Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Adobe Releases Clickjacking Advisory as Demo of Vulnerability Circulates



 By: Brian Prince
2008-10-07
Article Rating:starstarstarstarstar / 3


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Adobe releases an advisory with workarounds for Adobe Flash Player to protect users from clickjacking attacks as the company prepares a patch. Security researchers Jeremiah Grossman and Robert Hansen recently raised red flags over clickjacking issues affecting all the major browsers, including Microsoft Internet Explorer and Apple Safari.

Adobe has posted an advisory to address concerns about clickjacking as it prepares a patch.

The advisory addresses a clickjacking browser issue that affects Adobe Flash Player's microphone and camera access dialog. If successfully executed, clickjacking allows an attacker to lure a Web user into unwittingly clicking on a link or dialog.

While clickjacking itself is not new, security pros Jeremiah Grossman, CTO of WhiteHat Security, and SecTheory CEO Robert Hansen sounded the alarm recently about clickjacking vulnerabilities that affect Adobe Flash Player and every major browserMicrosoft Internet Explorer, Opera, Mozilla Firefox and Apple Safari.

Resource Library:

The two were initially supposed to make a presentation about their findings at the OWASP (Open Web Application Security Project) NYC AppSec conference in New York in September, but cancelled it to give vendors an opportunity to patch.

However, a clickjacking demonstration against Flash Player was released Oct. 7 by security researcher Guy Aharonovsky, and after reportedly getting the OK from Adobe, Hansen revealed more details about the issues he and Grossman found.

"First of all let me start by saying there are multiple variants of clickjacking," Hansen wrote on his blog. "Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn't. Some variants use CSRF (cross-site request forgery) to preload data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

In its advisory, Adobe classified the issue as "critical" and reported that it is working to address the clickjacking issue affecting Flash Player in a future update. In the meantime, Adobe advises IT administrators to change the AVHardware Disable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. It also recommended users go to the Global Privacy Settings panel of Adobe Flash Player Settings Manager and select the "Always deny" button.





