Microsoft released Internet Explorer 8 RC1 yesterday with the usual big fanfare, and one of its main marketing punchlines is its “exclusive” clickjacking protection:

Microsoft Adds Clickjacking Protection to IE8 RC1

[…]
One major security update to block Web attacks known as “clickjacking” that the company said makes IE8 the only Web browser to offer such protection.
[…]
The security feature that thwarts clickjacking in IE8 RC1 allows Web-site content owners to put a tag in a page header that will help detect and prevent clickjacking. If a site that uses the IE8 tag detects clickjacking, it will give Web users an error screen letting them know that the content host has chosen not to allow that content, and gives them the option to open the content in a new window that is protected from the attack.
(PC World)

Microsoft IE8 Hits RC1 Milestone, Stops Clickjacking

[…]
RC1 also includes protection against “Clickjacking,” a ploy to get users to click on account buttons while covering the actual site being clicked on using a frame – the first browser available to counter this type of threat, Pratt said.
(PC Magazine)

Microsoft Goes After Clickjacking in IE8

[…]
While offering few technical details of its methods for stopping clickjacking, Microsoft appears to have not only tried to address the browser-based issues, but also sought out the help of Web site owners to make IE8 less vulnerable to the attacks.
[…]
Now, it will remain to be seen whether or not the features offered in the IE8 RC browser have an effect in preventing clickjacking attacks, but you have to give the guys in Redmond credit.
(Security Watch)

Hype aside, forgiving Microsoft’s habit of forgetting precursors of their “first and unique” technologies, what can we infer from the “few technical details”?

At this moment, Tue Jan 27 2009 15:20:49 GMT+0100, searching for Clickjacking on the Microsoft Developer Network I can find just 1 result, i.e. the Internet Explorer 8 Release Candidate Now Available IEBlog’s post, and it doesn’t give away any more juice:

We’ve worked closely with people in the security community to enable consumer-ready clickjacking protection. Sites can now protect themselves and their users from clickjacking attacks “out of the box,” without impacting compatibility or requiring browser add-ons.

Putting all these pieces together, IE8’s clickjacking countermeasure seems to be a “tag” (or a HTTP header, or both) which “web content owners” must attach to the page(s) of theirs to be protected.
So it’s not about users protecting themselves: “Sites can now protect themselves and their users”.
Ooops, we knew sites could already “protect themselves and their users” last week, last year or even one decade ago, and in a more or less browser-independent way too. That’s called frame busting, and it’s done with a simple JavaScript one-liner. Therefore my guess, documentation pending, is that IE8 “invented” scriptless frame busting. All the browser vendors have been discussing something like this even before the Clickjacking bubble, and it’s actually useful because:

  1. JavaScript-based frame busting is not always reliable, especially on IE (it works fine in Firefox 3, though).
  2. JavaScript-based frame busting does not work, quite obviously, if JavaScript is disabled for whatever reason, unless you’re using NoScript.
  3. JavaScript-based frame busting can be easily circumvented on IE by loading the targeted page inside an <IFRAME SECURITY=restricted> element. Ironically, yet another Microsoft non-standard extension to HTML, with security purposes this time, makes IE the only contemporary browser where “standard” frame busting is useless by design.

To sum up, there’s always been a well known and accepted server-side protection option which works everywhere except in IE. As far as we know, the newly proposed anti-Clickjacking tag or header (much like the “X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes” suggested as fix #1 in Michal Zalewski’s famous “UI Redressing” post and to ABE’s SUBdocument rules) offers an alternate option which, currently, works only in IE8 RC1. Funny how Microsoft can turn a weakness unique to their browser in yet another non-standardized feature to embrace and extend HTTP overnight! :)
But if a web site owner is skilled and careful enough to implement our brand new header (which again, while I’m writing these lines, is apparently undocumented), he will surely deploy the simple and understood JavaScript frame busting one-liner too, and every browser is equally protected.

