnerable if you land on the wrong page or
> click on the wrong (deceptive) button. Security people fault web
> browser developers for being entirely in a defensive/responsive mode
> instead of evolving a completely reworked approach to browser page
> viewing.

Yes, I understood that.

> On 30 December 09, at 4:07 PM, R. David Murray wrote:
> > How can just going to a web page install software on your machine?

What I meant by this question is, even if the clickjack or web page load initiated a request to install software, (a) you should be prompted for confirmation before any install is done in a way that isn't clickjackable, (b) it should not be *possible* for any software other than firefox add-ons to get installed without you entering the root or admin password.

Even if a bug in firefox lets an add-on install without a confirmation prompt, cleaning up your firefox addons registry would be much simpler than cleaning up the results of an equivalent hack on a Windows box, where the infestation could go beyond just firefox because many Windows users run as admin (because not doing so is so much of a pain; though it is better these days than it used to be).

Well, technically non-firefox-add-on software could get installed in the non-admin user account on either OS X or Windows (or linux, for that matter) such that it would get run by that user, but again that's a *lot* easier to fix than an admin level infestation. (Well, it's still painful on Windows, unfortunately.)

So I'm wondering how you got infected, and if it represents a serious vulnerability in OS X or Firefox or Safari.

Thinking about what you described, I'm guessing you were dealing with a firefox add-on? Or the Safari equivalent? Which makes me wonder if there is a bug in the way the install-confirmation popup or the add-on update hooks are handled that the malicious web site was able to exploit.

Well, I guess the main lesson is to always make sure your web browser is up to date with the latest security fixes, since it is the most vulnerable part of any Internet connected workstation, and then to always be cautious anyway when browsing the web.

--
R. David Murray      www.bitdance.com
Business Process Automation - Network/Server Management - Routers/Firewalls