Microsoft boasts 'out of box' IE8 clickjack protection

Microsoft has beefed up its latest Internet Explorer browser with an "out of the box" feature that it says will protect users against a serious class of attacks that allows maliciously controlled websites to manipulate the links visitors click on. The new measure, baked into Redmond's first release candidate for IE8, blocks so- …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    IT Angle

    WTF is click-jacking?

    This is an IT rag, right? Could you include at least a half-assed attempt at a technical description? I feel like I read an article about nothing, aimed at my grand-mom.

  2. Mark Dowling
    Gates Horns

    headline quotes in wrong place

    Methinks it should have read:

    Microsoft boast out of box IE clickjack "protection"

    It's about as useful as the rhythm method is for preventing syphilis - if Microsoft's "add a tag yourself" solution worked we wouldn't need this new Compatibility Mode Update feature, would we?

  3. Anonymous Coward
    Happy

    @Mark Dowling

    You owe me a new keyboard *and* monitor.

  4. Jach
    IT Angle

    Did I miss something?

    "Microsoft has beefed up its latest Internet Explorer browser with an "out of the box" feature that it says will protect users against a serious class of attacks that allows maliciously controlled websites to manipulate the links visitors click on."

    "The protection, it turns out, relies on special tags webmasters must put on their pages that prevent clickjacking by returning an error message when malicious links are detected."

    So they expect these maliciously controlled websites to implement a tag that kills their own naughtiness?

    I'm also as confused as Brent about what clickjacking is supposed to be. Something so simple as making a link, but onClick it redirects elsewhere?

  5. Inachu
    Heart

    I so sure do hope this is true.

    Prevent click hijacking would be awesome!

    Now if only Microsoft would give an option to sandbox IE as well.

  6. The Cube
    Stop

    Sorry? Whose product are we talking about here?

    "But because they have to be downloaded, installed, and regularly updated, and because they often have cryptic support documentation, such add-ons aren't yet suitable for the masses"

    If it wasn't for the direct context I would have had to assume you were talking about Microsoft here, be it Windoze, Internet Destroyer, Orofice 2007, whichever product you choose.

    Seriously, you download Firefox, you type "adblock plus" and "noscript" into Google, NoScript sets itself up and you just click on things that don't work in pages that need Flash, AdBlock plus you select, in the web page that opens when it restarts, the first list to subscribe to. After that FF checks for the updates on browser start, asks first and then installs them. How 'not suitable for the masses' is that precisely? Perhaps we need a nice one paragraph set of instructions....

    Now if you want not suitable for non experts how about a system that:

    -- will install rootkits and viruses off every Sony CD and USB stick that comes within 50 feet of it? Of course it is easy for Joe public to find out about KB953252 after his second infection with a worm through a 'feature' that he thought he had turned off, discover it still doesn't kill the other infection vector of that 'feature' and have to get out regedit and go fix something that starts HKLM / Software / Microsoft / Windows / Shite I Never Asked For /

    -- runs every little bit of script, adverts and crap in every webpage with no user control at all (and don't be funny with the Internet Destroyer 'security' settings, a more opaque and mangled set of rubbish hasn't been had this side of Netware CDROM mount commands)

    -- needs to restart the host operating system to patch a 'browser' component,

    -- continue endless list of 'ways Microsoft products annoy you into submission'

    Here is the news Redmond, XP and Fister were operating systems, not browsers, take the crap out and make it work on something that wasn't a supercomputer in 2007. Most importantly don't layer insecure crapware over security sellotape over insecure crap and then expect to charge money for it.

    Oh and as for Office, it was really good around Office 2000, could we have that back with the charting bits from Excel 2003 please?

    Signed, an ex MCSE, ex consultant at the UK's first Microsoft Partner and ex badge wearing Linux hater.

  7. Flocke Kroes Silver badge

    This problem was solved years ago

    Use Lynx: http://lynx.isc.org/lynx2.8.5/index.html

    Lynx is also immune to all flash and javascript based attacks.

  8. adnim

    click jacking

    To oversimplify... A surfer clicks a link expecting to go to abc.com and ends up at xyz.com

    Hidden elements, often an iframe, in a webpage lie above what the user sees and clicks on. The hidden elements handle the click rather than the visible link that is clicked.

    This discussion goes into more depth:

    http://www.securityfocus.com/news/11535
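Editor's added example, illustrating adnim's description above. This is not code from the article, from any commenter, or from Internet Explorer. It sketches the attacker's overlay page (decoy button underneath, transparent iframe of the victim on top) and a model of the browser-side check for the opt-in that IE8 RC1 shipped, the X-Frame-Options response header. The host names, paths, button position and decoy text are invented.

```javascript
// Added example (editor's, not from the article, the commenters or IE itself).
// Hosts, paths and decoy text are invented. The decision logic models the
// X-Frame-Options header that IE8 RC1 introduced: a page that sends
// "DENY" or "SAMEORIGIN" asks the browser to refuse to render it in a frame.

// The attacker's page, as adnim describes it: a visible decoy button with a
// fully transparent iframe of the victim page stacked above it. The iframe
// is offset so the victim's real button sits exactly under the decoy, so
// the click the user thinks is on "Claim your prize" lands on the victim.
function buildClickjackPage(victimUrl, realButtonLeft, realButtonTop) {
  const decoyLeft = 100;  // where the bait is drawn on the attacker's page
  const decoyTop = 100;
  return '<!DOCTYPE html><html><body>' +
    '<button style="position:absolute;left:' + decoyLeft + 'px;top:' +
      decoyTop + 'px;z-index:1">Claim your prize</button>' +
    '<iframe src="' + victimUrl + '" style="position:absolute;' +
      'left:' + (decoyLeft - realButtonLeft) + 'px;' +
      'top:' + (decoyTop - realButtonTop) + 'px;' +
      'width:800px;height:600px;border:0;opacity:0;z-index:2"></iframe>' +
    '</body></html>';
}

// Fetch one header value from a raw HTTP response head (name is
// case-insensitive); null when the header is absent.
function getHeader(rawResponse, name) {
  const head = rawResponse.split('\r\n\r\n')[0];
  const wanted = name.toLowerCase();
  for (const line of head.split('\r\n').slice(1)) {  // skip the status line
    const colon = line.indexOf(':');
    if (colon > 0 && line.slice(0, colon).trim().toLowerCase() === wanted) {
      return line.slice(colon + 1).trim();
    }
  }
  return null;
}

// The browser-side decision: may the document fetched from victimUrl be
// rendered inside a frame whose top-level page is topUrl? With no header
// the answer is always yes, which is the point the commenters make: the
// victim site has to opt in, and the attacker's site never will.
function framingAllowed(xfoValue, victimUrl, topUrl) {
  if (xfoValue == null) return true;
  const directive = xfoValue.trim().toUpperCase();
  if (directive === 'DENY') return false;
  if (directive === 'SAMEORIGIN') {
    return new URL(victimUrl).origin === new URL(topUrl).origin;
  }
  return true;  // unrecognised value: no protection, as in a browser that
                // does not know the header at all
}

// Constructed sample responses for the victim page, with and without opt-in.
const UNPROTECTED = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>';
const PROTECTED = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n' +
  'X-Frame-Options: SAMEORIGIN\r\n\r\n<html>...</html>';

function demo() {
  const victim = 'https://bank.example/transfer';    // invented victim
  const attacker = 'https://prizes.example/win';     // invented framer
  const page = buildClickjackPage(victim, 240, 310); // real button at (240,310)
  return {
    iframeIsInvisible: page.includes('opacity:0'),
    framedWithoutHeader: framingAllowed(getHeader(UNPROTECTED, 'X-Frame-Options'), victim, attacker),
    framedByAttacker: framingAllowed(getHeader(PROTECTED, 'x-frame-options'), victim, attacker),
    framedByItself: framingAllowed(getHeader(PROTECTED, 'X-Frame-Options'), victim, 'https://bank.example/help'),
  };
}

console.log(demo());
// -> { iframeIsInvisible: true, framedWithoutHeader: true,
//      framedByAttacker: false, framedByItself: true }
```

The last two results are the whole argument of the thread in miniature: the header only helps the site that sends it, and a page that sends nothing is framable by anyone. Run it with node; it needs no network access.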

  9. mechBgon

    No catchy name, but...

    ...controlling active scripting in Internet Explorer (and their potential abuse & consequences) has been available for about ten years now, starting with IE 5.01 if I recall correctly. It just requires about 30 seconds of adjusting your Zones settings to your preferences. That holds true for ActiveX and Java as well.

    Those who'd like to do so can simply set the Trusted Zone to Medium-High security (the same baseline as the Internet Zone's default setting in IE7) and disable the HTTPS requirement for Trusted Zone sites. Next, change the Internet Zone to disallow Java applets, active scripting, ActiveX and whatever else. Add trusted sites to the Trusted Sites zone as desired.

    Is it maintenance-free? Certainly not, but neither is NoScript, so pick your poison. The kicker is, you can set this for hundreds or thousands of computers at once with a Group Policy setting if you wish, and make it stick whether the users like it or not.

  10. Pierre
    Coat

    Lynx sucks

    Use w3m

  11. Anonymous Coward
    Dead Vulture

    Re: The Cube

    Mr. Cube. You express all of my thoughts exactly to a T. Very eloquent. Got any good LAMP jobs where I can work from home?

  12. Anonymous Coward
    Flame

    Seriously the time has come

    to disable all XSS. I don't know why anyone ever allowed this in the first place. Whatever the domain in the title bar of your browser - that should be the only domain that you browser can contact for that page - period. No cross domain iframes, and certainly no cross-domain javascript. Sorted.

    (cue flame war with people telling me all the useless shit that will break if we did that....)

  13. Pierre
    Flame

    @ Brent

    Disable XSS? Do you even imagine what shitload of useless crap that will break if we did that? An effing large shitload.

  14. Kanhef
    Boffin

    A possible clickjacking method

    Here's a bit of code I found on an actual web page (names changed, of course):

    <script language=JavaScript><!--
    // Write the visible link; its href carries only a placeholder, never the real address.
    document.write("<a href='mailto:[no_spam]' onMouseOver='s12()' onClick='return x12()'>"+"Thomas Anderson"+"</a>");

    // Assemble the real address from fragments, so it never appears as a literal in the page source.
    function m12(){var l="@"; l=l+"matr"; l="derson"+l; l=l+"ix.net"; l="thomas.an"+l; return l};

    // On hover, show the assembled address in the status bar.
    function s12(){status=m12()};

    // On click, navigate to the assembled mailto: target ("this" is window here, as x12 is called
    // as a plain function) and return false so the placeholder href is never followed.
    function x12(){this.location="mailto:"+m12(); return false};
    //--></script>

    This creates a functioning mailto: link with the address shown in the status bar, while utterly thwarting spiders looking for email addresses to spam. However, it's easy to see how it can be modified to make a link that appears to point to one location, but switches targets when it's clicked on. It's too obfuscated to be caught by filters, so the only way to block it is to disable JavaScript entirely, which destroys the link.

    @Brent Gardner:

    A good idea, but there should be a (per-site) option to make it consider only the primary name. Many sites have several subdomains (foo.example.net, bar.example.net) for legitimate reasons, and they should be allowed to reference each other. Not all of them, of course (e.g. *.dyndns.org).

    Dan Goodin does have something of a point about plugins, and FOSS in general. Suppose Jane Random tries switching from IE to Firefox. How does she know to also download NoScript and Adblock, when she's never heard of them before? The typical user expects to install a program and have it work right away (perhaps after configuration with a setup wizard or included clear instructions). If it doesn't, they aren't going to look for and search through support forums; they'll just get frustrated and go back to using their MS (or whatever) product. FOSS will not become truly mainstream until it reaches that point. Half the projects on Sourceforge have no documentation I've ever been able to find, and most of the rest assume you're already using and familiar with the software. I won't download something if I can't figure out what it does; how can you expect an average non-techie to?

  15. P. Lee
    Linux

    NoScript vs Zones

    It's been a long time since I've used zones in anger, but I had someone using Vista ask for help the other day.

    It took me a while to work out that zone protection was killing scripts and causing problems. NoScript is much more "in your face" which makes it easier to manage, as far as I'm concerned. This probably isn't true for corporate environments, but I suspect an rsync cron job might fix that.

    There really isn't a good solution for everything, but for most sites (other than facebook) allowing the main domain allows things to run ok.

    Now if I could just get noscript to use a little less screen space for sites I've already configured...

  16. Jess

    @Seriously the time has come

    Nice idea, except for the iframes bit. Scripts in iframes should be prohibited, rather than the whole thing.
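Editor's added example, modelling the policy discussed by Brent, Kanhef and Jess above. This is not code from any commenter or from any browser. It implements Brent's rule (a page may only contact its own host) and Kanhef's relaxation (sibling subdomains of the same primary name may reference each other, except under shared suffixes such as dyndns.org, where the next label belongs to a stranger). The two-entry suffix list and the host names are constructed for illustration; a real implementation would use the public suffix list.

```javascript
// Added example (editor's, not from any commenter or any browser). It models
// the per-page rule Brent proposes (a page may only contact its own host) and
// Kanhef's relaxation (sibling subdomains of one registrable name may reference
// each other, except under shared suffixes such as dyndns.org, where the next
// label belongs to a stranger). The suffix list and host names are made up.

// Suffixes under which the next label is owned by an unrelated party. A real
// implementation would use the public suffix list; this is a two-entry stand-in.
const SHARED_SUFFIXES = ['dyndns.org', 'co.uk'];

// The "primary name" Kanhef refers to: strip a hostname down to the part that
// one party controls.
function registrableDomain(host) {
  host = host.toLowerCase();
  const labels = host.split('.');
  for (const suffix of SHARED_SUFFIXES) {
    const suffixLen = suffix.split('.').length;
    if (labels.length > suffixLen && host.endsWith('.' + suffix)) {
      return labels.slice(-(suffixLen + 1)).join('.');
    }
  }
  return labels.length > 2 ? labels.slice(-2).join('.') : host;
}

// mode 'strict': Brent's rule, exact host match only.
// mode 'site':   Kanhef's rule, same registrable domain.
function requestAllowed(pageHost, requestHost, mode) {
  const a = pageHost.toLowerCase();
  const b = requestHost.toLowerCase();
  if (mode === 'strict') return a === b;
  if (mode === 'site') return registrableDomain(a) === registrableDomain(b);
  throw new Error('unknown mode: ' + mode);
}

// Apply the rule to the hosts a page embeds and report what would be cut.
function blockedHosts(pageHost, embeddedHosts, mode) {
  return embeddedHosts.filter(h => !requestAllowed(pageHost, h, mode));
}

// Constructed page: a site loading its own static host plus the kind of
// third-party hosts Big Bear lists further down the thread.
const EMBEDDED = ['static.example.net', 'www.example.net',
  'www.google-analytics.com', 'ad.doubleclick.net'];

console.log(blockedHosts('www.example.net', EMBEDDED, 'strict'));
// -> [ 'static.example.net', 'www.google-analytics.com', 'ad.doubleclick.net' ]
console.log(blockedHosts('www.example.net', EMBEDDED, 'site'));
// -> [ 'www.google-analytics.com', 'ad.doubleclick.net' ]
```

The strict mode breaks the site's own static host, which is the "useless crap that will break" Pierre predicts; the site mode keeps it while still cutting the third parties, and the suffix list is what stops alice.dyndns.org from being treated as a sibling of bob.dyndns.org.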

  17. Anonymous Coward
    Anonymous Coward

    WTF......

    'Those who'd like to do so can simply set the Trusted Zone to Medium-High security (the same baseline as the Internet Zone's default setting in IE7) and disable the HTTPS requirement for Trusted Zone sites. Next, change the Internet Zone to disallow Java applets, active scripting, ActiveX and whatever else. Add trusted sites to the Trusted Sites zone as desired.'

    I'm a software engineer (albeit Linux) and even I don't understand this straight off.

    What's Joe Public gonna make of it?

  18. Anonymous Coward
    Dead Vulture

    Inaccurate description of attack, plus gratuitous FUD

    >"Because it exploits architectural flaws in the internet's core"

    No it doesn't. It exploits architectural flaws in the *browser's* core; to be precise, in CSS and HTML and their interactions when displayed in a browser.

    You can't clickjack in FTP, or IRC, or SSL. Nor can you clickjack someone who's using wget or telnet to fetch a web page over HTTP. Only something with a full browser engine in it can be clickjacked.

    >"Of course, as creator of NoScript - a security add-on for Firefox that offers important clickjacking protections not available in other browsers - Maone isn't the most non-partisan of commentators."

    WTF is this gratuitous personal attack doing in the article? He made a very basic statement of fact there, where is there any suggestion of partiality? Are you claiming that if he wasn't biased, he would have claimed that the tags would magically appear on websites without being put there by the owners? Was this some kind of misbegotten attempt at journalistic 'balance'? It seems a bit straining-at-a-gnat conspiracy-mongering to me.

    Oh, and a bit of mangled editing you might want to fix as well: there are a few words missing from

    >"updates Adobe made to Flash in October some but not all clickjacking exploits."

  19. Dave Coventry
    Coat

    @adnim, Re: Clickjacking

    Thanks for the clarification.

    Presumably the web page itself needs to carry the required Javascript redirection function? In which case, surely whoever inserts the Javascript into the webpage can ensure that the tags needed for the clickjack protection mechanism employed by this fiendishly clever plan are turned off?

    Or am I missing something?

  20. Anonymous Coward
    Unhappy

    It's all gone to pot!

    Face it, being the awful species we are, the environment is wrecked and the internet is fsck'ed. Just like living in a bad neighbourhood, you just have to do the best you can and try not to draw attention to the fact that you are trying to protect yourself, with your bars-on-windows and gun hidden in the sock drawer!

    When it comes right down to it MS don't really care about the users, their monopoly is too big, they simply rename the problems so the shareholders sleep sound at night. People are trying to do the best they can with the tools they have, roll their own free fixes to "da 'net's" problems, SpyBot, Firefox, ClamAV, etc. If you need MS O/S for games, then install the cheapest version you can afford and remove all the pretend crud they put in it, then install some serious free security software, written by people who do genuinely care about their users!

  21. mechBgon

    "Serious free security software," eh?

    Quote: "If you need MS O/S for games, then install the cheapest version you can afford and remove all the pretend crud they put in it, then install some serious free security software, written by people who do genuinely care about their users!"

    Ironically, you can do more to secure Windows by using the built-in features of Windows, than by installing layer upon layer of free security software. If you want to build a security solution, that's the bedrock to build upon. If you'd like a suggested plan, see http://www.mechbgon.com/security . I have considerable malware-hunting experience, as well as sysadmin experience, and these suggestions have passed extensive "live-fire testing," so... horse, meet water.

    Quote: "I'm a software engineer (albeit Linux) and even I don't understand this straight off. What's Joe Public gonna make of it?"

    I agree that most people are not very good at following printed instructions. Would a YouTube video help? http://www.youtube.com/watch?v=kzj8_n8uMGg

  22. Dan Goodin (Written by Reg staff)

    @gratuitous FUD

    Anonymous coward, no conspiracy or FUD mangling going on here. Just disclosing that Maone is the creator of a product that competes with these Internet Explorer security measures and pointing out that security researchers with no dog in the fight agree with Maone.

  23. Big Bear

    NoScript vs Zones II

    Both of these require people to do things to allow potentially dangerous happenings, but at the end of the day the user can still break their system if they try hard enough! You can drop the Zone security level and run into problems, or you can click on a dangerous script and tell NoScript that it is allowed and cause trouble as well! The difference is that NoScript lets you selectively allow scripts whereas Zones are generic… but normal (i.e. not anyone here!) users won’t be able to tell which should be allowed and which shouldn’t, for example, this page (for me):

    Google-analytics not allowed

    Googlesyndication not allowed

    Quantserve not allowed

    Doubleclick not allowed

    EL REG allowed

    Normal users will look at the list and freak out and probably allow all of them “because the intarwebs were broke but after that they worked but summat happened and all my moneys in my bank is gone”.

    Unfortunately, there is no real way to fix this except for sitting there and watching them use their machines for a week and seeing what they do whilst building a list of allowed and disallowed materials. I built a machine for a friend and showed them how NoScript works, and 6 months later had to fix the thing again from gratuitous allowing of everything…
