Adobe Flash Player Fix Stops 'Clickjacking'

Adobe recommends that users upgrade to Flash Player version 10.0.12.36 to avoid bugs that could be exploited through the Internet Explorer, Firefox, Safari, Opera, or Chrome Web browsers.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 17, 2008


Adobe Systems on Wednesday released a security bulletin to address a critical vulnerability in its Flash Player software that could let an attacker spy on victims through computer-connected Webcams or microphones or dupe victims into unknowingly authorizing harmful actions on their computers.

"Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls," the bulletin states. "This update addresses a potential 'Clickjacking' issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone."

Adobe recommends that affected users upgrade to Flash Player version 10.0.12.36. Flash Player 10 includes tighter security controls on content access across domains and a variety of other security-related changes.

The company plans to update Flash Player 9 in early November.

Earlier this month, Flash developer Guy Aharonovsky published a proof-of-concept exploit to demonstrate how the clickjacking vulnerability can be used to spy on people.

Clickjacking also can be used to direct user clicks to authorize unintended actions without the user's knowledge.

Clickjacking isn't a vendor-specific issue. According to Jeremiah Grossman, founder and CTO of WhiteHat Security, and Robert "RSnake" Hansen, founder and CEO of SecTheory, who identified the flaw, it's a broad cross-platform browser exploitation technique that affects multiple products. Thus, while Adobe's fix may prevent a clickjacking attack directed at Flash Player, users may still be vulnerable through their Web browsers or other software that they're using.

Echoing Grossman's advice on how to mitigate the risk of clickjacking, US-CERT suggests disabling browser scripting, plug-ins, and iframes until the issue is widely addressed, though this may make some Web sites nonfunctional. The NoScript Firefox plug-in provides an easy way to do this.
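The mitigation above works by removing the iframe that a clickjacking page wraps around its victim. A site can also check for itself whether it has been loaded inside another document's frame. The following is an added example written for this page, not code from Adobe, US-CERT, or the researchers named above; it uses constructed window-like objects (the `topLevel`, `sameOriginFramed`, and `crossOriginFramed` stand-ins) so it runs offline, and in a browser the real `window` and `document` would be passed instead. The point it illustrates is the edge case a naive check misses: when the framing page is on another origin, reading `top.location` throws a security exception, and a robust check must treat that exception as "framed" rather than as an error.

```javascript
// Added example: a defensive "am I being framed?" check of the kind a site can
// run to detect the iframe embedding that clickjacking relies on. The functions
// take window-like objects so they can be exercised offline with constructed
// stand-ins; in a browser you would pass the real `window` and `document`.

// Decide whether `win` is displayed inside another document's frame.
// Returns "top" for a top-level document and "framed" when an ancestor frame
// exists. A cross-origin ancestor makes `win.top.location` throw a
// SecurityError; a same-origin ancestor never throws, so an exception is
// itself evidence of framing and is reported as "framed".
function framingState(win) {
  try {
    if (win.top === win.self) return "top";
    // Same-origin ancestors expose their location; reading it succeeds.
    void win.top.location.href;
    return "framed";
  } catch (e) {
    return "framed"; // cross-origin ancestor denied access: we are framed
  }
}

// Defensive response when framed: hide the page content so a transparent
// overlay has nothing underneath to redirect clicks to, and record the event.
// Returns the action taken so callers (and tests) can check the outcome.
function respondToFraming(win, doc, log) {
  if (framingState(win) === "top") {
    doc.body.style.display = ""; // keep content visible at top level
    return "shown";
  }
  doc.body.style.display = "none";
  log.push("page loaded inside a frame; content hidden");
  return "hidden";
}

// --- Constructed stand-ins (not real browser objects) for an offline run ---
function makeDoc() { return { body: { style: { display: "" } } }; }

// Top-level document: top and self are the same object.
const topLevel = {}; topLevel.self = topLevel; topLevel.top = topLevel;

// Framed by a same-origin page: top.location is readable.
const sameOriginParent = { location: { href: "https://example.test/" } };
const sameOriginFramed = { top: sameOriginParent };
sameOriginFramed.self = sameOriginFramed;

// Framed by a cross-origin page: any access to top.location throws.
const crossOriginParent = {
  get location() {
    throw new Error("SecurityError: Blocked a frame from accessing a cross-origin frame.");
  }
};
const crossOriginFramed = { top: crossOriginParent };
crossOriginFramed.self = crossOriginFramed;

const events = [];
console.log(respondToFraming(topLevel, makeDoc(), events));          // shown
console.log(respondToFraming(sameOriginFramed, makeDoc(), events));  // hidden
console.log(respondToFraming(crossOriginFramed, makeDoc(), events)); // hidden
```

A script-only check has a known limit that follows directly from the advice above: if scripting is disabled or the frame is sandboxed, the check never runs. In current browsers the stronger control is a server-sent framing policy (the `X-Frame-Options` header or a Content-Security-Policy `frame-ancestors` directive), which the browser enforces before any page script executes; neither existed at the time of this article, which is why the guidance here is limited to the client side.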


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
