Adobe addresses clickjacking in latest Flash Player |
 |
By SearchSecurity.com Staff
15 Oct 2008 | SearchSecurity.com |
|
|
|
|
|
|
|
This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone.
Adobe Systems Inc.
|
|
|
|
|
|
|
|
|
|
Adobe Systems Inc, issued an update to its widely used Flash Player Wednesday, blocking a known clickjacking issue as well as clipboard attacks that have been plaguing end users.
In a security advisory, Adobe said it released Flash Player 10, addressing a flaw that allows attackers to bypass Flash Player security controls. It specifically addresses clickjacking, which could allow an attacker to trick a user to unknowingly click on a link in a Web page. Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. released details of ongoing clickjacking attacks and how they
affect multiple browser types, including Internet Explorer 8 and Firefox. The
researchers said clickjacking has been a longstanding issue and very difficult
for vendors to patch.
"This update helps prevent a clickjacking attack on a Flash Player user's
camera and microphone," Adobe said.
Adobe also issued a detailed review of the security changes it made to Flash Player and
how they could impact existing content.
The latest version of Flash Player also changes a default setting which could
break some content, according to Adobe. The new default sets meta-policy to
master-only, giving an administrator more control over being used with a
specific domain. "Policy files defined in alternate locations will require an
explicit meta-policy for them to work," wrote Trevor McCauley, a quality
engineer at Adobe Systems. McCauley said the new default should "prevent
privilege escalation attacks against Web servers hosting Flash content and
cross-domain policy files."
The update also addressed clipboard attacks by introducing a new clipboard
interface. Older versions of Flash Player were susceptible to an attack
manipulating the clipboard making it possible for an attacker to overwrite
content in the clipboard, replacing it with new content. Flash Player 10 now
forces the end user initiate contact with the clipboard through a button or
keyboard shortcut.
The update also addresses a known port-scanning issue discovered by
researchers. The issue allowed attackers to bypass security functions and
obtain sensitive information and conduct port scanning to see whether a
specific port is open or not.
|
|
|
|
