Adobe has posted an advisory to address concerns about clickjacking as it prepares a patch.
The advisory addresses a clickjacking browser issue that affects Adobe Flash Player’s microphone and camera access dialog. If successfully executed, clickjacking allows an attacker to lure a Web user into unwittingly clicking on a link or dialog.
While clickjacking itself is not new, security pros Jeremiah Grossman, CTO of WhiteHat Security, and SecTheory CEO Robert Hansen recently sounded the alarm about clickjacking vulnerabilities that affect Adobe Flash Player and every major browser: Microsoft Internet Explorer, Opera, Mozilla Firefox and Apple Safari.
The two were initially supposed to make a presentation about their findings at the OWASP (Open Web Application Security Project) NYC AppSec conference in New York in September, but cancelled it to give vendors an opportunity to patch.
However, a clickjacking demonstration against Flash Player was released Oct. 7 by security researcher Guy Aharonovsky, and after reportedly getting the OK from Adobe, Hansen revealed more details about the issues he and Grossman found.
In its advisory, Adobe classified the issue as “critical” and reported that it is working to address the clickjacking issue affecting Flash Player in a future update. In the meantime, Adobe advises IT administrators to change the AVHardwareDisable value in client mms.cfg files from 0 to 1, which disables camera and microphone access for the client Flash Player. It also recommends that users open the Global Privacy Settings panel of the Adobe Flash Player Settings Manager and select the “Always deny” button.
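As an added example (not code from Adobe or from the article), the following Python audit parses an mms.cfg body, reports whether the advisory's AVHardwareDisable=1 mitigation is in effect, and rewrites the file content so that it is. The sample file and the helper names are constructed for this illustration.

```python
"""Audit and enforce the mms.cfg mitigation from Adobe's clickjacking advisory.

Constructed example: parses mms.cfg text, reports whether AVHardwareDisable=1
is set (camera/microphone access blocked) and rewrites the body so that it is.
"""
import re

# Key named in the advisory; every other key is left untouched.
KEY = "AVHardwareDisable"
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_mms_cfg(text: str) -> dict:
    """Return {key: value} for an mms.cfg body, skipping blank and '#' comment lines.
    If a key is repeated, the later assignment wins."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def av_hardware_disabled(text: str) -> bool:
    """True only if the file explicitly sets AVHardwareDisable=1.
    A missing key means the default (0, hardware access allowed), so it counts as not disabled."""
    return parse_mms_cfg(text).get(KEY, "0").strip() == "1"


def enforce_av_hardware_disable(text: str) -> str:
    """Return the mms.cfg body with AVHardwareDisable forced to 1.
    Existing assignments of the key are rewritten in place; if absent, one is appended."""
    out, seen = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == KEY:
            out.append(f"{KEY}=1")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f"{KEY}=1")
    return "\n".join(out) + "\n"


# Constructed sample of a client mms.cfg that still allows camera/mic access.
SAMPLE_WEAK = "# Flash Player client settings\nAutoUpdateDisable=0\nAVHardwareDisable = 0\n"
```

On a real host, read the platform's mms.cfg into `text`, run `av_hardware_disabled` as the check, and write back `enforce_av_hardware_disable(text)` to apply the mitigation.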