Adobe Flash Player Fix Stops 'Clickjacking'

Adobe recommends users upgrade to Flash Player version 10.0.12.36 to avoid bugs that could lead to an attack over Internet Explorer, Firefox, Safari, Opera, or Chrome Web browsers.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 17, 2008

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Adobe Systems on Wednesday released a security bulletin to address a critical vulnerability in its Flash Player software that could let an attacker spy on victims through computer-connected Webcams or microphones or dupe victims into unknowingly authorizing harmful actions on their computers.

"Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls," the bulletin states. "This update addresses a potential 'Clickjacking' issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone."

Adobe recommends that affected users upgrade to Flash Player version 10.0.12.36. Flash Player 10 includes tighter security controls on content access across domains and a variety of other security-related changes.

The company plans to update Flash Player 9 in early November.

Earlier this month, Flash developer Guy Aharonovsky published a proof-of-concept exploit to demonstrate how the clickjacking vulnerability can be used to spy on people.

Clickjacking also can be used to direct user clicks to authorize unintended actions without the user's knowledge.

Clickjacking isn't a vendor-specific issue. According to Jeremiah Grossman, founder and CTO of WhiteHat Security, and Robert "RSnake" Hansen, founder and CEO of SecTheory, who identified the flaw, it's a broad cross-platform browser exploitation technique that affects multiple products. Thus, while Adobe's fix may prevent a clickjacking attack directed at Flash Player, users may still be vulnerable through their Web browsers or other software that they're using.

Echoing Grossman's advice on how to mitigate the risk of clickjacking, US-CERT suggests disabling browser scripting, plug-ins, and iframes until the issue is widely addressed, though this may make some Web sites nonfunctional. The NoScript Firefox plug-in provides an easy way to do this.

Read more about:

2008

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights