In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities …
Then again, this exploit may be similar but different, but it must use a common link to affect so many browsers.
Does this mean everyone should install NoScript for the time being, at least?
Even though it does sort of ruin the internet?
Scripting and plug-ins not required
Had scripting turned off for years, and never downloaded any plugins, so perhaps I do not know what I am missing.
The new-look reg makes the basic mistake: change the foreground colour to black, but leave my choice of a dark background in the textbox. As a result I am trying Lynx today.
So far, so good. I think I will keep it as it is far faster, and I always get may choice of colours.
"In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins."
Suppose you disable scripting with a plugin, like NoScript?
Damn geeks. They've screwed up everything. They can't even get something as simple as the Internet right. No wonder 70% of financial application are still coded in COBOL and don't use the Internet as their primary avenue of communications.
However, this is most certainly a "man trying to keep information out" or whatever. Everybody screams for silence when it's their product that's vulnerable - but they want full disclosure when it's someone elses problem. Gay. It's all gay.
I bet £0.01
Is this actually anything cleverer than <a href="goodsite.com" onclick="location.href=http://dodgysite.biz">Please enter your password</a>
Simple solution that will never be followed
I always use noscript but for the absolute unavoidable minimum, and those that for some reason require scripting run in a VM now.
[*] or any tool.
How to prevent webcam monitoring: Unplug the thing, duh
In another day for the "Dan Goodin is Paranoid" department, the celebrated El Reg author once again overlooks the obvious when explaining a computer security vulnerability.
disable scripting and all browser plugins..
..and the problem is?
He'll save every one of us!
Open fire - all weapons, Despatch war rocket Ajax to bring back his body.
I liked it better before everyone knew about this...
Cuz nothing beats watching Webcams when no one knows your watching... and listening.
fine for 'information' sites, i guess, we can always look elsewhere the site owner doesn't loose much. but for retail sites??? putting a limit up means I go elsewhere, to me your site tis broken.
*this* defect will be something to do with how acrobat likes to take over the page, so noscript etc won't work, since it will be acrobat doing its thing.
solution? don't view pdf files?
or heavens above adobe could make some nice options, like making it very clear where a link will go, and allowing links to be turned off/replaced with the url etc.
they need someone _seriously_ evil working at microsoft & adobe etc, someone who gets a nice bonus for every evil trick they find to redirect someone. so the tricks can be blocked.
Disable all scripting everywhere by default, add exceptions for the sites one regularly visits and trusts. No problem. A minor inconvenience at the most. I will often view page source or download and read scripts before enabling java for an unknown site . If an unknown and thus untrusted (All websites by default should be untrusted) website asks for a plugin to be installed to view the content, then go find the content elsewhere. I would rather have a slightly broken web experience than a broken OS, a compromised bank account or encrypted documents. Paranoia maybe but the last infection I had was the Saddam virus on my Amiga. Alternatively browse the net on a vm that's used for web browsing only and take a snapshot before each session.
Changing status bar text via Java is easy. However there is an option in Firefox advanced script setting that either allows or disables the changing of status text by Java. One should make sure that this option is unticked.
Of course your average user is not going to employ all or indeed any of these tactics, still it keeps us in work.
As BlueGreen mentioned keep it simple, html, css and php is all it takes to build an effective, efficient website.
Seems like most of the discussions were "effects x AND adobe" "fix x AND adobe" - could this be a flash bug? That would still make it effect all your mainstream browsers...
@Gordon - to "unplug" my webcam I would have to rip apart my laptop's lid... not really a viable option for me...
I'm very worried about the prospect of the nasties taking over my webcam and mic. How the hell did they manage to get in and install them without me noticing?
As for scripts, the NoScript ... er... plugin is my best friend.
I've known about this for at lest eight years.
Anything new to report?
mines the one made out of tin foil
In the long run - simplify web page design as mentioned above. The "browsing experience" is still going to be just fine. It may not require using only html, css and php, but stripping insecure components out of other protocols would be a good start.
And Dan Goodin is the man - leave off, or I'll send the boys 'round ....
Easy one, that
Adobe products make...
....Microsoft look good.
this is new? wow.
really. This is new? not just
a href='anysite.com/showthislink/seemslegit.htm ' onclick='window.open("someothersite.com","_self);return(false)'
Systemic Problems require New Source Code not Fluffing of Old Code Programs
"I've known about this for at lest eight years.
