Risk
10/16/2008
07:53 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Adobe (Somewhat) Fixes ClickJacking Vulnerability

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.Adobe Systems' latest Flash Player 10 software, released yesterday, fixes a number of security flaws, including the recently famous clickjacking attack, according to this Adobe blog post. But if you run into problems installing 10, you'll have to sit tight -- and remain vulnerable -- for a few more weeks.

Here's how InformationWeek's Thomas Claburn summed things up a week ago, regarding the clickjacking threat:

Details about the cross-platform browser exploitation technique known as "clickjacking" have started to emerge. Among the more alarming ways it can be used: covertly watching and listening to people who have microphones and Webcams attached to their computers.

"Web pages know what Web sites you've been to, ... where you're logged in, what you watch on YouTube, and now they can literally 'see' and 'hear' you," warned Jeremiah Grossman, founder and CTO of WhiteHat Security, in a blog post.

On Tuesday, Flash developer Guy Aharonovsky published a proof-of-concept exploit to show how clickjacking can be used to spy on people. "I've written a quick and dirty JavaScript game [to] exploit just that, and demonstrate how an attacker can get a hold of the user's camera and microphone," he said in a blog post. "This can be used, for example, with platforms [like Ustream.tv or Justin.tv] or to stream to a private server to create a malicious surveillance platform."

Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, discovered the clickjacking technique, called "UI redressing" by some, and planned to discuss it at the 2008 Open Web Application Security Project USA NYC security conference last month. But the pair decided to delay disclosure to allow affected vendors time to address the issue.

It's important to note that clickjacking isn't specific to Adobe products, but they're widely used. Here's the link to Adobe's security bulletin.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.