Risk
10/16/2008
07:53 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Adobe (Somewhat) Fixes ClickJacking Vulnerability

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.

With the release of Flash Player 10, Adobe fixes a critical security vulnerability known as "clickjacking." But for those users who can't or don't want to update to the latest version -- well, they're out of luck for a while.Adobe Systems' latest Flash Player 10 software, released yesterday, fixes a number of security flaws, including the recently famous clickjacking attack, according to this Adobe blog post. But if you run into problems installing 10, you'll have to sit tight -- and remain vulnerable -- for a few more weeks.

Here's how InformationWeek's Thomas Claburn summed things up a week ago, regarding the clickjacking threat:

Details about the cross-platform browser exploitation technique known as "clickjacking" have started to emerge. Among the more alarming ways it can be used: covertly watching and listening to people who have microphones and Webcams attached to their computers.

"Web pages know what Web sites you've been to, ... where you're logged in, what you watch on YouTube, and now they can literally 'see' and 'hear' you," warned Jeremiah Grossman, founder and CTO of WhiteHat Security, in a blog post.

On Tuesday, Flash developer Guy Aharonovsky published a proof-of-concept exploit to show how clickjacking can be used to spy on people. "I've written a quick and dirty JavaScript game [to] exploit just that, and demonstrate how an attacker can get a hold of the user's camera and microphone," he said in a blog post. "This can be used, for example, with platforms [like Ustream.tv or Justin.tv] or to stream to a private server to create a malicious surveillance platform."

Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, discovered the clickjacking technique, called "UI redressing" by some, and planned to discuss it at the 2008 Open Web Application Security Project USA NYC security conference last month. But the pair decided to delay disclosure to allow affected vendors time to address the issue.

It's important to note that clickjacking isn't specific to Adobe products, but they're widely used. Here's the link to Adobe's security bulletin.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.