Researcher: IE8 clickjacking protection will have no impact

More info from Microsoft doesn't change opinion of researcher who reported problem.

He still does, to some degree.

"I really think that the reason why they did this was because they wanted to be able to say that they have a clickjacking solution," said Hansen. "It's not so much that they were worried about clickjacking, but more to have a defensible position about what they are doing about clickjacking."

Microsoft, said Hansen, is caught in a bind. "IE lacks the kind of innovation you see in [Google's] Chrome or Firefox, and they're getting pounded from all sides," he said. "At the same time, they have to impress the gigantic companies that are using, in some cases, IE6. So when IT asks, 'What about clickjacking?' - now Microsoft can say they have something. And it's definitely a concept that can be communicated."

In the end, it may not even matter that much, said Hansen. "Clickjacking has not been proven to be effective in the wild," he said. "Proof-of-concept, yes, and I've come up with plenty of them. But we have never seen it in the wild."

But just as he wondered whether it was worth the trouble to implement any clickjacking defense, Hansen added that to do nothing could be very risky. "The trouble is that one-off exploits of a specific site are possible. [Hackers] can do it, and then they'd have carte blanche. And widespread attack would leave everyone with a very long exposure time because it would be extremely hard to do a global deployment of any defense."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags clickjackinginternet explorer 8

More about ExposureGoogleMicrosoft

Show Comments