MS08-069 – Critical XML Patch for Windows

Today Microsoft released a patch for the “click-jacking” vulnerability announced by Robert Hansen in September. As you may remember, exploiting this vulnerability (in every version of XMLHTTP except 3.0) let him redirect a click you made on a web page to any target he chose. So you might have thought you were clicking a link to http://securityblog.verizonbusiness.com, but you would actually land on http://Ive_Got_You_Now_Sucker.com.

At the time of his announcement, we advised our customers that this issue is really nothing new. Criminals have been able to obscure what you were clicking on for many years, whether by masking the real URL behind a fake display value or by using an image map so that a click anywhere on the page triggers the result they want.
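To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the original post or from Verizon Business). It generates the kind of decoy page described, a visible link with an invisible frame of the real target stacked on top so the click is delivered to the frame, and it checks a site's response headers for the framing defences browsers added after this post was written, X-Frame-Options and the CSP frame-ancestors directive. Neither header is mentioned in the post, and every URL and response below is constructed for illustration.

```javascript
// Added example, not code from the original post. It builds the decoy page
// the post describes (a visible link with a transparent frame of the real
// target laid over it) and checks response headers for the framing defences
// browsers later added: X-Frame-Options and CSP frame-ancestors. All URLs
// and header sets below are made up.

// Decoy page: the user sees and aims at the <a>, but the transparent iframe
// sits above it (z-index, opacity:0), so the click lands on whatever the
// framed target has at that spot.
function clickjackPoc(targetUrl, decoyText = "Read the blog") {
  return [
    "<!doctype html><html><body>",
    `<a href="#">${decoyText}</a>`,
    // positioned over the link, fully transparent, on top of the stack
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      `width:300px;height:60px;opacity:0;z-index:10;border:0"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Parse the frame-ancestors source list out of a CSP header value, or
// return null when the header does not restrict framing at all.
function frameAncestors(csp) {
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
}

// True when a page from an unrelated attacker origin may frame the target,
// i.e. the overlay above would work. `headers` uses lower-cased names, as
// Node's http module returns them. CSP frame-ancestors takes precedence
// over X-Frame-Options when both are present.
function framingAllowed(headers) {
  const sources = frameAncestors(headers["content-security-policy"] || "");
  if (sources) {
    // 'none', 'self' or a list of named hosts all exclude a foreign
    // attacker page; only '*' or a bare scheme leaves it frameable.
    return sources.some((s) => s === "*" || s === "http:" || s === "https:");
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN" || xfo.startsWith("ALLOW-FROM")) {
    return false;
  }
  return true; // no defence at all, which was the default in 2008
}

// Constructed sample responses for three hypothetical pages.
const SAMPLE_RESPONSES = {
  "http://unprotected.example/transfer": {},
  "http://xfo.example/transfer": { "x-frame-options": "DENY" },
  "http://csp.example/transfer": {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
  },
};

// Which of the sampled pages could serve as the hidden target of the decoy.
function frameableTargets(responses) {
  return Object.keys(responses).filter((url) => framingAllowed(responses[url]));
}

console.log(frameableTargets(SAMPLE_RESPONSES)); // only the unprotected page
console.log(clickjackPoc("http://unprotected.example/transfer"));
```

Run it with Node. `frameableTargets` is the triage step: any page it lists has no browser-side framing defence, so a user who can be lured to an attacker's page and persuaded to click is exposed exactly as the post describes; the patch discussed here does nothing for that page, and only the site owner can close the gap.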

Since we ask our customers to always consider risk, we explained why there was no new risk here. To be exploited, you still have to visit a criminally controlled site. Whether that is a legitimate site serving malicious advertisements or one that has been completely compromised, it still has to be compromised, and you still have to click your way there. More importantly, this issue requires that you actually click on something, unlike so many others where simply visiting the page can trigger a drive-by download without the user’s knowledge. Ergo, this issue is even less likely to be abused. Further, at the time of disclosure we weren’t aware of any sites actually attempting to exploit the vulnerability.

In other words, the risk landscape hadn’t changed.

So now there’s a patch for it, and the obvious question is whether it needs to be applied overnight, over the next weekend, or over some longer period. After all, Microsoft rates it critical, right?

Well, to start with, anything to do with Internet Explorer should, in our book, be addressed within 30 days of its release, whether that is a patch, a Service Pack, or anything else. Clearly that includes a component such as XML Core Services, given how many sites use it today. So 30 days should be your initial goal.

As to whether this warrants faster adoption by the business community, simply ask yourself this: do you have users who are being compromised today? If not, this new vulnerability isn’t going to change that. If so, here is another way for those individuals to shoot themselves (and you) in the foot, so consider them your initial targets. In any event, we haven’t seen any change in the risk landscape that suggests you need to spend overtime dollars on this patch (or on MS08-068, which also came out today).

Let us not forget that this vulnerability was disclosed as part of a talk at a conference where people paid money to see new research, not as the result of some rampant bot-herder attempting to build a million-zombie army.
