Updated
01/31/09
posted by Dave
Independent Security Specialist
In the past few weeks, two very new and scary browser attacks have been launched
that I feel you need to be aware of. They affect all currently known browsers,
and security researchers and writers all agree that there is no real cure for
them – all but me of course. I will tell you about the two attacks first, and
then explain how you can protect yourself from them.
Adobe Flash ads launching clipboard hijack attack
Malicious hackers are using
booby-trapped Flash banner ads to hijack clipboards for use in rogue security
software attacks.
In the Web attacks, which target Mac, Windows and Linux users running Firefox,
IE and Safari, hackers are seizing control of the machine’s clipboard and using
a hard-to-delete URL that points to a fake anti-virus program.
According to victims on several Web forums, the attack is coming from Adobe
Flash-based advertising on legitimate sites — including Newsweek, Digg and
MSNBC.com.
Security researcher Aviv Raff has created a proof-of-concept demo to show
how easy it is to use Flash with ActionScript code to load (persistently) a
malicious URL into a target clipboard. (BEWARE: If you click on the demo link,
your clipboard is automatically hijacked and will only be released if the
browser window is closed).
Clickjacking: Researchers raise alert for scary new cross-browser exploit
Researchers are beginning to raise an alarm for what looks like a scary new
browser exploit/threat affecting all the major desktop platforms — Microsoft
Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.
The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec
2008 Conference but, at the request of Adobe and other affected vendors, the
talk was nixed until a comprehensive fix is ready.
So, what exactly is Clickjacking? This is from the recent OWASP (Open Web
Application Security Project) conference:

According to someone who attended the semi-restricted OWASP presentation, the
issue is indeed zero-day, affects all the different browsers and has nothing to
do with JavaScript:
In a nutshell, it’s
when you visit a malicious website and the attacker is able to take control
of the links that your browser visits. The problem affects all of the
different browsers except something like lynx. The issue has nothing to do
with JavaScript so turning JavaScript off in your browser will not help you.
It’s a fundamental flaw with the way your browser works and cannot be fixed
with a simple patch. With this exploit, once you’re on the malicious web
page, the bad guy can make you click on any link, any button, or anything on
the page without you even seeing it happening.
If that’s not scary enough, consider that the average end user would have no
idea what’s going on during a Clickjack attack.
Ebay, for example,
would be vulnerable to this since you could embed JavaScript into the web
page, although, JavaScript is not required to exploit this. “It makes it
easier in many ways, but you do not need it.” Use lynx to protect yourself
and don’t do dynamic anything. You can “sort of” fill out forms and things
like that. The exploit requires DHTML. Not letting yourself be framed (framebusting
code) will prevent cross-domain clickjacking, but an attacker can still
force you to click any links on their page. Each click by the user equals a
clickjacking click so something like a flash game is perfect bait.
According to Hansen, the
threat scenario was discussed with both Microsoft and Mozilla and they concur
independently that this is a tough problem with no easy solution at the moment.
Grossman confirmed that the latest versions of Internet Explorer (including
version 8) and Firefox 3 are affected.
Source:
http://blogs.zdnet.com/security/?p=1972
So, now that you are probably somewhere between concerned and frightened or
scared, what the heck do you do about it? Forget about doing anything online
anymore? Hardly. So I have a way out for you that involves using Firefox as your
default browser, but with a few tweaks and two very specific and powerful
plug-ins or add-ons to the browser.
Before we begin, remember that in the attacks discussed above the attackers are
using scripts and iFrame attacks in order to get to you. Both can be effectively
mitigated with the solution I will outline for you below, complete with links for
the browser and the add-ons and screen shots to help you set it all up.
If you are ready, we will begin.
Step 1
Go to http://www.mozilla.com/en-US/
to get Firefox 3. It is available for Windows (7.1 MB), Linux (8.7 MB) and Mac OS
X (17.2 MB). Below is a screen shot of where you should be after using the link
provided.

You will have to be logged on as an administrator or power user in order to
install the program.
Click on the link matching your operating system, download and install the
software by following the on-screen prompts. The install is straightforward and
I suggest you use the standard install. Caution: if you do not uncheck the box
to ‘Make Firefox your default browser’ during the install process, it will be
your default browser from now on. I recommend making it your default browser and
from now on only using Internet Explorer for Windows Update, Microsoft Update,
Office Update or things that may specifically require it.
Step 2
Setting up Firefox
Launch the browser and then right click the top toolbar and choose ‘Customize…’.
From here you see the Customize Toolbar console window as shown in the
screenshot below.

Here you can add the icon shortcuts you want by holding down the left mouse
button, dragging the icon of your choice to the toolbar and then releasing the
button. I recommend you add Print, Cut, Copy, Paste, New Tab and New Window.
Step 3
Now let’s change some settings for additional security.
On the top toolbar of Firefox, left click on ‘Tools’ followed by ‘Options’ and
you will have a screen that looks like the one below

You start on the ‘Main’ tab and I recommend the settings shown in the screen
shot.
Next, click on the ‘Tabs’ tab and you have the following –

Set it up as shown.
Next, click on the ‘Content’ tab and you have the options shown below

I recommend using the settings as shown. Yes, I know Java and JavaScript are
enabled, but we get to that later.
Next, click on the ‘Privacy’ tab and you have the view shown below –

I recommend using the settings as shown for maximum privacy, not maximum
convenience.
Now, left click on the all-important ‘Security’ tab and you will see the view
below-

I recommend the settings as shown, and set a strong master password to protect
all your stored passwords. Then, left click on the ‘Settings’ button under the
Warning Messages section and you have the view below –

I recommend using the settings as shown. Then left click OK on the ‘Security
Warnings’ window.
Next, left click on ‘Advanced’ followed by the ‘Update’ tab and you have the
following –

I recommend using the settings shown. Last step, click on the ‘Encryption’ tab and
you have the following –

I recommend the settings shown.
Step 4
Now for our two important Add-Ons for Firefox. First, go to
https://addons.mozilla.org/en-US/firefox/addon/1865
and you have the following in your browser –

Left click on ‘Add to Firefox’ to install the add-on. Restart Firefox as
instructed.
Step 5
Now we add the most important protection, NoScript, to Firefox. Go to
https://addons.mozilla.org/en-US/firefox/addon/722
You should have the following in your browser –

Left click on ‘Add to Firefox’ to install NoScript. Restart Firefox as
instructed.
Step 6
You can add the icon shortcut for AdBlock Plus to your toolbar the same way you
added other icons in step 2. Now we need to set up NoScript and we will be all
set. First, locate the new NoScript icon in the lower right hand corner of your
browser window, right click on it, and select options. You have a window as
shown below –

Under the ‘General’ tab, I recommend the settings shown. For your next step,
left click on the ‘Plugins’ tab and you should have the following –

I recommend the settings shown. Notice that we are blocking Java, Adobe Flash
and iFrames with the settings shown. This will keep you very safe.
Now, left click the ‘Notifications’ tab and you should see the following –

I recommend the settings as shown. Next, left click the ‘Advanced’ tab and
select ‘Untrusted’ and you have the following –

I recommend the settings shown. Patience – we are almost done. Now left click on
the ‘XSS’ tab and you should have the following-

I recommend the settings shown. Now for our final step. Left click on the ‘Jar’
tab and you should have the following –

Use the settings shown.
Extra Protection –
If you would like even more security for your browser that will not slow things
down, there are four more things you can add that I highly recommend. These
additions are designed to enhance browser safety even more without slowing you
down in the process.
A. The first addition is called FlashBlock. This extension blocks all Flash
content in a web page from loading automatically and allows selective activation
and whitelisting of sites. You get the extension here:
http://flashblock.mozdev.org/
You will want to install FlashBlock v 1.5.7.1 from the Web page. After
installation, restart Firefox and then go to the customize toolbars as you did
in step 2 above and add the FlashBlock icon to your toolbar. You can now control
flash content on a site-by-site basis. You will, of course, have to remember to
allow any desired flash content by using the new icon on the toolbar.
B. Our next addition is called Finjan Secure Browsing, and it offers the
following:
· Scans the current form of a page as it is available on the Web now, in
real-time.
· Detects malicious content based on code analysis, rather than using signatures
like anti-virus products.
· Provides the most accurate page safety rating based on the actual page
content, rather than database lookup of web address like URL filtering products.
It is also active with any search engine and analyzes the search engine page
results to let you know the status of the page listed. You get it here:
http://securebrowsing.finjan.com/
Click the download button for Secure Browsing for Firefox and allow the install.
Then you just need to restart Firefox and you are all set. Nothing else needs to
be done, and you will notice a new Finjan icon on the lower right of the browser
window that shows it is active.
C. Our next addition is called SSLBlacklist, which detects and warns about
certificate chains that use the MD5 algorithm for RSA signatures. It will warn
you if the secure site (https://) you are connecting to presents a certificate
signed using the insecure MD5 algorithm instead of the more secure SHA-1 or
SHA-2. You get this addition for Firefox here:
http://codefromthe70s.org/sslblacklist.aspx
Look for a link on the right side of the page listed as: sslblacklist –
4.0.30.xpi and simply click on the link and allow it to install. Restarting
Firefox completes the installation.
D. Our last addition is called Firekeeper.
Features of Firekeeper include:
- Ability to scan HTTP(S) request URL, response headers and body, and to cancel processing of suspicious requests
- Encrypted and compressed responses are scanned after decryption/decompression
- Privacy friendly - no data is sent to external servers, all scanning is done on the local computer
- Very fast pattern matching algorithm (taken directly from Snort)
- Interactive, verbose alerts that give an ability to choose a response to a detected attack attempt
- A detailed view of suspicious response headers and body
- Event logging
- Ability to use any number of files with rules and to automatically load files from remote locations
You get Firekeeper here:
http://firekeeper.mozdev.org/installation.html
Windows users are looking for the download: Firekeeper 0.3.1 (alpha release).
As above, simply download, allow the install, and restart Firefox. Now you are
all done and have a formidably secure browser at your disposal.
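What the MD5-signature check described for SSLBlacklist under item C involves, as an added example (not SSLBlacklist's code and not part of the original article): it reads the signatureAlgorithm OID from each DER-encoded certificate in a chain and reports the ones using md5WithRSAEncryption. The function names and the skeleton sample certificates are constructed for illustration, and the code assumes Node.js.

```javascript
// Added example, not SSLBlacklist's code; function names are illustrative. Runs under Node.js.
const MD5_WITH_RSA = '1.2.840.113549.1.1.4'; // OID of md5WithRSAEncryption
// Read one DER tag-length-value header at `off`; returns the tag and content bounds.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated DER');
  const tag = buf[off];
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > buf.length) throw new Error('bad DER length');
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}
// Decode OID content bytes to dotted form (first byte packs two arcs, the rest are base-128).
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (const b of bytes.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join('.');
}
// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function signatureOid(certDer) {
  const cert = readTlv(certDer, 0);
  const tbs = readTlv(certDer, cert.start);
  const alg = readTlv(certDer, tbs.end);
  const oid = readTlv(certDer, alg.start);
  if (cert.tag !== 0x30 || alg.tag !== 0x30 || oid.tag !== 0x06) throw new Error('not an X.509 certificate');
  return decodeOid(certDer.subarray(oid.start, oid.end));
}
// Positions in the chain (0 = the site's own certificate) that carry an MD5-based signature.
function md5SignedIndexes(chain) {
  return chain.map((der, i) => (signatureOid(der) === MD5_WITH_RSA ? i : -1)).filter(i => i >= 0);
}

// Constructed sample data: certificate skeletons with zero-filled body and signature.
const tlv = (tag, c) => Buffer.concat([ // lengths used here are < 128 or >= 256
  Buffer.from(c.length < 128 ? [tag, c.length] : [tag, 0x82, c.length >> 8, c.length & 0xff]), c]);
function sampleCert(lastArc) { // lastArc: 4 = MD5, 5 = SHA-1, 11 = SHA-256 (all with RSA)
  const oid = tlv(0x06, Buffer.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, lastArc]));
  const alg = tlv(0x30, Buffer.concat([oid, Buffer.from([0x05, 0x00])]));
  return tlv(0x30, Buffer.concat([tlv(0x30, Buffer.alloc(300)), alg, tlv(0x03, Buffer.alloc(257))]));
}
const SAMPLE_CHAIN = [sampleCert(5), sampleCert(4), sampleCert(11)];
```

For the constructed chain, `md5SignedIndexes(SAMPLE_CHAIN)` reports position 1, the certificate whose signature algorithm is md5WithRSAEncryption.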
Conclusion
You now have a very safe and secure browser capable of letting you surf the
Internet with some confidence for a change. It should also help you with on-line
banking or other needed services while keeping you secure and your information
private. As a warning, NoScript will be very ‘noisy’ at first until it learns
your favorite sites and what you want to allow. The nice thing is that you will
also be learning how much has been going on in the background without your
knowledge in the past while you were on the Internet. At least now, nothing will
be allowed to run unless you (the weakest link in your security settings)
specifically allow it to.
If it helps you any as to whether or not to do this project, and if it is really
worthwhile, the setups shown are what I have been using for years now, and they
have both served me very well and prevented any major problems. And, trust me,
with the research I am constantly doing I regularly have to visit some very
dangerous sites.
I hope this paper and tutorial has been informative and helpful to you.
Until next time…..
Best Regards
Dave