Microsoft provided more information Wednesday about how Internet Explorer's new anti-clickjacking feature works, but one of the researchers who first reported the problem last year said it will have "zero impact" on protecting users.
Clickjacking is the term given last September to a new class of browser-based attacks that trick users into clicking on site buttons or Web forms. Such attacks essentially hide malicious actions under the cover of a legitimate site, and theoretically can be used to empty online bank accounts, secretly turn on Web cameras or even change a computer's security settings to make it vulnerable to additional attack.
In a post to the IE blog late yesterday, Microsoft program manager Eric Lawrence provided the first technical details of the new feature, which debuted in Internet Explorer 8 Release Candidate 1 (IE8 RC1), the preview launched Monday. According to Lawrence, the defense relies on Web application and site developers sending the browser an HTTP response header, dubbed "X-Frame-Options" to restrict how the page may be framed.
That's all well and good, said Robert Hansen, CEO of SecTheory LLC, and one of the two researchers who first warned of clickjacking, but it's not going to do much, if any, good in even the long run.
"It has to be done by the Web sites themselves," he said. "That's not exactly the greatest way to protect users."
As an illustration, he brought up "HTTPOnly," a flag that's been available to site and application developers for years. Designed and promoted by Microsoft, HTTPOnly protects Web "cookies" from malicious scripts.
"A great security feature, but it took years and years to be deployed by even one other browser, Firefox," said Hansen. "And still we have maybe .001% deployment of HTTPOnly, and then only on the biggest sites."
He sees the same dismal uptake in the future for Microsoft's opt-in on clickjacking. "There's value in it, to be sure, and it definitely provides some protection. Eventually, the number of people protected with grow, and then it will have some amount of impact. But now? It will have zero impact."
Although he declined to say how much he knew of IE8 RC1's anti-clickjacking feature before this week, Hansen did acknowledge that the technique was one that came up in his first conversations with a Microsoft's security expert he rousted out of bed last year. "One of the things he mentioned was this idea," said Hansen. "But I told him there were lots of sites that can't have this in the header and still work, so I dismissed the idea immediately."