A newly-announced exploit designed to exploit keyboard shortcuts provides yet another potential means for unwanted software to install itself onto your computer with a method known as keyjacking. The good news? The vulnerability is highly specific to one browser and hard to use efficiently.
Keyboard picture from Shutterstock
Italian researcher Rosario Valotta highlighted the technique last week. You can read the full details on his post, but the basic idea is this: if you can launch a file download within Internet Explorer, conceal it with some JavaScript and a pop-under window, and then persuade someone to type ‘R’ (the shortcut for Run within IE), you could execute a file without anyone realising.
How might you persuade someone to type R? The obvious tactic is to produce a graphic with a fake CAPTCHA starting with the letter R, while keeping the focus on the window below.
While that sounds like a potentially clever approach, in practice it might not work so well. Sophos security guru Paul Ducklin tried it out and found that IE blocked the download automatically with a security bar, which meant all the careful concealment amounted to zero.
Keyboard shortcuts are becoming less of a focus in browser development — most of the attention in recent versions of IE has been on touch development — so these tricks are going to be increasingly difficult to pull off. Nonetheless, it’s a reminder that potential risks exist everywhere.
Comments