Posted tagged ‘IE8’

IE Only Offers Some Clickjacking Protection

September 23, 2011

It’s a given that you want to keep yourself safe from clickjacking scams. They’ve been known to cause all kinds of trouble. Not only do they post potentially embarrassing information to your social networking profile, but they can install viruses on your computer that will steal personal information that lets hackers commit identity theft.

You’d expect all Internet browsers to take this threat pretty seriously. After all, who would want to use a browser that exposes you to such a threat?

Unfortunately, though, some browsers are better than others at protecting you from clickjacking threats.

IE 8, for instance, looks for a tag that website designers use to prevent content from loading in frames. By getting rid of the frames, you solve a large part of the clickjacking problem. IE 8, however, relies on the website, not the user. That’s not very helpful for most people. If individual users had the option to say “don’t use any frames,” then they could rely on near-universal protection. When you leave it up to website developers, though, you’ve only offered help for those that don’t need it. If a website chooses to use the no frames tag, then they’re obviously not trying to clickjack visitors. That leaves things wide open for clickjackers that create sites specifically to attract victims.

This is the kind of protection that could actually cause more harm than good.

If nothing else, Internet Explorer should alert users when they have reached a page that does not protect them. Then the user can decide whether he or she wants to proceed. It would also encourage more web designers to include the tags when they build new sites.

Is IE8 protecting you from clickjackers?

May 19, 2010

When Internet Explorer 8 was released, it promised to contain security features that would protect users from clickjacking attacks. It is certainly helpful that Microsoft included some protection from clickjackers in IE8, but many security specialists have learned that the strategies are not completely effective.

In fact, IE8’s clickjack protection relies on the efforts of webmasters to secure their pages with special tags that create errors when clickjacking strategies are used. That means webmasters would not only have to go through the trouble of including tags in every page that they create, but also the millions of pages that already exist on the internet. There is basically no way that that’s going to happen.

Internet users, however, don’t have any foolproof ways to protect themselves. Many security specialists believe that a combination of Firefox and NoScript offers the best protection. Even that dynamic duo has its faults. In fact, every browser is susceptible to some version of clickjacking. If you want absolute safety, then you’d better not use the web at all.

If, however, you are willing to take a slight risk,  then you can use an updated web browser, frequently scan your system for malware, and pay attention to every link that you click. The best defense so far is common sense and skepticism. Using those tools, you can limit the amount of clickjacking strategies that you are exposed to.

Don’t knock on IE too hard

April 23, 2010

Those of us who use computers a lot and know a fair bit about how they work often find ourselves avoiding Microsoft products. There are several reasons for choosing operating systems, browsers, and software made by other companies, but my recent research has led me to believe that low security standards is not something that we can really blame on Internet Explorer’s developers.

Is IE open to clickjacking attacks and malware more than browsers like Chrome and Firefox. Well, that largely depends on what type of attacks we are talking about. In general, though, I have to say that I have had more problems using IE than other browsers. The problems, however, don’t stem from low security standards. Instead, they are a result of Microsoft’s market dominance.

Cybercriminals know that most people use IE, so they focus on attacks that can infiltrate that browser’s security standards. Of course there are plenty of people who use Firefox and Google Chrome, but the vast majority use IE. Recognizing this and focusing their efforts on IE security allows cybercriminals to dupe more people into installing malware and clicking on objects hidden in invisible frames.

The truth is that Microsoft has done a lot to prevent clickjacking attacks in IE8. You can learn more about the innovative steps that they have taken at the IEBlog. You might notice that the security protocols developed by Microsoft in 2008 are the same measures being used by other developers now.

What does this mean for Microsoft? It means that they have a difficult fight ahead of them. Staying at the top of the industry means that more hackers will concentrate on their products. Which in turn means that Microsoft looks like it has poor security options to many internet users.

I guess it’s hard to be on top. I feel some sympathy for Microsoft. At the same time, I also agree with critics who have cited the company’s non-competitive tactics as a reason that IE is a prime target.

I’ll continue using non-Microsoft browsers for the foreseeable future to give myself increased protection. After spending a few days reading about Microsoft’s security issues, though, I won’t be so quick to blame them for clickjacking attacks and maleware susceptibility.

Are Google Chrome Users Safe from Clickjacking?

March 12, 2010

Google claims that its web browser, Chrome, offers improved security for those surfing the internet. Google Chrome users, however, might not be as protected as they think.

Late last year, CNET reported that version 1.0.154.43 and earlier editions are vulnerable to clickjacking. You can read the original CNET news report here.

Google has acknowledged that there are some clickjacking security issues. Some individuals in the company have pointed out that clickjacking remains a significant issue for all browsers. The particular clickjacking technique that revealed Chrome’s vulnerability, however, was not effective against Internet Explorer 8 and Opera 9.63.

Firefox 3.0.5, however, was just as vulnerable to this clickjacking technique as Chrome.

Just because IE and Opera were not vulnerable to this specific type of clickjacking, however, does not necessarily mean that they aren’t susceptible to other techniques.

As is common in the world of security technology, companies keep making tougher products and criminals keep figuring out ways to break them. It’s an ongoing process. Even though there are security vulnerabilities with pretty much all web browsers, using the most updated version of your preferred browser will generally provide the tightest security.

Clickjacking presents a particularly difficult security issue for programmers because it takes advantage of the ways that web sites and the internet were designed to work. Perhaps it was an oversight made by early internet innovators, but it seems that we’re currently stuck with the problem.