Wednesday, October 08, 2008

Adobe Flash and Clickjacking

Adobe published a workaround for the clickjacking vulnerability illustrated in the demonstration described at ZDNet. If you do not use Firefox with NoScript updated to version 1.8.2.1 or have not disabled Adobe Shockwave Flash with WinPatrol, see the workaround published by Adobe. Adobe expect to issue a permanent fix before the end of the month.
Flash Player workaround available for "Clickjacking" issue
Release date: October 7, 2008
Vulnerability identifier: APSA08-08

Platform: All Platforms
Affected Software: Adobe Flash Player 9.0.124.0 and earlier

Summary:

Adobe is aware of recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. It has been determined that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe is working to address this issue in an upcoming update to Flash Player.

Solution Customers:

To prevent this potential issue, customers can change their Flash Player settings as follows:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the "Always deny" button.
  3. Select ‘Confirm’ in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

(Via Larry Seltzer in Adobe Releases Workaround For Clickjacking Attack.)








Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

No comments: