Adobe Systems Inc.
Adobe Systems Inc, issued an update to its widely used Flash Player Wednesday, blocking a known clickjacking issue as well as clipboard attacks that have been plaguing end users.
In a security advisory, Adobe said it released Flash Player 10, addressing a flaw that allows attackers to bypass Flash Player security controls. It specifically addresses clickjacking, which could allow an attacker to trick a user to unknowingly click on a link in a Web page. Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. released details of ongoing clickjacking attacks and how they affect multiple browser types, including Internet Explorer 8 and Firefox. The researchers said clickjacking has been a longstanding issue and very difficult for vendors to patch.
"This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone," Adobe said.
Adobe also issued a detailed review of the security changes it made to Flash Player and how they could impact existing content.
The latest version of Flash Player also changes a default setting which could break some content, according to Adobe. The new default sets meta-policy to master-only, giving an administrator more control over being used with a specific domain. "Policy files defined in alternate locations will require an explicit meta-policy for them to work," wrote Trevor McCauley, a quality engineer at Adobe Systems. McCauley said the new default should "prevent privilege escalation attacks against Web servers hosting Flash content and cross-domain policy files."
The update also addressed clipboard attacks by introducing a new clipboard interface. Older versions of Flash Player were susceptible to an attack manipulating the clipboard making it possible for an attacker to overwrite content in the clipboard, replacing it with new content. Flash Player 10 now forces the end user initiate contact with the clipboard through a button or keyboard shortcut.
The update also addresses a known port-scanning issue discovered by researchers. The issue allowed attackers to bypass security functions and obtain sensitive information and conduct port scanning to see whether a specific port is open or not.