Adobe shutters Clickjacking flaw
Published: 2008-10-17

Multimedia software maker Adobe announced this week that the company had released the latest version of its Flash Player software, closing several serious software vulnerabilities, including the flaw that allowed two researchers to circumvent the product's security with "clickjacking."

Two security researchers found the clickjacking issue last month while investigating methods of modifying a victim's user interface to force them to take an action desired by the attacker. Also known as user-interface redress and IFRAME overlay, the attack can cause a user to click on a button that takes an unwanted action, such as deleting e-mail or transferring money on a banking Web site.

The Flash Player update, which upgrades version and earlier to version, closes several software holes, including the one used by the clickjacking attack, and makes it harder for attackers to circumvent the security controls, Adobe said in an advisory.

"Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog," the company stated in its advisory. "This update helps prevent a Clickjacking attack on a Flash Player user’s camera and microphone."

In September, researchers Robert Hansen and Jeremiah Grossman planned to detail the threat of clickjacking at the Open Web Application Security Project (OWASP) AppSec conference in New York City, but canceled the talk at the request of Adobe. Clickjacking uses Web graphics to persuade a victim to click where an attacker wants on a page. The technique can be used by an attacker to hide a button or link on a legitimate page, such as a bank's account page or Web mail application, using other Web content to mask the page's context.
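The IFRAME overlay described above only works if the targeted page lets a third-party origin embed it. The following is an added example, not code from the article, from Adobe, or from the researchers named here: a small check a site owner can run over the response headers their server sends, classifying whether a browser that honours the (later-standardised) X-Frame-Options header and the CSP frame-ancestors directive would allow a foreign page to frame it. The header values and the sample responses are constructed for illustration.

```javascript
// Added example: classify how freely a page can be framed, based on the
// anti-framing headers in its HTTP response. Neither header is mentioned
// in the article; both are the standard browser-side mitigation today.

// Return the source list of a CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object of response headers (names matched case-insensitively).
// Returns one of: 'blocked', 'same-origin', 'allowlist', 'frameable'.
function framingPolicy(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }

  // CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
  const csp = lower['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors) {
      if (ancestors.includes("'none'")) return 'blocked';
      if (ancestors.every((s) => s === "'self'")) return 'same-origin';
      return 'allowlist'; // only the listed origins may embed the page
    }
  }

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'frameable'; // any origin can overlay this page in an IFRAME
}

// Constructed sample responses (hypothetical paths) standing in for a site audit.
const SAMPLE_RESPONSES = {
  '/account/transfer': { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  '/mail/inbox': { 'content-type': 'text/html', 'x-frame-options': 'sameorigin' },
  '/settings': {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'SAMEORIGIN', // ignored: CSP wins
  },
  '/widget': { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  '/help': { 'Content-Type': 'text/html' }, // no anti-framing header at all
};

// Return the paths any third-party origin could frame, i.e. the ones to fix first.
function frameablePaths(responses) {
  return Object.entries(responses)
    .filter(([, headers]) => framingPolicy(headers) === 'frameable')
    .map(([path]) => path);
}

console.log('Frameable by any origin:', frameablePaths(SAMPLE_RESPONSES));
```

A `'frameable'` result on a page that performs a state-changing action (a transfer form, an e-mail deletion button) is exactly the precondition the attack needs; adding `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` to that response removes it for every browser that enforces those headers.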

Adobe plans to release a version of Flash Player 9 in early November for customers that cannot upgrade to Flash Player 10, the company said.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus