
Thanks for looking at that for us, Joe.  Some infosec professionals are
having their users use Mozilla Firefox with the NoScript add-on.

Unfortunately, some administrative sites here at the university may not work
with Firefox.   It seems kind of cumbersome to have users use one browser
for everything else but on certain sites use IE.  

LD


-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Joe Budzyn
Sent: Thursday, October 09, 2008 11:00 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Click Jacking Vulnerabilities

There is not a lot of good information available at this time.  From the
US-CERT, "Disabling IFRAMEs, active content, and plug-ins by default, as
outlined in the Securing Your Web Browser document, may protect against the
vulnerability. Note, disabling IFRAMES, active content, and plug-ins may
reduce the functionality of some websites."  This also turns off a good deal
of the functionality found in modern browsers and may or may not be an
option.

The real fix for this will have to come in the form of browser patches.

Joe
--
Joe Budzyn                               [log in to unmask]
301 Computer Center                      Ph: (517) 432-7448
Michigan State University
East Lansing, MI 48824

On Wed, Oct 08, 2008 at 01:49:23PM -0400, Lee Duynslager wrote:
> Is anybody out there conversant on click jacking vulnerabilities?
> 
>  --US-CERT Issues Warning on Clickjacking (September 26 & 29, 2008) 
> Concerns about clickjacking, a cross-platform browser attack 
> technique, have prompted the US Computer Emergency Readiness Team
> (US-CERT) to issue a warning.
> Until a fix is available, users can protect themselves by disabling 
> scripting and plug-ins in their browsers.
> The researchers who discovered the clickjacking vulnerability had 
> planned to present their findings at a conference in September, but 
> grew concerned about the technique's severity and chose to notify 
> vendors and allow them time to develop fixes.
> http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210604261
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=rss_topic17
> http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by
> 
> http://ha.ckers.org/blog/20081007/clickjacking-details/
> 
> Source:  SANS NewsBites Vol. 10 Num. 78
> 
> 
> If so what conclusion did you come to and what did you recommend that 
> your users do?
> 
> Maybe the university's Info Sec Rep could chime in on this one?
> 
> 
> LD