Risk
10/16/2008
07:53 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Adobe (Somewhat) Fixes ClickJacking Vulnerability

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.Adobe Systems' latest Flash Player 10 software, released yesterday, fixes a number of security flaws, including the recently famous clickjacking attack, according to this Adobe blog post. But if you run into problems installing 10, you'll have to sit tight -- and remain vulnerable -- for a few more weeks.

Here's how InformationWeek's Thomas Claburn summed things up a week ago, regarding the clickjacking threat:

Details about the cross-platform browser exploitation technique known as "clickjacking" have started to emerge. Among the more alarming ways it can be used: covertly watching and listening to people who have microphones and Webcams attached to their computers.

"Web pages know what Web sites you've been to, ... where you're logged in, what you watch on YouTube, and now they can literally 'see' and 'hear' you," warned Jeremiah Grossman, founder and CTO of WhiteHat Security, in a blog post.

On Tuesday, Flash developer Guy Aharonovsky published a proof-of-concept exploit to show how clickjacking can be used to spy on people. "I've written a quick and dirty JavaScript game [to] exploit just that, and demonstrate how an attacker can get a hold of the user's camera and microphone," he said in a blog post. "This can be used, for example, with platforms [like Ustream.tv or Justin.tv] or to stream to a private server to create a malicious surveillance platform."

Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, discovered the clickjacking technique, called "UI redressing" by some, and planned to discuss it at the 2008 Open Web Application Security Project USA NYC security conference last month. But the pair decided to delay disclosure to allow affected vendors time to address the issue.

It's important to note that clickjacking isn't specific to Adobe products, but they're widely used. Here's the link to Adobe's security bulletin.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio