This week, we will go through two recently discovered exploits: DoubleClickjacking, a browser-based vulnerability that affects major websites, and a flaw in Microsoft’s LDAP implementation that could lead to DoS attacks.
A new Clickjacking threat identified
A new exploit named “DoubleClickjacking” enables attackers to bypass existing clickjacking protections on major websites. Security researcher Paulos Yibelo discovered that this technique manipulates users into executing unintended actions through a double-click sequence, circumventing defenses like the X-Frame-Options header and SameSite cookies.
Clickjacking, or UI redressing, deceives users into clicking concealed elements, leading to unauthorized activities such as malware installation or data theft. DoubleClickjacking advances this by exploiting the brief interval between two clicks. The attack unfolds as follows:
- A user visits a malicious site that opens a new window or tab, possibly mimicking a CAPTCHA verification.
- The user is prompted to double-click to proceed.
- During the double-click, the parent site uses JavaScript’s window.location object to redirect to a malicious page, such as one approving a rogue OAuth application.
- The top window closes, causing the user to unknowingly authorize the malicious action.
Yibelo emphasizes that traditional defenses are inadequate against this method. To mitigate such vulnerabilities, website owners should implement client-side solutions that disable critical buttons by default, activating them only upon detecting genuine user interactions like mouse gestures or key presses. Services like Dropbox have adopted such measures. Additionally, Yibelo suggests that browser vendors develop new standards similar to X-Frame-Options to counteract double-click exploitation.
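One way to implement the "disabled by default" mitigation described above, as an added example that is not code from the article, from Yibelo’s research or from any named service; it assumes a hypothetical button with id `approve`, a constructed 500 ms arming threshold, and that genuine interaction means trusted pointer or keyboard events delivered to the protected page itself:

```javascript
// Added example (mine, not the article's or Yibelo's): keep a sensitive button
// inert until this page has seen genuine user interaction. Assumed: two trusted
// pointer/keyboard events arm it; clicks within MIN_ARM_MS of arming are rejected.
const MIN_ARM_MS = 500; // hypothetical threshold; tune per application

function createSensitiveActionGuard(now = () => Date.now()) {
  let armedAt = null;   // time the button became usable; null while disabled
  let interactions = 0; // trusted pointer/keyboard events seen on this page
  return {
    // Feed 'mousemove', 'keydown' and 'pointerdown' events here; returns true
    // once armed. Synthetic events (isTrusted === false) never count.
    recordInteraction(evt) {
      if (evt && evt.isTrusted === false) return false;
      interactions += 1;
      if (armedAt === null && interactions >= 2) armedAt = now();
      return armedAt !== null;
    },
    isArmed() { return armedAt !== null; },
    // Decide whether a click on the sensitive button should be honoured.
    shouldAcceptClick(evt) {
      if (evt && evt.isTrusted === false) return false;
      if (armedAt === null) return false;             // no interaction yet
      if (now() - armedAt < MIN_ARM_MS) return false; // too soon after arming
      return true;
    },
    disarm() { armedAt = null; interactions = 0; },
  };
}
// DOM wiring: the button stays disabled until the guard arms it, and clicks
// that fail the check are swallowed instead of reaching onApprove.
function attachGuard(button, onApprove) {
  const guard = createSensitiveActionGuard();
  button.disabled = true;
  for (const type of ['mousemove', 'keydown', 'pointerdown']) {
    document.addEventListener(type, (e) => {
      if (guard.recordInteraction(e)) button.disabled = false;
    });
  }
  button.addEventListener('click', (e) => {
    if (!guard.shouldAcceptClick(e)) { e.preventDefault(); return; }
    onApprove();
  });
  return guard;
}
// Only wire a button when running in a browser; under Node this is skipped.
if (typeof document !== 'undefined') {
  const btn = document.querySelector('#approve'); // hypothetical button id
  if (btn) attachGuard(btn, () => console.log('approval accepted'));
}
```

The timing check is what matters against the double-click case: the overlay closes between the two clicks, so the second click lands on the real button far faster than a user who has just arrived on the page could act.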
This discovery follows Yibelo’s earlier identification of “cross window forgery” or “gesture-jacking,” where users are tricked into pressing keys like Enter or Space on malicious sites, leading to unauthorized actions on platforms like Coinbase and Yahoo!.
Browser threat TL;DR
The “DoubleClickjacking” exploit tricks users into unintended actions during a double-click, bypassing protections like X-Frame-Options and SameSite cookies. Discovered by Paulos Yibelo, it redirects users to malicious pages approving unauthorized actions. Mitigation includes client-side protections to disable critical buttons by default and new browser standards. This builds on Yibelo’s earlier “gesture-jacking” findings.
Active Directory critical vulnerability discovered
A critical vulnerability in Microsoft’s Active Directory, CVE-2024-49113, poses a significant threat to Windows servers. This flaw resides in the Lightweight Directory Access Protocol (LDAP), essential for directory services in Active Directory environments. If exploited, it allows attackers to execute denial-of-service (DoS) attacks, potentially crashing multiple unpatched Windows servers simultaneously.
Microsoft’s December update resolved the issue, but concerns persist that many organizations have not yet updated their systems, leaving them exposed. The flaw is particularly dangerous because it can be exploited remotely if a domain controller’s DNS server is connected to the Internet. Additionally, there is potential for remote code execution (RCE) through this vulnerability, escalating the risk beyond simple service disruption.
Security experts emphasize the urgency of applying the December patches to mitigate this threat. Unpatched systems remain vulnerable to attacks that could disrupt operations by crashing servers or allowing unauthorized access. The availability of exploit code increases the likelihood of threat actors attempting to leverage this flaw. Organizations should prioritize updating their Windows servers and domain controllers to protect against potential exploits targeting this critical vulnerability.
LDAP vulnerability TL;DR
A critical Active Directory vulnerability (CVE-2024-49113) in Microsoft’s LDAP allows remote denial-of-service (DoS) attacks and potential remote code execution (RCE) on unpatched Windows servers. Although it was addressed in December’s updates, many systems remain unpatched, risking server crashes and unauthorized access. Organizations are urged to apply the patches immediately.
Keep confidential data safe
These stories showcase the vulnerabilities of major websites and authentication platforms that malicious actors can exploit. For insights into protecting your company and customer data at the endpoint level, contact us today.