Have you heard. IE 8 RC1 (Release Candidate) is out now. Just like the previous release, this time also MSFT had included a new feature names ClickJacking Protection.
Lets here what Wikipedia has to say about this.
Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
One of the most security vulnerabilities in the web-world is called Cross Site Request Forgery (CSRF). Preventing CSRF attacks is hard because there’s generally no easy fix. The browser architecture allows interaction & navigation between multiple sites simultaneously, within a page; which can be exploited by an attacker.
IE 8 Dev Team says, “ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction”. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user.
The simplest and most broadly-used mechanism to defeat ClickJacking attacks is called frame-busting.It works by simply preventing vulnerable pages from being framed. Since, a typical frame-busting mechanisms rely on script; it can be defeated in various ways.
The Internet Explorer 8 RC introduces a new opt-in mechanism that enables web applications to mitigate the risk of ClickJacking on vulnerable pages by declaring that those pages may not be framed.
How it works
Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a sub-frame, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.
When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking.
ClickJacking is an alternate scriptless way of performing Frame Busting. However, this technique becomes useless if the attach involves Flash applets and other kind of plug-in embeddings.
I came across a couple of articles claiming that ‘Experts’ believe this technique is not gonna lockdown the attack. But. I’m sure of one thing. At least, websites will use this Microsoft technology to prevent attacks, for their IE users.
For time being this is a good security policy. Let see what MSFT has ironing for the final release.
Good Luck, Redmondians.
Oh! forgot to say, I started using IE 8 RC1.
Reference: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
.
Posts
