The latest release of NoScript, version 126.96.36.199, will stop so-called “clickjacking,” where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program.
Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person's privacy or even worse, steal money from a bank account.
Unfortunately, clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages, Maone said. Nearly all Web browsers are vulnerable to a clickjacking attack.
“It's a very hard thing to fix because it's part of the very fabric of the Web and the browser,” Maone said.
The embedded content can be invisible but a person can still unknowingly interact with it. A clickjacking attack takes advantage of that by tricking a user into clicking on a button that appears to do some function but actually does something entirely different.
Clickjacking can also be accomplished by manipulating the plug-ins of other applications, such as Adobe's Flash program and Microsoft's Silverlight. For example, researchers in recent days have shown it's possible for a clickjacking attack to turn on a person's Web camera and microphone without their knowledge.
In an advisory on Tuesday, Adobe said it will issue a patch for Flash by the end of the month.
The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning message asking the user if they still want to click on it.
Maone said ClearClick will likely stop all clickjacking attempts. NoScript is only for the Firefox browser, so users of Microsoft's Internet Explorer — the most-used browser in the world — are vulnerable.
Web site owners, however, can take one step to prevent their users from falling victim, Maone said. Programmers can use a script on their Web sites that checks to see if a Web page is embedded in another page. If so, the script forces the good Web page in front, preventing clickjacking, Maone said.
The technique is called “framebusting.” Ebay's online payments service, PayPal, which is frequently targeted by cybercriminals, has already implemented framebusting, Maone said. NoScript will allow a framebusting script to run, Maone said.
“The best thing that can happen is that Web site owners start to think more carefully about security,” Maone said. “It is important that Web site owners spread the word that they should implement framebusting.”
Clickjacking is a serious, potentially long-term problem for browser developers. Since the attack is enabled by a feature within HTML, it demands changes to the HTML specification.
Web standards groups are currently working on HTML 5, a specification that will incorporate new features into the programming language to accommodate future Web design. But the standards process moves slowly, and changes to HTML could break existing Web pages, Maone said.
“For the user, I'm afraid there's no fix but NoScript for the time being,” he said.