Adobe Systems Inc.
Adobe Systems Inc, issued an update to its widely used Flash Player Wednesday, blocking a known clickjacking issue as well as clipboard attacks that have been plaguing end users.
"This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone," Adobe said.
Adobe also issued a detailed review of the security changes it made to Flash Player and how they could impact existing content.
The latest version of Flash Player also changes a default setting which could break some content, according to Adobe. The new default sets meta-policy to master-only, giving an administrator more control over being used with a specific domain. "Policy files defined in alternate locations will require an explicit meta-policy for them to work," wrote Trevor McCauley, a quality engineer at Adobe Systems. McCauley said the new default should "prevent privilege escalation attacks against Web servers hosting Flash content and cross-domain policy files."
The update also addressed clipboard attacks by introducing a new clipboard interface. Older versions of Flash Player were susceptible to an attack manipulating the clipboard making it possible for an attacker to overwrite content in the clipboard, replacing it with new content. Flash Player 10 now forces the end user initiate contact with the clipboard through a button or keyboard shortcut.
The update also addresses a known port-scanning issue discovered by researchers. The issue allowed attackers to bypass security functions and obtain sensitive information and conduct port scanning to see whether a specific port is open or not.