Adobe releases an advisory with workarounds for Adobe Flash Player to protect users from clickjacking attacks as the company prepares a patch. Security researchers Jeremiah Grossman and Robert Hansen recently raised red flags over clickjacking issues affecting all the major browsers, including Microsoft Internet Explorer and Apple Safari.
Adobe has released an advisory to address concerns about clickjacking as it prepares a patch.
The advisory addresses a clickjacking browser issue that affects Adobe Flash
Player's microphone and camera access dialog. If successfully executed,
clickjacking lets an attacker lure a Web user into unwittingly clicking on
a link or dialog button of the attacker's choosing, such as the button that
grants a site access to the camera and microphone.
While clickjacking itself is not new, security pros Jeremiah Grossman,
CTO of WhiteHat Security, and SecTheory CEO Robert Hansen sounded the
alarm recently about clickjacking vulnerabilities that affect Adobe Flash
Player and every major browser: Microsoft Internet Explorer, Opera, Mozilla
Firefox and Apple Safari.
The two were initially supposed to make a presentation about their findings
at the OWASP (Open Web Application Security Project) NYC AppSec conference in New
York in September, but cancelled it to give vendors
an opportunity to patch.
However, a clickjacking demonstration against Flash Player was released
Oct. 7 by security researcher Guy Aharonovsky, and after reportedly getting
the OK from Adobe, Hansen published details of the issues he and Grossman
found.
"First of all let me start by saying there are multiple variants of
clickjacking," Hansen wrote on his blog. "Some of it requires cross
domain access, some doesn't. Some overlays entire pages over a page, some uses
Some variants use CSRF (cross-site request forgery) to preload data in forms,
some don't. Clickjacking does not cover any one of these use cases, but rather
all of them."
In its advisory, Adobe rated the issue "critical" and said it is working
to address the clickjacking issue affecting Flash Player in a future update.
In the meantime, Adobe advises IT administrators to change the
AVHardwareDisable value in client mms.cfg files from 0 to 1, which disables
camera and microphone access for Flash Player on that machine for every site,
not just the dialog. It also recommended that users open the Global Privacy
Settings panel of the Adobe Flash Player Settings Manager and select
"Always deny".