Browsing This
Clickjacking: Big Problem, Not Much Solution (Yet)
This week’s security threat: clickjacking.
Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. In this attack, hackers hide behind harmless-looking websites, so that visitors clicking around the site may unknowingly reveal sensitive information to them. Matt Hines of Security Watch describes it like this: “Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and begin secretly forcing the client to click on any links they desired. Scary stuff indeed!”
Clickjacking is a vulnerability that’s widespread across every major web browser and Adobe Flash player. One recently-revealed problem that can arise from clickjacking, for example, is that a hacker can remotely activate someone’s web camera and microphone without their knowledge via the Adobe Flash vulnerability. The ramifications of this sort of spying are powerful, and the industry is on high alert.
Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, discovered the vulnerability and were scheduled to speak about it at the Open Web Application Security Project NYC AppSec conference in New York last month. The talk was put off, however, until the various browser companies could take a stab at fixing the problem. There was no sense, after all, in tipping off hackers about the problem before there were solutions to be found.
So far, there is some success, albeit not as much as one might hope. The free Firefox add-on known as NoScript has been updated to combat clickjacking attempts. Italian developer Giorgio Maone calls the update “ClearClick,” meaning that it reveals anything that is hidden or obstructed when a user tries to interact with a website. The ClearClick update stops the interaction from completing and points out the disguised content, giving the user a chance to back away from the potentially dangerous content. But NoScript only works with Firefox and other Mozilla-based browsers, so what about Adobe Flash player, Internet Explorer and others?
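To make the ClearClick idea concrete, here is an added JavaScript example (not NoScript's code, which works differently) that models why a click can land on something other than what the user sees: page layers are plain objects standing in for DOM elements, and the sample page, the origins and the visibility threshold are all constructed assumptions.

```javascript
// Added example, not NoScript's code: a simplified model of the ClearClick idea.
// A clickjacking page stacks an invisible, cross-origin frame in front of a visible
// decoy, so the element receiving the click is not the one the user sees.

function contains(layer, x, y) {
  return x >= layer.x && x < layer.x + layer.w &&
         y >= layer.y && y < layer.y + layer.h;
}

// Layers under the point, front-most (highest z) first.
function layersAtPoint(layers, x, y) {
  return layers.filter((l) => contains(l, x, y)).sort((a, b) => b.z - a.z);
}

// The browser delivers the click to the front-most layer that accepts pointer
// events, no matter how transparent that layer is.
function clickReceiver(layers, x, y) {
  return layersAtPoint(layers, x, y).find((l) => l.pointerEvents !== 'none') || null;
}

// What the user perceives is the front-most layer that is actually visible.
function visibleAtPoint(layers, x, y, minOpacity = 0.1) {
  return layersAtPoint(layers, x, y).find((l) => l.opacity >= minOpacity) || null;
}

// ClearClick-style decision: when the receiver is not what the user sees,
// block the click unless the receiver belongs to the page's own origin.
function checkClick(layers, x, y, pageOrigin) {
  const receiver = clickReceiver(layers, x, y);
  const seen = visibleAtPoint(layers, x, y);
  if (!receiver || receiver === seen) return { allow: true, receiver, seen };
  return { allow: receiver.origin === pageOrigin, receiver, seen };
}

// Constructed sample (assumed origins): a decoy "Play" button on attacker.example
// with a fully transparent bank.example frame stacked in front of it.
const PAGE_ORIGIN = 'attacker.example';
const SAMPLE_LAYERS = [
  { id: 'decoy-button', origin: PAGE_ORIGIN, x: 100, y: 100, w: 120, h: 40,
    z: 1, opacity: 1, pointerEvents: 'auto' },
  { id: 'hidden-frame', origin: 'bank.example', x: 0, y: 0, w: 800, h: 600,
    z: 10, opacity: 0, pointerEvents: 'auto' },
];
```

A click at (150, 120) on SAMPLE_LAYERS is delivered to hidden-frame while the user sees decoy-button, so checkClick returns allow: false.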
Just the other day, Adobe released a workaround for the flaw in its Flash player in order to deny hackers access to web cams and microphones. They promise to release a true fix by the end of the month. US-CERT and others suggest disabling browser scripting and plug-ins on our individual browsers, but that can limit the functionality of many websites, and it’s still not a comprehensive fix. Joe Wilcox of Microsoft Watch notes that Microsoft’s reaction to the clickjacking threat has been somewhat tepid, but perhaps with reason. One difficulty with software companies and how they address the threat lies in the fact that so little information has been released; while that’s good for avoiding exploitation of the flaw, it’s not great for assessing the true risk (although US-CERT’s warning is dire enough to take clickjacking seriously). One thing everyone can agree on: The problem is real, but there’s no easy fix, at least for now.
Sources for this article: Yahoo! News, Computer World, PC Magazine, Adobe, US-CERT, Security Watch, Microsoft Watch
