"Potential vulnerabilities have been identified in Adobe Flash Player 188.8.131.52 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls," the bulletin states. "This update addresses a potential 'Clickjacking' issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone."
Adobe recommends that affected users upgrade to Flash Player version 10.0.12.36. Flash Player 10 includes tighter security controls on content access across domains and a variety of other security-related changes.
The company plans to update Flash Player 9 in early November.
Earlier this month, Flash developer Guy Aharonovsky published a proof-of-concept exploit to demonstrate how the clickjacking vulnerability can be used to spy on people.
Clickjacking also can be used to direct user clicks to authorize unintended actions without the user's knowledge.
Clickjacking isn't a vendor-specific issue. According to Jeremiah Grossman, founder and CTO of WhiteHat Security, and Robert "RSnake" Hansen, founder and CEO of SecTheory, who identified the flaw, it's a broad cross-platform browser exploitation technique that affects multiple products. Thus, while Adobe's fix may prevent a clickjacking attack directed at Flash Player, users may still be vulnerable through their Web browsers or other software that they're using.
Echoing Grossman's advice on how to mitigate the risk of clickjacking, US-CERT suggests disabling browser scripting, plug-ins, and iframes until the issue is widely addressed, though this may make some Web sites nonfunctional. The NoScript Firefox plug-in provides an easy way to do this.