The Mac Security Blog

Have You Heard of Clickjacking? It’s the Latest Security Threat

Clickjacking, or hijacking your clicks. What’s this new threat all about? Computerworld discusses this with “Robert Hansen, founder and chief executive of SecTheory LLC, and one of the two researchers who discussed the bug in a semi-closed session at OWASP AppSec 2008 on Wednesday.” Hansen explains that clickjacking is simply a way to add invisible buttons to web pages that overlay real buttons, so that when you click what looks like an ordinary button, something unexpected happens.

Hansen gave an example: “Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

Since clickjacking depends on JavaScript, Hansen says the only way to protect against it is to not use JavaScript. He recommends using Firefox with the NoScript add-on; if you use Safari, you can also disable JavaScript from the program’s Security preferences.

For now, the two researchers plan to release proof-of-concept code, but no attacks have been seen in the wild. We’ll be keeping our eyes open for this. If such attacks occur, it is possible that they will be cross-platform, unless the underlying JavaScript is designed to only work on a specific platform.
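The overlay trick Hansen describes can be spotted from the page side by looking for elements that are effectively invisible yet sit on top of a clickable control. The following is an added example, not code from the blog post or from the researchers; the element descriptors are a constructed stand-in for what a browser would report through getBoundingClientRect() and getComputedStyle().

```javascript
// Does rectangle a contain the centre point of rectangle b?
function coversCentre(a, b) {
  const cx = b.x + b.width / 2;
  const cy = b.y + b.height / 2;
  return cx >= a.x && cx <= a.x + a.width && cy >= a.y && cy <= a.y + a.height;
}

// An element is "effectively invisible" when it is transparent, hidden, or has no
// visible box: the hallmark of an overlay meant to receive clicks aimed elsewhere.
function effectivelyInvisible(el) {
  return el.opacity <= 0.05 || el.visibility === 'hidden' || el.width === 0 || el.height === 0;
}

// Report every invisible element stacked above a visible clickable control; such an
// element, not the control the user sees, would receive the click.
function findClickOverlays(elements) {
  const controls = elements.filter(e => (e.tag === 'button' || e.tag === 'a') && !effectivelyInvisible(e));
  const overlays = elements.filter(e => effectivelyInvisible(e));
  const findings = [];
  for (const overlay of overlays) {
    for (const control of controls) {
      if (overlay.zIndex > control.zIndex && coversCentre(overlay, control)) {
        findings.push({ overlay: overlay.id, covers: control.id });
      }
    }
  }
  return findings;
}

// Constructed sample page: an honest "Play" button, a transparent frame parked over
// it, and a fully visible (legitimate) frame elsewhere on the page.
const samplePage = [
  { id: 'play',    tag: 'button', x: 100, y: 200, width: 120, height: 40,  opacity: 1,    visibility: 'visible', zIndex: 0 },
  { id: 'overlay', tag: 'iframe', x: 90,  y: 190, width: 140, height: 60,  opacity: 0.01, visibility: 'visible', zIndex: 10 },
  { id: 'video',   tag: 'iframe', x: 400, y: 50,  width: 320, height: 240, opacity: 1,    visibility: 'visible', zIndex: 0 },
];

console.log(findClickOverlays(samplePage)); // [ { overlay: 'overlay', covers: 'play' } ]
```

In a real page the descriptors would be gathered for every element in the document, which is the kind of rendering comparison NoScript-style protections automate.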

RSPlug Trojan Horse Infections on the Rise

MacFixit has a thread today about slow browsing caused by infections from the RSPlug Trojan horse, which Intego discovered last October. The article links to a thread on Apple’s forum, where a user found that slow browsing was caused by infection from this Trojan horse. Not all users who have slow browsing problems are infected, but infection can be prevented by using Intego VirusBarrier X5.

To sum up the problem, the RSPlug Trojan horse changes a user’s DNS settings, causing their computer to query a rogue DNS server. When this new, malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. If this server gets too many queries, however, it can be very slow, since it is not scaled for such traffic. At least that symptom will lead some users to learn that they have been infected.
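Because the Trojan horse works by swapping the resolvers the Mac queries, a quick check is to compare the resolvers in use against the ones you expect. The following is an added example, not code from the blog post or from Intego; it parses the text printed by `scutil --dns`, the sample output is constructed, and 203.0.113.5 (a documentation-range address) stands in for a rogue server.

```javascript
// Pull every "nameserver[N] : addr" entry out of `scutil --dns` output.
function parseNameservers(scutilOutput) {
  const servers = new Set();
  for (const line of scutilOutput.split('\n')) {
    const m = line.match(/^\s*nameserver\[\d+\]\s*:\s*(\S+)/);
    if (m) servers.add(m[1]);
  }
  return [...servers];
}

// Return the resolvers that are not on the allowlist. A non-empty result is the
// kind of change RSPlug makes and means the machine's DNS settings deserve a look.
function unexpectedResolvers(scutilOutput, allowed) {
  const ok = new Set(allowed);
  return parseNameservers(scutilOutput).filter(s => !ok.has(s));
}

// Constructed sample: the resolver list of a home Mac whose first resolver has
// been replaced by an outside address; the second is still the home router.
const sampleScutil = `
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.5
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
`;

const expected = ['192.168.1.1']; // the home router handed out by DHCP (assumed)
console.log(unexpectedResolvers(sampleScutil, expected)); // [ '203.0.113.5' ]
```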

Some Mac Pros Hazardous to Your Health?

The French newspaper Libération is reporting that some Mac Pros give off strange odors, which may be hazardous. They tell of a scientist who discovered, after using a new Mac Pro for ten days in February 2007, that his eyes, nose and throat were irritated. Apple changed the computer’s power supply, but the odors continued. They then exchanged the computer, but the new model had the same odor. The scientist contacted Greenpeace, who sent the computer to their Analyicta laboratory for tests. The Mac Pro gave off chemicals such as benzene and styrene, both of which are dangerous, as well as some derivatives of these chemicals.

Apple has, according to Libération, known about the results of this test since February of this year, but has said nothing to other owners of Mac Pros.

Apple Updates Java; Plugs Security Holes

Apple has released updates for Java for Mac OS X 10.4 and 10.5, both of which contain fixes designed to resolve security issues. Both versions of the update fix a problem whereby “visiting a maliciously crafted website may lead to arbitrary code execution” and “untrusted Java applets [may] obtain elevated privileges.” The 10.5 update also deals with a “limited ability of applications to use stronger cryptographic keys,” allowing Java to use 256-bit keys.

More information is available from Apple’s Security Updates page, and the updates can be installed via Software Update or downloaded here.

Camino and Firefox Updates Patch Security Holes

New versions of two web browsers were released today, both with security fixes as well as bug fixes. Camino 1.6.4 is “upgraded to version 1.8.1.17 of the Mozilla Gecko rendering engine, which includes several critical security and stability fixes.” And Firefox 3.0.2 patches two critical and two moderate vulnerabilities; the critical vulnerabilities are a buffer overflow and a privilege escalation. If you use one of these browsers, you should update them as soon as you can.

Intego Software to Be Bundled with LaCie Hard Disks

Intego has begun a strategic partnership with LaCie, the acclaimed vendor of high quality storage solutions. Intego will help ensure that Mac users around the world are protected in case of data loss by providing two powerful, user-friendly solutions to back up data to LaCie drives, starting with the LaCie 4big and LaCie Network Space in September 2008.

Intego will be providing two backup programs – Intego Backup Assistant and Intego Backup Manager Pro – that are derived from Intego’s award-winning Personal Backup X5, and will be bundled with LaCie’s products. Intego Backup Assistant will be included with all LaCie hard drives and some of its network storage devices, and Intego Backup Manager Pro will be provided with LaCie’s professional network storage devices.

For more information, read Intego’s press release.