Fight Clickjacking!
A relatively new type of attack has been in the news lately, and it’s particularly bad because it’s subtle and, until recently, undetectable by most users. The attack is known as Clickjacking, and it involves legitimate web pages that have been hacked to include hidden links leading to various forms of malware. A user unknowingly clicks on the injected element, which might be hidden behind an invisible image or by some other technique, and bad things happen. Clickjacking can be used to do anything from installing malware on your machine to turning on your webcam’s microphone.
Happily there’s a solution, at least for Firefox users. Download the latest release of NoScript, a handy little plugin, and you’ll be protected from all known forms of Clickjacking. NoScript monitors the code on the page you’re viewing. If it notices any suspicious scripts that might try to execute from untrusted websites, it disables them and notifies you of its actions (similar to plugins like AdBlock Plus).
As an added bonus, NoScript then shows you the offending content and gives you the option of effectively quarantining it forever or allowing it to execute. It also can make the hidden content opaque, so it’s visible on the page. This is a very powerful little tool, and hopefully all Firefox users will update immediately (that’s a hint) to the latest release.
What if you’re not using Firefox? Visit this article and you’ll be provided with all the currently available information about securing IE, Chrome, and Safari. Sadly it seems there’s no way at present to protect any of these browsers completely, but you can at least limit the potential damage by enabling various browser options.
Apparently other applications, like Flash, are also vulnerable to this type of attack. According to a recent PCWorld article, other companies are working on patches to close these vulnerabilities.
Hidden content like this isn’t new, and sometimes it can be legitimate. You don’t want to globally disable all scripts on all sites. I couldn’t write this blog if I did that, since WordPress uses scripts. What you’re after is the ability to disable hidden content that references untrusted sites. NoScript’s ClearClick capability does that. It’s another tool in the arsenal, and definitely worth installing.
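As an added example (not code from the original post or from NoScript itself), here is a tiny ClearClick-style check in JavaScript: it models page elements as plain objects, flags near-transparent clickable elements that sit on top of visible content, and makes them opaque. The element fields, the 0.1 opacity threshold and the sample page are assumptions; in a real browser you would fill the models from getComputedStyle and getBoundingClientRect.

```javascript
// Added example (not from the original post or from NoScript): a minimal
// ClearClick-style check that finds near-transparent elements which still
// receive clicks and sit over visible content, then forces them opaque.
// Elements are plain objects so the logic runs outside a browser.

const CLICKABLE = new Set(['A', 'BUTTON', 'INPUT', 'IFRAME', 'SELECT']);

// Axis-aligned rectangles {x, y, w, h} overlap unless one lies fully beside the other.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// "Invisible but clickable": nearly transparent yet still receiving pointer events.
// display:none and visibility:hidden elements never get clicks, so they are skipped.
function isInvisibleClickTarget(el) {
  return el.opacity < 0.1 && el.pointerEvents !== 'none' &&
         el.display !== 'none' && el.visibility !== 'hidden';
}

// Invisible clickable elements stacked over some visible element (the decoy the
// user believes they are clicking). Simplification: ancestors are not excluded.
function findHiddenOverlays(elements) {
  const visible = elements.filter(el =>
    el.opacity >= 0.1 && el.display !== 'none' && el.visibility !== 'hidden');
  return elements.filter(el => CLICKABLE.has(el.tag) && isInvisibleClickTarget(el) &&
    visible.some(v => v !== el && v.zIndex <= el.zIndex && overlaps(el.rect, v.rect)));
}

// Return an opaque, outlined copy of a flagged element, as ClearClick does on screen.
// In a browser the same values would be assigned to element.style.
function reveal(el) {
  return Object.assign({}, el, { opacity: 1, outline: '3px solid red' });
}

// Constructed sample page: a visible decoy button with a transparent iframe on top
// of it, plus an ordinary visible link that must not be flagged.
const SAMPLE_PAGE = [
  { tag: 'BUTTON', opacity: 1, pointerEvents: 'auto', display: 'block',
    visibility: 'visible', zIndex: 0, rect: { x: 100, y: 100, w: 200, h: 50 } },
  { tag: 'IFRAME', opacity: 0, pointerEvents: 'auto', display: 'block',
    visibility: 'visible', zIndex: 10, rect: { x: 90, y: 90, w: 220, h: 70 } },
  { tag: 'A', opacity: 1, pointerEvents: 'auto', display: 'inline',
    visibility: 'visible', zIndex: 0, rect: { x: 400, y: 300, w: 80, h: 20 } },
];

console.log(findHiddenOverlays(SAMPLE_PAGE).map(reveal).map(el => el.tag)); // [ 'IFRAME' ]
```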