
Major Security Issue
Tuesday, 21 October 2008 13:26

A new vulnerability that affects all browsers--yes, ALL browsers--has been the subject of much discussion and patching in the last month. Not heard about it? We hadn't either until recently, making us think that perhaps this is being kept as much under the radar as possible while patches for browsers and other software are being worked out. But it's out there, and you need to be aware of it.

A new cross-browser exploit technique called "clickjacking" is now being investigated by US-CERT (United States Computer Emergency Readiness Team), after public reports that this new technique was out there. Read more about it here:
http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by

According to US-CERT, "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable." Disabling scripting and other active content may help mitigate some of the problem, but it will severely cut down on your ability to browse the web, as this means that most sites out there these days will not run.

PC Magazine blogs also have an article about it:
http://blogs.pcmag.com/securitywatch/2008/09/all_major_browsers_vulnerable.php

The PC magazine article links to another site with more information:
http://ha.ckers.org/blog/20080915/clickjacking/

And here are some of the ugly details as of October 7:
http://ha.ckers.org/blog/20081007/clickjacking-details/

An article on ZDNET describes it thusly: "In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx [Editor's note: Lynx is a text-only browser]. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening." (http://blogs.zdnet.com/security/?p=1972)

What we also found in our research on this was this article, describing how some ads built in Adobe Flash were being used to hijack your computer's clipboard and launch malicious code:
http://blogs.zdnet.com/security/?p=1733&tag=rbxccnbzd1

Should you be concerned? Unfortunately, the answer is YES. If you're using Firefox 3, you can use the NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) to block most of the problem. NoScript will in almost all cases prevent clickjacking attacks. Be cautious about the sites you visit, don't click on Flash ads or play Flash games for now, and keep your browser and other online tools updated as patches for these items come out. For other things you can do to protect yourself and/or your website:
http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention
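The protection on the website side is to tell the browser not to render your pages inside someone else's frame, which is what a clickjacking page relies on. The two mechanisms browsers adopted for this, after this post was written, are the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the original post or from any of the sites linked above: a small Node.js audit script that takes a page's response headers and works out whether a browser honouring those headers would let a given origin frame the page. The header sets and the origins (bank.example, evil.example, partner.example) are constructed for the example.

```javascript
// Added example (not from the original post): audit HTTP response headers for
// clickjacking protection by applying the rules of X-Frame-Options and the
// CSP frame-ancestors directive. All sample headers and origins are constructed.

// Parse a Content-Security-Policy header value into a map of directive -> sources.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one frame-ancestors source expression match the embedding origin?
// Handles 'none', 'self', '*', exact origins and scheme://*.host wildcards,
// which is enough for a header audit (not a complete CSP matcher).
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const ancestor = new URL(ancestorOrigin);
  // A source may be "scheme://host[:port]" or a bare host; a bare host
  // inherits the ancestor's scheme for comparison purposes.
  const withScheme = src.includes('://') ? src : `${ancestor.protocol}//${src}`;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)(?::(\d+|\*))?$/.exec(withScheme);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (`${scheme}:` !== ancestor.protocol) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith('.' + host)
    : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const ancestorPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
    if (port !== ancestorPort) return false;
  }
  return true;
}

// Would a browser that honours these headers render the page inside a frame
// owned by ancestorOrigin? frame-ancestors takes precedence over
// X-Frame-Options when both are present; an unrecognised X-Frame-Options
// value is ignored by browsers, so it grants no protection.
function framingAllowed(headers, ancestorOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = get('content-security-policy');
  if (csp !== undefined) {
    const fa = parseCsp(csp).get('frame-ancestors');
    if (fa !== undefined) return fa.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
  }
  const xfo = get('x-frame-options');
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  }
  return true; // no framing restriction at all
}

// Headers a site should send when it never needs to be framed by anyone.
function hardenedHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Summarise what a page's headers allow for the page itself and for a third party.
function audit(headers, pageOrigin, otherOrigin) {
  return {
    otherCanFrame: framingAllowed(headers, otherOrigin, pageOrigin),
    selfCanFrame: framingAllowed(headers, pageOrigin, pageOrigin),
  };
}

// Constructed sample header sets for four hypothetical sites.
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  hardened: hardenedHeaders(),
  partnerFraming: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(samples)) {
    console.log(name, audit(headers, 'https://bank.example', 'https://evil.example'));
  }
}
```

Run it with `node` to see which of the four sample header sets still lets a third-party origin frame the page. Point the same logic at the headers of your own site and the result tells you whether a clickjacking page elsewhere could load your pages in a frame at all; sending both headers covers browsers that understand only the older one.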

In truth, every site is vulnerable to at least some degree to some sort of attack--if a hacker really wants your site, he'll get into it one way or another, according to this blog entry:
http://ha.ckers.org/blog/20081012/apocalyptic-vulnerability-percentages-fud-101/

It may be a while yet before the problem is fixed, so be very cautious in the meantime.