  Reader Comments: Adobe Releases Clickjacking Advisory as Demo of Vulnerability Circulates
>>> Post your comment now!
Flash Problem
Article would have been MUCH better if it provided CLEAR instructions in how to temporarily fix the problem pending the release of the patch!
Posted At: 10-13-08
By: Anonymous
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks㶲qU'S-Ķ|,8-EAc!)ۚrkG2xjl n4?;;o$rC g8(OaߧGLz$y6}oI#*rdxC5rJԲ|W7RՇnc3P/w`w?a"[Y| tjGta@]2x4tL|hes/cߨW`&`1\!qF٨XC< tסyG`nFNMI 1jjw{ RM7JzQߨ+AQSVT\ju#I-Lcv=ӧH0ВF^8rrnNgSK׺nw[:p|n!|#9ĠVPAbJe+4Ztܜ<_rܴ/O;7]rֹ&OVI3p+?f'k׏`Ck'^ĻE[CCm0Mߑj!1|9}jI>OHN,N/z۾Bdu#$ 7{R(a0̱o>0@|sH`6dʱ(|˺rN~cE'ԃ6kiB! )B!aJ`ukf5r'@̀kfkPXD`k4R 9lb )6K .ƃ]M){IK2_Vʂ-ɿE7h+dԌөﲢ$ɛ!"ˆG9x0|!XsPHQ&NUIR]E6\a>Usٹ>jY]V'dauIUiCozcZ)^u.tv["#}fw͂i 4SO:OМMݶ!9N: N+/6G$ 47P}HG:QI$ p|g-z9ԙ0鋥*ԇRmPCGA :!v|3c)мy&na13CJ{7t t4/fO`^@Z9`88ʬ E81O!>{0sD;ݴiǀxt83(.aHoe˕F }*@FHC}N4"BQF T * gsGǰEFN@@7O$^KI-\fD˛Oq$;cJX.QYlp[/ rRdZ0U 򃜈<"`*ˑe*0pMSx6Vn۠oJJ]*5TIkBk42 0suy=֐4a  [X' :' 5$&.a*byJrǞs,ChNP ]Ǻd׃ J+VL(A\^XPaN&]lRԴa81 հ|ChCeBC`>.{ktX uXu[\wıa弇d:.kpn>>{BLnaDpI.3Ҫ||=Ꭴm4@>zS.z8 9r!M5kb$ӠCfO 6q^i.c˺r+dfYWQ^dћA/-MB[+ 2T%{ N-JƗZZ"JM;P>WL"HEɣ%ue2L:;6R>Wl(`R55 Kb 5EkXgܲ*PP~0mn(V f3ثSq;zE>]>[Ogah=Jeǝ8~S SO4,Ffj9Y[ |7@'˖X e*9t5u{qs;_vZŽtٔzүhVpva>2fÑiHuߴIF̫eU-АJY)jycl ؑq,Yri T*gXs>QȺ='+JuѦɅi@s@MaV3pPU+@1"N9/Lu/V#/;O1]F>1 $DcTe6f LT_P-x8cJD%hTTJ&S4Zл@y{0$t`m>(epF,`^\|<> B K'"VcEsÖYCÖW۔Ђ [и|XT=ߤm[&ХCizxhm~؇J9C!%PPo?EjZXdžVQr^R*oVXˆ)3K c ._nz7gOo(Z3Tx+}x䣋 l*`Ȳ|͘ZմdxTfv#1hh 05-dqCUʾ_Yi7{}h#R2A="8q vt: ZJB5?k*:s5ѺMsls K39S"nLt@-'A&GtE;8*B7Xl["+۝>,s0/$ ,3 㪧RV*"5@V 3ˁ㚆/3OSq<^gTU{My RfL,)Cjn>,0t&☆`B'8,y܊58e1 Se3* ~^`.JMԍ TADB#+}tǞ>1p Fu4z1H=ʧb DuQT4j7 \vN9^̣زo7i ތmcr[ y|rP-,sKiʌg _|p]f)uyzā5C/4Cw▴Fyq )3k[qm'KZ&ԔuXlʪV;P%X봚kEI= OL>31h+Q.