Furthermore, the press choose the “Clickjacking” buzzword over the proper “UI Redressing” definition, probably to amplify its hype effect. But historically, the term “Clickjacking” has been invented to designate a Flash-based (or more in general embedding-based), not necessarily cross-domain attack. Does this “anti-Clickjacking” feature actually work against the “original” Clickjacking concept? Nothing suggests it does yet, but we’ll see… 2009-01-28 Update: now we for sure know IE8 RC1 offers no protection against plugin-based Clickjacking, as expected.

However, I do believe that a declarative approach to control subdocument requests is an excellent idea: otherwise I wouldn’t have included the SUB pseudo-method in ABE Rules Specification (pdf). Moreover, as soon as I’ve got some less blurry info (David Ross, I know you’re listening, why don’t you drop me a line?), I’ll be happy to immediately implement a compatible feature in NoScript and lobby Mozilla for inclusion in Firefox 3.1.

That said, the bad news for IE enthusiasts is that they’ve got no magic “out of the box” protection, despite the press releases I quoted. True, it doesn’t require any “browser add-on” (don’t you love how they managed again to avoid mentioning NoScript?), but it comes with an even more strict requirement: all the sites to be protected must already have adopted a new proprietary hack, i.e. something no end-user can verify, let alone enforce (so long for the “consumer-ready” label).
We’ve been preaching about XSS holes and other web programming errors for years, but developers still fall in the same pitfalls over and over again: if the guys in Redmond really believed that web security could be fixed server-side by just educating web authors, why did they eventually bother adopting those client-side anti-XSS filters which NoScript pioneered?

On the other hand, ClearClick protects you against any type of Clickjacking automatically, as soon as you install the NoScript add-on, with no need for web authors to learn and cooperate. ClearClick keeps working even if you allow JavaScript globally and/or disable all the other NoScript protection features, so you’ve got no excuse to dismiss it. Any reason yet not to switch to safer browsing?

Update

Microsoft’s David Ross sent me an email confirming that my “preemptive” analysis about IE8’s approach, intents and limitations was correct. A blog post by Eric Lawrence is on its way, explaining the technical details as an an “authoritative” source, but I guess the only information still missing is the real name of the header :)
About my stated intention of implementing a compatible feature in NoScript and lobbying Mozilla to do the same, he wrote

I think this would be fantastic and it’s a great place to start building some bridges.

I think so too.

Update 2 (2009-01-28)

Mistery unveiled: the header is “X-FRAME-OPTIONS: DENY” (I still prefer “X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes”, but whatever). Now that I’ve got “less blurry details”, NoScript’s compatibility feature is on its way, and I hope Firefox’s is too.

22 Responses to “Ehy IE8, I Can Has Some Clickjacking Protection?”

  1. #1 Meitar Moscovitz says:

    This was an insightful and informative post. Thank you! I saw the IE 8 RC 1 news regarding "clickjacking" and was immediately interested, but saddened at the lack of detail. You provided way more detailed comments than anywhere else I’ve noted. So again, thanks. That is all. :)

  2. #2 Giorgio says:

    @Meitar Moscovitz:
    nice to have you on board :)

  3. #3 buzz says:

    hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection?

    Putting all these pieces together, IE8’s clickjacking countermeasure seems to be a “tag” (or a HTTP header, or both) which “web content owners” must attach to the page(s) of theirs to be protected.
    So it’s not about users protecting themsel…

  4. #4 Ajnasz's Blog says:

    Internet Explorer 8

    A minap a Microsoft kiadta az Internet Explorer 8RC1-et, amit elvileg azt jelenti, hogy majdnem végleges verzió, tehát újdonságra már nem lehet számítani. Fejlesztőként nem kevés előítélettel töltöttem le és telepítettem Virtualboxom …

  5. #5 adam says:

    With the "ClearClick works even when you keep JS enabled for all sites," I have now begun using NoScript. I’ve been lurking your posts for a while, they’re very informative.

    I use AdBlock for most of my stuff (so I can blacklist ALL downloads, especially images, not just scripts/plugins)…but it won’t catch JS things like ClearClick will. Hopefully I see some cool clickjacking attempts thwarted!

