
IE8 fix won't stop clickjacking attacks

Consumers not protected just by using IE8

New technology, which features in the release candidate version of Microsoft Internet Explorer 8.0, will not protect users from clickjacking attacks, say security experts.

Microsoft said it had developed "consumer-ready" protection against clickjacking attacks, in which special web programming is used to trick victims into clicking web buttons without realising it. The attack is hard to pull off, but at its worst, clickjacking can do some very nasty things, such as execute stock trades on financial websites, change router or firewall configurations, or even force someone to download unwanted software.

The problem is so vast that security experts worry that Microsoft's approach, which works only when website developers add special tags to their pages that prevent their own web buttons from being misused, may end up giving IE users a false sense of security.

"It's not a solution to clickjacking by any stretch of the imagination. It's a vaguely mitigating factor for the very few people who use IE8," said Robert Hansen, CEO of the SecTheory consultancy, and one of the people who first reported the issue to Microsoft. "But it's interesting that they're taking it seriously."

While some websites will certainly use Microsoft's technology to prevent their IE visitors from being hit with clickjacking, there are simply too many other areas where HTML code is unlikely to be updated and hackers could launch attacks - targeting router administrative interfaces or corporate applications, or going after websites that have not gotten around to implementing Microsoft's fix.

"This is a solution which, even if everyone decides that this is the right way to do things, it still will take years and years of education," Hansen said.

Worse, some users might mistakenly think they are protected from the attack just because they are using IE, according to Giorgio Maone, the developer of the Firefox NoScript plugin, which is generally considered the best protection from many web-based attacks, including clickjacking.

"The bad news for IE enthusiasts is that they've got no magic 'out of the box' protection," he said in a blog. "True, it doesn't require any 'browser add-on' ... but it comes with an even more strict requirement: all the sites to be protected must already have adopted a new proprietary hack, i.e. something no end-user can verify, let alone enforce."