ˤ̛oggk]4}3݀,,<|͙}}CϔɹT)iZ l[-W+w; 1 s81^RQ"Y@rrZTU+|2(R|"!C-c'dq<:N~+ϐ& \ٟ8x~sɖBx_I5|gapvO++7A48'C vWyVS{[ $}8$ESu.{Y} aw};Wn\V:jЋﵲR^ieԾ^JNeB&{fB, 8{ubw} ɾW2j/K׼mv: 72wDH4r:E}R|Is޹W}ْ:W֓!u'R9!pUV:fSڌ6N#zzqaKD8 m̀@ c\94c-Ig Vay8aVﬨ!/+.4|㿜Y^uppF e(n1xA\|j]9R;PE3pq*hwevޜ,Hy9Yi@ybZӽM3BJ$cζˤFė4 zyR#AxqXt!}6PגR4\һoeU! 0>9G3`e5>¸*CA=( ;hWNՃĎ;S f'm(=rkx$NdQ:ZZ1 ?nWZ7\hta|c|۷=3F'5L;hF>'cv-Q7&mx9l} HKi8P.V#w)k9,9X1t vU`_Dr1NyH,ʼnCg61CN;#^4/?>&-X_ |2$ߓT-Н> .5yՅ' ;sW]'䂉~+nnbOf0ߊ'{)S^{vO n4]9hn耇vdLc!I )V:Uvv7}ʜ9%++w|72e (o(P2tI rG3`ȞxqK]gӇ4/3W"~o'y ~W*]ۧPHݧwx_b<-\*s\~㚨p;D98y^]8DqD%y#Y!0N آ]Wg ?&hL Zxm` ܭHPy89n7z M(KLv>5"No91D4?{Z (Ō\kkHU8\}'KHEߏ,:#HbZA-$ 5[0g<8Qw6S( ÷2dg@#X ӊ)5@ðͼ1sxC^'b9aØ}q &]]Wa4s/b &.0-=3pe!P,uyQ?,eFQEjigUqtXT}~dbϡb9PwOpw#JJ_B<'GϨ~A~_qhO%U^]UjOJq 8e!q cʗ:ސg>+&CVm6Oyz&~M @} )ThQbx9zbפ+͏^eê-BLjiNLd{1"!c9t>NWc3жG΃*9 !Z>]E u*2x(#[or7ŗ71G(+wRZ$ΎRW,HAf2>;34& X:xjIj53rk>/:$̅v}|hv1J_ r(;z9Xco1z>>>>j}h=6/vKtrm7 жhbZ`CHEzxd0h'@WR?'=c=ڴmxߛPI-K(05CxKע! zKMN,D8$ }}=.B4l=mk-VI}W֔TSC +4Ί~53q-h) ` ;2Kd۱%ؾfZTOKx]ұ KD]ٯ~7~lxtGy}Xz lwXO3H {I}Ck9C3Mapd}΍'PK"†C?ڬ[Ҙhpt|q|=+J]C:ewBV" k^Wv=5)sO|jlGMj7t } h cn)Us=itV%v 묟m}64?M+QVZ+T#uG9ihgf_s-ot/,~ @w" +lrҫ?HO*MAwW! KjŽ;X+5O3i`w 'pP ikxwwd6ֆ1]^Im Zn7i6`W۰8ư:TϊBF50]GV@9KArY+VBˬe#1=Լʇ'$c ~u2{ ʬkb8$Q3 ƹH?\.a5s+x(șY0G@=\1Bb>8\BO=3:;Ds]' ^"6{T_ݷ8,4(?ִ̋oe=I>ZI7m&f)Zbz8S7o@.h #!T7bO~oiwT608{I?xэ}e_+ })V'ӢCt<1JʩaӐt9Acݕڿ`7ݰ 06${u"߼?aC)|k2E[LAoSu&%F[gwD'?MD)`G%&B7Կ I¢ZtOm 2E/sG@Mr~~ *Ɲ@ rϏ!tPQ֌rc[a>oSUk1}!M[ţKp}U Cqqa"{W$9p0LX8ۉ",pZ8M䄲eh@H]YLa!-(!-D/naIzŃB& sψ$v\9a8ڊbI|>l@`j/ &"lRK!8AXJrܘEPa C_ye!5PFPxQiLxSZzH0lsq̩Tl/v(BAdғRtwĘ}؋b>>m^aηv鮥R^(]{LcB_87|oe5Foq{u >d!ә$^tci*pM[.{=r'z(Lϱz sđjuNў7/,9)t?~fZ-j5FG0 ,̏ΓALL`sAum08 Rq`/1K=9rl5 hQ=W/_ŌV\>dF5mF&sJ_%Ƙѕ xb1bFզɝ$`xg u/_\}ģbA)z(ZAkb>ҾpM;q~ܒ.tba,@+>-A &=^FS^(&EeRWG_ 6fVFZQ1G)|/}!