All the latest UK technology news, reviews and analysis
|
|
|
09 Oct 2008
Adobe has issued a security alert about its Flash software that is vulnerable to a practice known as 'clickjacking'.
Clickjacking involves subverting a web page so that when a visitor clicks on a link they are redirected to a site the hacker wants them to see. It is a variant of cross-site scripting attacks but appears to be more serious.
Details of the attack were due to be published at the OWASP NYC AppSec 2008 Conference but the talk was withheld at Adobe's request until a workaround could be developed.
Jeremiah Grossman, co-founder of Whitehat Security, and one of the researchers who uncovered the technique, said in a blog posting: "Let's be clear. The responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider.
"Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions in case the others don't do enough or anything at all."
Grossman warned that almost all browsers are vulnerable because of the way they process graphics, and only text-based browsers like Lynx are secure.
The researcher has demonstrated how a hacked Flash advert could be used to take control of a computer's webcam and microphone, for example, turning it into a surveillance device.
"With clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily," he said.
The US Computer Emergency Response Team has also issued a warning on the practice, and browser manufacturers are scrambling to come up with a method of defeating the attacks.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Salesforce.com Consultants, both Functional or Technical...
Enterprise Data Architect required by reputable Banking...
SSIS, SSAS, MDX, OLAP, OLTP, Data Warehousing, Data Modelling...
Specialist IT service provider is looking to recruit...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Flash Player workaround
To help prevent this issue, you can change your Flash Player settings as follows: 1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html 2. Select the "Always deny" button. 3. Select "Confirm" in the resulting dialog. 4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and/or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html
Posted by: ray marshall 09 Oct 2008