Adobe has posted an advisory to address concerns about clickjacking as it prepares a patch.
The advisory addresses a clickjacking browser issue that affects Adobe Flash Player’s microphone and camera access dialog. If successfully executed, clickjacking allows an attacker to lure a Web user into unwittingly clicking on a link or dialog.
While clickjacking itself is not new, security pros Jeremiah Grossman, CTO of WhiteHat Security, and SecTheory CEO Robert Hansen sounded the alarm recently about clickjacking vulnerabilities that affect Adobe Flash Player and every major browser-Microsoft Internet Explorer, Opera, Mozilla Firefox and Apple Safari.
The two were initially supposed to make a presentation about their findings at the OWASP (Open Web Application Security Project) NYC AppSec conference in New York in September, but cancelled it to give vendors an opportunity to patch.
However, a clickjacking demonstration against Flash Player was released Oct. 7 by security researcher Guy Aharonovsky, and after reportedly getting the OK from Adobe, Hansen revealed more details about the issues he and Grossman found.
“First of all let me start by saying there are multiple variants of clickjacking,” Hansen wrote on his blog. “Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use CSRF (cross-site request forgery) to preload data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them.”
In its advisory, Adobe classified the issue as “critical” and reported that it is working to address the clickjacking issue affecting Flash Player in a future update. In the meantime, Adobe advises IT administrators to change the AVHardware Disable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. It also recommended users go to the Global Privacy Settings panel of Adobe Flash Player Settings Manager and select the “Always deny” button.
