Home > Security News > Adobe addresses clickjacking in latest Flash Player
Security News:
EMAIL THIS

Adobe addresses clickjacking in latest Flash Player

By SearchSecurity.com Staff
15 Oct 2008 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone.

Adobe Systems Inc.

Adobe Systems Inc, issued an update to its widely used Flash Player Wednesday, blocking a known clickjacking issue as well as clipboard attacks that have been plaguing end users.

In a security advisory, Adobe said it released Flash Player 10, addressing a flaw that allows attackers to bypass Flash Player security controls. It specifically addresses clickjacking, which could allow an attacker to trick a user to unknowingly click on a link in a Web page. Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. released details of ongoing clickjacking attacks and how they affect multiple browser types, including Internet Explorer 8 and Firefox. The researchers said clickjacking has been a longstanding issue and very difficult for vendors to patch.

"This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone," Adobe said.

SearchSecurity radio:

Adobe also issued a detailed review of the security changes it made to Flash Player and how they could impact existing content.

The latest version of Flash Player also changes a default setting which could break some content, according to Adobe. The new default sets meta-policy to master-only, giving an administrator more control over being used with a specific domain. "Policy files defined in alternate locations will require an explicit meta-policy for them to work," wrote Trevor McCauley, a quality engineer at Adobe Systems. McCauley said the new default should "prevent privilege escalation attacks against Web servers hosting Flash content and cross-domain policy files."

The update also addressed clipboard attacks by introducing a new clipboard interface. Older versions of Flash Player were susceptible to an attack manipulating the clipboard making it possible for an attacker to overwrite content in the clipboard, replacing it with new content. Flash Player 10 now forces the end user initiate contact with the clipboard through a button or keyboard shortcut.

The update also addresses a known port-scanning issue discovered by researchers. The issue allowed attackers to bypass security functions and obtain sensitive information and conduct port scanning to see whether a specific port is open or not.



Tags: Emerging Information Security ThreatsApplication Attacks (Buffer Overflows, Cross-Site Scripting)Patch ManagementVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google




More Tips to Secure Your Network
Focused on Channel Security?
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts