Adobe Releases Clickjacking Advisory as Demo of Vulnerability Circulates
Written by Rebecca Mints   
Wednesday, 08 October 2008 14:19

Adobe releases an advisory with workarounds for Adobe Flash Player to protect users from clickjacking attacks as the company prepares a patch. Security researchers Jeremiah Grossman and Robert Hansen recently raised red flags over clickjacking issues affecting all the major browsers, including Microsoft Internet Explorer and Apple Safari.


Adobe has posted an advisory to address concerns about clickjacking as it prepares a patch.


The advisory addresses a clickjacking browser issue that affects Adobe Flash Player's microphone and camera access dialog. If successfully executed, clickjacking allows an attacker to lure a Web user into unwittingly clicking on a link or dialog.


While clickjacking itself is not new, security pros Jeremiah Grossman, CTO of WhiteHat Security, and SecTheory CEO Robert Hansen sounded the alarm recently about clickjacking vulnerabilities that affect Adobe Flash Player and every major browser: Microsoft Internet Explorer, Opera, Mozilla Firefox and Apple Safari.


The two were initially supposed to make a presentation about their findings at the OWASP (Open Web Application Security Project) NYC AppSec conference in New York in September, but cancelled it to give vendors an opportunity to patch.


However, a clickjacking demonstration against Flash Player was released Oct. 7 by security researcher Guy Aharonovsky, and after reportedly getting the OK from Adobe, Hansen revealed more details about the issues he and Grossman found.


"First of all let me start by saying there are multiple variants of clickjacking," Hansen wrote on his blog. "Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn't. Some variants use CSRF (cross-site request forgery) to preload data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."


In its advisory, Adobe classified the issue as "critical" and reported that it is working to address the clickjacking issue affecting Flash Player in a future update. In the meantime, Adobe advises IT administrators to change the AVHardwareDisable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. It also recommended users go to the Global Privacy Settings panel of Adobe Flash Player Settings Manager and select the "Always deny" button.
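For administrators checking the mms.cfg workaround described above, the following Python sketch is an added example, not code from Adobe's advisory or from the original article. It audits the contents of an mms.cfg file for AVHardwareDisable and produces a corrected copy; the function names, the sample content, and the handling of duplicate or differently cased keys are assumptions.

```python
import re
import sys

# mms.cfg is a plain key=value text file. Matching the key case-insensitively
# and tolerating spaces around "=" are assumptions made here for robustness.
_KEY = re.compile(r"^\s*AVHardwareDisable\s*=\s*(.*?)\s*$", re.IGNORECASE)


def audit(cfg_text):
    """Return 'disabled', 'enabled' or 'unset' for camera/microphone access."""
    values = [m.group(1) for m in map(_KEY.match, cfg_text.splitlines()) if m]
    if not values:
        return "unset"
    # Conservative: any occurrence other than 1 is reported as needing a fix.
    return "disabled" if all(v == "1" for v in values) else "enabled"


def harden(cfg_text):
    """Return (new_text, changed) with exactly one AVHardwareDisable=1 line."""
    lines = cfg_text.splitlines()
    hits = [i for i, line in enumerate(lines) if _KEY.match(line)]
    if len(hits) == 1 and _KEY.match(lines[hits[0]]).group(1) == "1":
        return cfg_text, False  # already compliant, leave the file untouched
    # Drop every existing occurrence, keep all other settings, append one line.
    kept = [line for i, line in enumerate(lines) if i not in hits]
    kept.append("AVHardwareDisable=1")
    return "\n".join(kept) + "\n", True


# Constructed sample content, not taken from a real host.
SAMPLE = "AutoUpdateDisable=1\nAVHardwareDisable = 0\n"

if __name__ == "__main__":
    # Read-only check: pass the path to a client's mms.cfg as the argument.
    with open(sys.argv[1]) as fh:
        print(audit(fh.read()))
```

Running the script against a client's mms.cfg prints its current state without modifying the file; `harden` returns the corrected text for the administrator to deploy.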



