Adobe patches Flash clickjacking, clipboard poisoning bugs

Adobe Systems patched five vulnerabilities in Flash Wednesday, including one that could be used in “clickjacking” attacks to secretly spy on users through their webcams.

That fix, and others, were rolled into Flash Player 10, the new version of the popular browser plug-in the company launched earlier Wednesday. Previously, Adobe had promised Flash 10 would fix the clickjacking bug and another that has been used by hackers for more than a month to poison clipboards with malicious URLs.

“Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue that has been making news recently, and also includes a mitigation for recent clipboard attacks as well as other security enhancements,” said David Lenoe, Adobe’s product security program manager, in a short entry on the company’s security blog.

More articles on flaws and patches

Adobe also published a security advisory for the fixes included in Flash Player 10. “This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone,” the advisory said.

Last week, Adobe warned users that attackers could use recently reported “clickjacking” tactics to trick them into giving a malicious site access to the computer’s webcam and microphone through Flash.

A pair of security researchers, Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security Inc., first discussed clickjacking, the term they gave to a new class of vulnerabilities, three weeks ago. At the time, they discussed the attacks in only general terms, as they had agreed to keep the technical information confidential at Adobe’s request.

Only last week did they break their silence, after Adobe gave them the green light when another researcher independently came up with proof-of-concept exploit code able to hijack a webcam through Flash.

The clipboard poisoning bug, which Flash 10 also patched, goes back nearly two months, when researchers reported that Flash-based ads were infecting Mac and Windows clipboards with URLs to attack sites. Hackers, said those researchers, were abusing Flash’s “setClipboard” command to poison the clipboards.

In September, Adobe acknowledged the vulnerability and said it would patch it in Flash 10.

“This update introduces changes to the Clipboard API that will prevent potential Clipboard attacks,” said Wednesday’s advisory.

Flash 10 also included patches for three other vulnerabilities, including a fix that blocks Flash from automatically downloading files.

Although Flash 10 is available immediately for Windows, Mac OS X, Linux and Solaris, users who don’t want to update will have to wait until next month for fixes, said Lenoe. “For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November,” he said.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now