㏙Gd&$p4`G3;$%nX{+$ʼOII P46:>jݴZ?#=4u=oz.ZxX2 嵉DO]k6x x'x|֐D ]TVZA3 Bx7tP l9m1qЅֽ'&_҇h:LZS4eenFˮr1p}A~b ̀ lnZvFaF(<"mG=.nrj&[v œ5"td1u24G#>CTD:%L۰flELNςB KmGɧN1r T-uC@a=Q#3(- Os@uTP"]ΰ"@ g o#!\%%n4Wp=9qYla48 3zq"tU-g8ԭ 6t<`q f1pRp\jAN:5/@}X:ϜX\ @qǹԔ0^`!@<Plt4'<( ;t7LXzwbACfp)4fԪRSB`j_)5C [DUf]W.O!cYݬe/cǟ$\iBR. ?h$-GF쎆}dQ ȽO|TBz،X\{ݾ;j^]&gk$g׭~<\z%9nwnoWj[uss}ٺn_X#X0kyl21^ Β^9l^28SKs!Yx9K x5< /ELyx&N)I{`J /!jbTձaa_m)o^]- YWG>tɉ3̐:o}jQ#=|*lPC#W\qPt"v[筓\rGJk%ꋲs !_!׌kȿ^Jmfw [ 88me@3Y~CgG>C;w>};jfCCL2#݌ϐy}9?πO}e"c" >" \/2yA@UFk 2 ># a|2 )7{A7MF7@7\$)cf5pv%s_gK"~)+Pg!* g 촏:ZmU+?3_u3̵T_W'Bh\jzr+*޲iUviAư[x.Q^/TZ+ޤgA=wE6a+E&Ь-'hވu]f= gE%aIY-0'Ut{2ٹWޕ\~UfE+tj1&ϋR<=s֌?群 Md|2Oty'WxK53b]$ul71-dt WJ%ʎ$JxK*8-C})L9 H|\k֊,#!1苄I Mc {Vj͙*q9w0\,AOd=:vzM¨7bFdtN[a&i_1QFӾ"]ǚ X?(-҄)Նqt,c =?Gbd<㠃Ռ]#|F+3௚F3qyU (p6d+D~$Z1=ĺKlCt|n{Djcb~` [BI<şZAy|TLlsDo )@AekA/?iwأWhD۱x&%mY dv.ymhE*6\z|$4|R/Xw|6(68|%K' ϻyHj(tۆ?P & 1&,ڎL[ U|ٲsp0Ŵ¡ѶZ B>ԼQֺ%鏘6X}B҄!>S /RNy(s*>`H6A1<[Z~{Tчee d|%_OxƮ~[axs%d9m<` G&$߀*0to^}>ZQ[tERb0yN&݊~0FĦ2]|R8mLepNRc ΋;53_O[;P?Ba1\XdGx +xϷ;<v; sg'+_<ұE>v/-(Ǭ yJ^Q.u tleb @JA wvǰYD!Ƨ7OЧUHF> T.9ϝn̯4H"<-ǝ8SG>Ճ |@dZU>8֐=μA5|ylR$|C]Ay@~փ!gnh]ۄ68L] l&j4b>Y{& LW{څ$hxb6;|,݀bZ"ND׊rI)9O.*DH6c?pftO@íō]^g"!\0}ّ>s/AĂ+<"e}%Ix+)/,π.ȟ --@V$_DG!. 'sk] NS}9"7O~ݽ:d`"ne_O~]Tb1Zʹ~i~buE`D7bYL;)~ax82C^t]cdu b0=vV͠ .VALaK럢g'}Cԅ|X|=#bŒfC-(ru0!v'xkk^'=^8j}C@c7 Xg{G ؂gj@ L(o,!)A_/0JQ)5h_Urn?GctRnm$t~R_>0x@__> n> }EM9e2B0#a7oϦ A,_:nq}/U'P"4!bOu( ^&?H%ޏʉ%nOYtYؠCMam_|]>\RQ=p""4\A., ,'sIoɻʸHt!-⚰YYnTA"`5EgwHRMՄ}Kv%frhhja{Z0TJ^Vܴ{BmH" :oSCt_:lȻU,}zQgHU]iwZ1 o1qJ4ĄH,sV _BfKšTX9p7o"%Oc ӽ%

`QrO|YG&'49的R[ Ɯ3:II !R4Ɲ7>(厫6]wϳJAj|l3ɱ t+y_HFYIx~"0ȅ3x4!h@+>P&"8J8 ܡ}N^zURW^%ϻ kx+|v7ؘ`H[64R9l's{쪭$C+qd̬;rX4eɗ!wŔ/J]ƁV+VʁO PiW2%)b4 ္?X:VPVh2ڎ# %lS{&-xŕ= `rvz![$|Za2{u.{Y}PShJh^¸^Fk0RJ+Ll47'aJ x