Anything new to report?" ..... By Greg Fleming Posted Tuesday 16th September 2008 22:42 GMT
Eight years you say..... would you then have the Answer/Solution to Share with Us All, Greg.
And I was thinking exactly the mirror opposite to RSnake.[Hansen]
"Hansen struck a more conciliatory tone in discussing the cancellation.
"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation"
Man speak with forked tongue, Kemo Sabe. He hides the Truth in what he says is not there.
And Red Team Virtual Penetration BetaTest Drivers are not Hackers, they are Creative Crack Coders Plugging Vulnerabilities that Lose Market Share to Beta Equipped ProgramMIng.
If you have a Major Internet Control Problem, they're the Sort of Dudes you Call Direct with a Line of Open Credit Reflective of Control Needs.
re. Adobe make Microsoft look good.
I agree. I gave up on Acrobat Reader in favour of Foxit Reader, fed up of having my browser locked up or crashed.
New? Not New?
Of course, it could all have been blown out of proportion by the guys themselves in order to make their work look more prestigious than it is, but until more details are disclosed, there's nothing to be lost by being a little extra watchful is there?
Well, except that most of the folks who read The Reg are probably more than paranoid enough - it's all the clueless email attachment readers and compulsive link-clickers out there that cause most of the problems.
P.S. Bets on any vulnerabilities being present in the shiny new, "we've dressed up WebKit to make it more secure and better for modern web applications" Chrome (JAFWB!) too?
Sticky tape and a piece of paper. Cover the lens.
As for the web in general - yup, disable all scripts and all plugins by default.
What's the buzz?
The problem now is that the danger-bubs have been activated and we all want to know the fuss is about! This looks to me like one of those "Church/Org makes a fuss over nothing and more people find out than would have, if they had simply let it go.".
Oh and now I've been forced to come over all middle-England! Did these people even go to school?
"that this is a tough problem with no easy solve in sight"
have I not trusted the text in the status bar to tell me where I am going next
interwebs without scripts and plug ins
The interwebs without scripts and plug ins is a bit like a supermarket with a plain concrete front, no windows, concrete shelves and all the products contained in brown containers with black stenciled text to inform you what is inside.
Checkouts similarly grey staffed by people in grey and only excepting cash.
@Peyton - laptops with webcams
"@Gordon - to "unplug" my webcam I would have to rip apart my laptop's lid... not really a viable option for me..." "
Or instead of martyring yourself you could stick a piece of Post-It or blob of Blu-tak over the lens. And I presume your laptop has a nice light to tell you the camera's on, like the Eee PC...
Hunt 'em down and put 'em in jail
I keep saying that the laws concerning hacking and cyber crime need to be tightened up and the people who carry out these crimes found and dealt with, instead of trying to ruin the lives of your average person without punishment or consequences seemingly
Have we gone back to 1990
and no one told me.
This has been possible for ages and is a key part of the web, the link shown to you is the link the author put in the page, which can be anything.
This is just a part of the web, sure things like privoxy can detect a header request to redirect, but a lot of sites use them :)
It is not a flaw it is a feature get use to it - if you go to a dubious site then well you are already taken.
Face it. Scripted sites are part of the web these days. Unless you prefer surfing back in 1995.
The real reason a lot of people have a beef with scripted sites is more likely because so many are badly written.
It's not an evil to use script as a developer, if it's used constructively and not over-used. Developers also have a requirement to at least make their sites vaguely usable for luddites who disable script.
Anyway, surely recent anti-phishing technology in browsers would spot simple stuff like this?
Wow - thanks for the advice guys!
Love the idea of covering my nice, sleek laptop with a bunch of tape and post-it notes - I can keep my passwords there AND it will really give it a nice garbage bin look. (I'm sure that tape won't leave any dirt-attracting glue behind when I actually *use* the webcam) Now how about the mic inputs situated right next to the web cam? Stuff some cotton in there I suppose?
> Face it. Scripted sites are part of the web these days. Unless you prefer surfing back in 1995.
Yes, I do. I really, really do. It. Just. Worked. Unlike most crap today designed by an art major with his crappy <Whatever the FrontPage of today is> software.
@Peyton:Wow-thanks for the advice guys!
Wear a mask and learn sign language.
Well, If your OS is windoze just disable your webcam in the hardware properties tab when you aren't using it.