Sunday, October 12, 2008

Clickjacking -- and a fix

There has been a lot of talk this week about a newly discovered vulnerability in all modern browsers running under any operating system, including all versions of Microsoft Windows, Linux, BSD, and Mac OS X. Called clickjacking, it's a means of hijacking (redirecting) clicks on links within browsers:
Computerworld article or http://tinyurl.com/3rmfac

Fortunately, a useful fix is available. I have recommended the use of the Mozilla Firefox browser for quite a while. It runs on Windows, OS X, BSD, and Linux. The important information here is that Firefox supports add-ons -- plug-ins that add useful features. That's where the solution comes from; it's yet another reason to (mostly) abandon Microsoft's Internet Explorer under Windows.

I am a long-time user of the NoScript add-on for Firefox, which blocks scripts (which are usually JavaScript-based) from running in the browser -- unless you allow them on a per-site basis (easily managed). It has just been updated to add useful protection against this very vulnerability.

Managing add-ons in Firefox is pretty easy. Go to the Tools menu in the menu bar at the top of the window and select Add-ons. When the dialog window opens, enter noscript in the search box near the top of the window and install the add-on from there. There may be other useful add-ons of interest to users; see the Firefox add-ons page for more information, including the ability to browse add-ons by category.