  6. #6 Mike says:

    Giorgio, thank you for all the work you do. I think it’s clear that once again Microsoft is yelling, "Wait for us, we’re the leader!" as loud as they can. NoScript has done more to make the web safe than Microsoft ever has or ever will.

    Mike

  7. #7 Microsoft boasts 'out of box' IE8 clickjack protection | Gearone.in says:

    […] protection, despite the press releases” from Microsoft, security researcher Giorgio Maone wrote here. “All the sites to be protected must already have adopted a new proprietary hack, i.e. […]

  8. #8 IE8’s clickjacking fix not much help, experts say - All web resource stuff says:

    […] for IE enthusiasts is that they’ve got no magic ‘out of the box’ protection," he wrote on his blog Tuesday. "True, it doesn’t require any ‘browser add-on’ … but it comes with […]

  9. #9 Secure Korea : IE8, 클릭재킹 방지 기능 says:

    […] RC1에서는 클릭재킹 방지 기능이 소개됐는데 이 또한 작은 논란을 일으키고 있네요. 클라이언트 쪽에서 클릭재킹을 자동으로 막아주는 건 […]

  10. #10 Tommy Turtle says:

    Microsoft is the Bernie Madoff of software. They should be arrested for fraud by the US SEC (Securities and Exchange Commission), just like Madoff.

  11. #11 David Naylor says:

    Very interesting and informative. Thanks for shedding some light on this unique feature! :)

  12. #12 hackademix.net » IE8's "Clickjacking Protection" Exposed says:

    […] Ehy IE8, I Can Has Some Clickjacking Protection? 28 01 2009 […]

  13. #13 Clickjacking: Internet Explorer 8 non è immune, dicono - The New Blog Times says:

    […] Giorgio Maone, che di NoScript è l’autore, in un suo dettagliatissimo e circostanziato post nel suo […]

  14. #14 Fenixnordic Group » Blog Archive » Why IE8’s ‘ClickJacking’ Solution Won’t Help Most Users says:

    […] Giorgio Maone, the developer behind Firefox’s NoScript Add-on, explains "there’s always been a well known and accepted server-side protection option which works […]

  15. #15 hackademix.net » X-IFRAME-OPTIONS in Firefox says:

    […] I promised in my previous posts about so called IE8’s “Clickjacking protection”, some hours ago I released the […]

  16. #16 IE8.0 and Clickjacking « Covil Inc. says:

    […] sure you’ve heard about the new IE8.0 Clickjacking protection here, here and probably most importantly here on the IE blog. It’s probably time I explain exactly […]

  17. #17 La billeterie » Blog Archive » Clickjacking says:

    […] http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/ Convenience is number one factor in keeping browsers secure […]

  18. #18 Cross Site Scripting » Blog Archive » Hackademix.Net » Ehy Ie8, I Can has Some Clickjacking Protection? says:

    […] We’ve been preaching about XSS holes and other web programming errors for years, but developers still fall in the same pitfalls over and over again: if the guys in Redmond really believed that web security could be fixed …$anchor_text[$anchor_choice] […]

  19. #19 IE8.0 and Clickjacking | Secdefence.Com says:

    […] sure you’ve heard about the new IE8.0 Clickjacking protection here, here and probably most importantly here on the IE blog. It’s probably time I explain exactly […]

  20. #20 noam says:

    i installed a web application firewall- software solution. it protects layer 7, web applications. but how can i know if it protects also against clickjacking? http://www.applicure.com

  21. #21 Jeff Atwood says:

    "To sum up, there’s always been a well known and accepted server-side protection option which works everywhere except in IE."

    Um, no. And if you believe that framebusting can’t be defeated, then your users are going to get owned.

    http://www.codinghorror.com/blog/archives/001277.html

  22. #22 Giorgio says:

    @Jeff Atwood:
    My users are protected by NoScript :D

    Anyway, what about this one:

    if (top != self) {
    top.location.replace(location);
    location.replace(”about:blank”); // want me framed? no way!
    }

    Seen here ;)

Bad Behavior has blocked 4381 access attempts in the last 7 days.