Now we can be "clickjacked"

[Syxx_Killer]

http://news.yahoo.com/s/nf/20081008/bs_nf/62355

As if adware, spyware, viruses, trojans, homepage hijackers, and other malware weren't enough. Now we can evidently be clickjacked. All I want to do is browse the web without worrying about which of the numerous cases mentioned above I can get infected with. Is that too much to ask?

[SUBMAN1]

Simple solution - run Firefox and install noscript and adblock on it. Then no worries for you on any of these exploits.

-S

[SteamWake]

Did you even read the article?

Quote:

Clickjacking has been identified as a vulnerability for the Adobe Flash player, as well as for every major browser, including Firefox, Internet Explorer, Opera, Safari and even the newly released Google Chrome

Meh... its an adobe issue anyhow.

[Task Force]

Then dont use Adobe for anything, even games.

[SUBMAN1]

Quote:

Originally Posted by SteamWake

Did you even read the article?

Quote:

Meh... its an adobe issue anyhow.

Yes, and no script script blocker will block it. Try it already.

-S

[Task Force]

So it will affect Mac too.

[SandyCaesar]

Looks scary, but I have to agree with SUBMAN1. It's Flash-based...which means that NoScript should be able to stop it flat, unless you, for some reason, enable it. Or unless you're running IE/Safari/Chrome, but it's a fair bet that there'll be NoScript analogues for those browsers out soon, if not now.

[mookiemookie]

Quote:

Originally Posted by SUBMAN1

Quote:

Yes, and no script script blocker will block it. Try it already.

-S

Not quite:

Quote:

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with javascript:

• In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

http://blogs.zdnet.com/security/?p=1972

[SUBMAN1]

Quote:

Originally Posted by mookiemookie

Not quite:

Quote:

http://blogs.zdnet.com/security/?p=1972

Wrong answer. With NoScript, you control what goes in and out, and this includes Flash.

-S

PS. This should help you understand:

Quote:

The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

Basically, Flash or anything coming into or leaving Flash, or the browser for that matter, has to be allowed first and by default nothing is allowed. Load it already. You get to even control third party hooks into Flash. Make sense now?