[Hidden-tech] Beware the Facebook thingy-dingy redux

R. David Murray rdmurray at bitdance.com
Thu Dec 31 08:57:21 EST 2009


On Wed, 30 Dec 2009 21:40:19 -0500, Michael Billingsley <michaelb at sover.net> wrote:
> The original posting - which under my signature tells Facebook's
> experience with "clickjacking" - gives some of the details.  It depends
> upon the browser, and according to security experts, all browser apps
> including Firefox are vulnerable if you land on the wrong page or
> click on the wrong (deceptive) button.  Security people fault web
> browser developers for being entirely in a defensive/responsive mode
> instead of evolving a completely reworked approach to browser page
> viewing.

Yes, I understood that.

> On  30 December 09, at 4:07 PM, R. David Murray wrote:
> > How can just going to a web page install software on your machine?

What I meant by this question is, even if the clickjack or web page load
initiated a request to install software, (a) you should be prompted for
confirmation before any install is done in a way that isn't clickjackable,
(b) it should not be *possible* for any software other than Firefox
add-ons to get installed without you entering the root or admin password.
Even if a bug in Firefox lets an add-on install without a confirmation
prompt, cleaning up your Firefox add-ons registry would be much simpler
than cleaning up the results of an equivalent hack on a Windows box,
where the infestation could go beyond just Firefox because many Windows
users run as admin (because not doing so is so much of a pain; though
it is better these days than it used to be).

Well, technically non-Firefox-add-on software could get installed in the
non-admin user account on either OS X or Windows (or Linux, for that
matter) such that it would get run by that user, but again that's a *lot*
easier to fix than an admin-level infestation.  (Well, it's still
painful on Windows, unfortunately.)

So I'm wondering how you got infected, and if it represents a serious
vulnerability in OS X or Firefox or Safari.  Thinking about what you
described, I'm guessing you were dealing with a Firefox add-on?  Or the
Safari equivalent?  Which makes me wonder if there is a bug in the way
the install-confirmation popup or the add-on update hooks are handled
that the malicious web site was able to exploit.

Well, I guess the main lesson is to always make sure your web browser
is up to date with the latest security fixes, since it is the most
vulnerable part of any Internet-connected workstation, and then
to always be cautious anyway when browsing the web.

--
R. David Murray                                      www.bitdance.com
Business Process Automation - Network/Server Management - Routers/Firewalls


More information about the Hidden-discuss mailing list