Really scary exploit attack in wild, which affects all browsers under any desktop operating systems including MS IE, Linux, Apple safari, Opera, Firefox and Adobe flash. Any website that uses CSS, flash and IFRAME (used to serve ads) can be used to attack on end users. Attacker is able to take control of the links that your browser visits. From the article:
According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.
How do I stop Clickjacking under Firefox?
There are two solutions.
Option #1: Disable everything
Disable scripting and plugins such as flash and others for the time being under Firefox (except adblock plus or no-script plugin). I’ve no idea how to do this under IE or other browsers. Under Firefox clock on Tools > Add-ons > Select each plugin and disable it.
Shutdown browser. Next, remove Adobe flash from system using apt-get or from your directory. If firefox 3 installed at /opt/firefox/, change directory to /opt/firefox/plugins:
# cd /opt/firefox/plugins
Delete flash and other plugins files:
# rm *
This should work for other browsers too.
Option #2: Use Noscript To Stop Attack
Bonus option # 3: Use lynx
Lynx and other text based browsers are not affected by this exploit. Lynx is a free open-source, text-only Web browser. Recent version works under Mac OS X, All versions of Windows and UNIX like operating systems. You install lynx using apt-get or yum command:
# apt-get install lynx
# yum install lynx
- More info about clickjacking
- NoScript plugins
- Clickjacking demo / proof of concept demo (warning it will hijack your clipboard, to stop just close browser.)
- Clickjacking: Researchers raise alert for scary new cross-browser exploit