New technology, which features in the release candidate version of Microsoft Internet Explorer 8.0, will not protect users from clickjacking attacks, say security experts.
Microsoft said it had developed "consumer-ready" protection against clickjacking attacks, in which a specially crafted web page tricks victims into clicking buttons on another site without realising it. The attack is hard to pull off, but at its worst, clickjacking can do some very nasty things, such as execute stock trades on financial websites, change router or firewall configurations, or even force someone to download unwanted software.
The problem is so vast that security experts worry that Microsoft's approach, which works only when website developers add special tags to their pages that prevent their own web buttons from being misused, may end up giving IE users a false sense of security.
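As an added illustration, not code from the article or from Microsoft: the article does not name the opt-in, so this assumes it is the X-Frame-Options response header that IE8 introduced (DENY or SAMEORIGIN). It audits constructed sample responses so that pages which have not opted in stand out, and shows a handler setting the header; all URLs and header values are constructed.

```python
"""Audit HTTP responses for the IE8 clickjacking opt-in (added example).

Assumption: the opt-in the article calls "special tags" is the
X-Frame-Options response header with the value DENY or SAMEORIGIN.
"""
from http.server import BaseHTTPRequestHandler

VALID_POLICIES = {"DENY", "SAMEORIGIN"}


def framing_policy(headers):
    """Return "DENY", "SAMEORIGIN" or "UNPROTECTED" for a response.

    headers: iterable of (name, value) pairs as sent by the server.
    Names are case-insensitive; values are trimmed and upper-cased.
    An unrecognised value gives no protection, so it is reported the
    same way as a missing header.
    """
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            policy = value.strip().upper()
            return policy if policy in VALID_POLICIES else "UNPROTECTED"
    return "UNPROTECTED"


def audit(responses):
    """Map each URL to its policy so unprotected pages are easy to list."""
    return {url: framing_policy(hdrs) for url, hdrs in responses.items()}


class OptInHandler(BaseHTTPRequestHandler):
    """Handler that sends the opt-in with every page (constructed)."""

    def do_GET(self):
        body = b"<html><body><button>Transfer funds</button></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        # SAMEORIGIN still allows the site to frame its own pages.
        self.send_header("X-Frame-Options", "SAMEORIGIN")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample responses standing in for a site inventory.
SAMPLE_RESPONSES = {
    "https://bank.example/transfer": [("X-Frame-Options", "DENY")],
    "https://router.example/admin": [("Content-Type", "text/html")],
    "https://intranet.example/app": [("x-frame-options", " sameorigin ")],
    "https://blog.example/": [("X-Frame-Options", "ALLOW")],
}

if __name__ == "__main__":
    for url, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{policy:12} {url}")
```

Run as a script it lists the two constructed pages that IE8 would leave frameable; the point of the audit is that the protection only exists where every page has been changed.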
"It's not a solution to clickjacking by any stretch of the imagination. It's a vaguely mitigating factor for the very few people who use IE8," said Robert Hansen, CEO of the SecTheory consultancy, and one of the people who first reported the issue to Microsoft. "But it's interesting that they're taking it seriously."
While some websites will certainly use Microsoft's technology to prevent their IE visitors from being hit with clickjacking, there are simply too many other areas where HTML code is unlikely to be updated and hackers could launch attacks - targeting router administrative interfaces or corporate applications, or going after websites that have not gotten around to implementing Microsoft's fix.
"This is a solution which, even if everyone decides that this is the right way to do things, it still will take years and years of education," Hansen said.
Worse, some users might mistakenly think they are protected from the attack just because they are using IE, according to Giorgio Maone, the developer of the Firefox NoScript plugin, which is generally considered the best protection from many web-based attacks, including clickjacking.
"The bad news for IE enthusiasts is that they've got no magic 'out of the box' protection," he said in a blog post. "True, it doesn't require any 'browser add-on' ... but it comes with an even more strict requirement: all the sites to be protected must already have adopted a new proprietary hack, i.e. something no end-user can verify, let alone enforce."