Another Day I

30. January 2009

Both a long day and a term of school work just finished for me. Now I am just awaiting the next one.
In the meantime I’ve been reading about clickjacking on untrace.de. I had to laugh when Benni wrote that he was not able to reproduce the exploit on Internet Explorer. I mean, its rendering and ECMAScript engines are so bad that they fail to even run beneficial code, not to mention malicious code.
I had to face so many issues while developing this site, e.g. Internet Explorer 7 is not able to handle basic margin collapsing. Still, there is the good news that Microsoft is going to iron out many of its sins with the release of Internet Explorer 8. It even looks like Internet Explorer 9 is going to be a browser that users could actually use voluntarily:

  • There is no official roadmap for IE9, but native SVG support is likely.
  • A new JavaScript engine is likely down the road, too. A user asked: “Almost all others browsers are now considering JavaScript compilation. Safari introduced SquirrelFish and last week SquirrelFish extreme in reaction to V8. Mozilla has also started working on ScreamingMonkey. Will IE9 have a new JavaScript engine?” The response: “We’re certainly focusing heavily on improving Javascript, in IE8 and beyond. I’d expect to see great things here in the future.” (from wired.com)

The future does not look that bad.

But to come back to the topic of clickjacking:
Basically, you detect where the user’s mouse is, and when the user is about to click you just put an invisible link under the mouse pointer.

I think that the vulnerability is amazingly simple. Since I have used NoScript for several years now, it won’t be an issue for me, but I see the power behind it. Redirecting websites you trust to malicious ones can be a powerful tool to exploit your wallet and identity, together with XSS and social engineering.

Another reason to use brain.exe on a daily basis. The most powerful tool when it comes to security.