Warning To Disable Browser Plug-Ins

[Larwee]

A Web browser exploit technique called "Clickjacking" affects Microsoft Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox, and Opera.

Clickjacking makes it possible for an attacker to trick a user into clicking on content from another page. Because of the way it works, if a user clicks on a Web page, they may actually be clicking on content from another page.

At the present time there is no fix for the vulnerability. Users have been advised to disable all browser scripting and plug-ins until there is a solution.

Here is an article with more details 'Clickjacking' Attack Prompts Warning To Disable Browser Plug-Ins -- Web Browser -- InformationWeek

[Linda Buquet]

Shoot, the 1st time I read it I didn't see FF and thought whew! No really,
can't use any plugins??? Guess I'll go read it. Thanks Larry!

[Linda Buquet]

Dumb question, is the Google toolbar considered a FF plugin? Are all FF addons also considered plugins?

I disabled (not uninstalled) all my FF add-ons. Hope that's good enough and I don't need to uninstall them all. I also added the No-script plug-in.

HERE IS THE LINK TO THE NO-SCRIPT PLUG-IN.

I would be VERY careful not to install this plug-in from anywhere except Mozilla. I mean that's always the case - but especially with this one since everyone's recommending it you'll see scammers offering it and when you download you get a bundle of malware.

THANKS for that warning Larry. I've been having lots of tech problems with the new laptop I'm on. Don't need any more probs.

[Larwee]

The Google Toolbar plugin is a plugin.

Not everything is as clear as would be ideal. It looks as if it is being suggested that some security-related plugins (plug-ins) should not be disabled.

This is one of those things that is very important and people should spend as much time as possible trying to learn about it so they will be in a good position to deal with it. The sad thing is most people aren't going to be willing to take the time to give it the attention it deserves, but will spend much more time on things that aren't important.

Adobe Flash is also affected.

A few important points:

Quote:

The problem affects all of the different browsers except something like lynx.

Quote:

The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.

Quote:

the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Quote:

In the meantime, the only fix is to disable browser scripting and plugins.

Quote:

Web sites that attempt to be more secure end up being less secure with regard to clickjacking.

Quote:

sites that try to protect against cross-site request forgery end up making themselves vulnerable to this attack.

Quote:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.

Quote:

The only people who can fix this in a scalable way are the browser vendors

Quote:

It's not clear how serious the browser makers have taken the warnings

Here are three more very good articles that add some important additional information:

Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

Security researchers warn of new 'clickjacking' browser bugs

Firefox + NoScript vs Clickjacking | Zero Day | ZDNet.com

[Linda Buquet]

Whoa that last article has even the guy from noscript saying how scary this is.

Couple other important points to add to what Larry has above.

When running noscript, lots of things you do every day won't work. You'll have problems with this forum, online banking, etc. Online banking is especially crucial

I disabled iframes by instinct before I even knew what I was doing. But in that 3rd article of Larry's they really stressed it.

For 100% protection by NoScript, you need to check the “Plugins|Forbid IFRAME” option.

Also they said specifically DON'T turn off Javascript in your browser options then noscript won't work to protect you as it should.

Also with noscript there's an option to turn on a warning sound every time a script is blocked. I find that helpful and also a pain.

[Larwee]

Here is another thing that people should know. It does raise a lot of concerns.

Clickjacking can be used to hijack a computer's microphone and Webcam and create a malicious surveillance platform.

Stop and think about that for a moment and think of all the possible implications this could have. You think you have total privacy but you are being watched and listened to.

This article has details about this and suggestions on how you can deal with this very disturbing problem Clickjacking Attack Lets Web Sites See, Hear You -- Internet Security -- InformationWeek

[Linda Buquet]

Be careful out there - all you affiliates that work from home in your underwear!
Luckily I don't have a web cam, so don't need to worry about it.

[genuwine4532]

Wow, I am always in my underwear and sometimes less, THANK GOD I don't have a webcam.

THANKS SO MUCH for the info, all ready on it! Installing Noscript and disabling plug-ins.

Also, I believe in NOScript, you can designate trusted sites, such as this one, it will be a PAIN the ***, guess it will have to be one by one, but better than alternative!

THANKS AGAIN, YOU GUYS ROCK!!

[Linda Buquet]

OHHHHH so now we know why you are so productive!!! No clothes!

Noscript is really a pain. It will interrupt everything you do, but like anything once you get used to it it's not so bad. On trusted sites like this one you can mark it trusted and it won't bug you.

HOWEVER realizing that probably anyone that tries to exploit this is looking for some type of financial payoff, I'd be careful who I white list.

EXAMPLE - I trust Wells Fargo - but I'm not going to white-list them because that's where the bad guys are likely to strike. So you can just click the button to say temporarily allow all on this page or only allow certain features you need.

FYI I'm barely doing any banking online now. If I can do in person or by phone I will do it that way. I have my money spread across lots of banks now due to the economy, so it's a pain not using online banking to move my money around when I need to. But... I'd rather be inconvenienced than ROBBED!

[genuwine4532]

Quote:

Originally Posted by Linda Buquet

OHHHHH so now we know why you are so productive!!! No clothes!

[/b]

AND YOU KNOW THIS LINDA!!!

Yeah and you are totally right, it is a HORRID PAIN, but I am getting used to it all ready the NoScrpit interface is very user friendly, just a couple of clicks to allow pages.

I too love online banking, this SUCKS, I hope all these evil hackers ROT!!!