Adobe patch thwarts clickjacking attack
Flash, bang, wallop
Adobe has published an update to its popular Flash Player software, addressing a much-publicised clickjacking flaw.
Clickjacking affects multiple applications (including browsers and media players) and creates a means for hackers to trick prospective marks into unknowingly clicking on a link or dialogue. Adobe Flash Player - specifically the microphone and camera access dialogue - was among the products affected.
Version 10.0.12.36 of Flash Player defends against the attack while also addressing a glitch involving interoperability with Firefox. It also deals with a bug in enforcing cross-domain policies that might be exploited by hackers to bypass security restrictions, as explained in an advisory from Adobe here.
The new version of Flash Player also introduces a whole raft of new features, focusing on the ability to handle audio files, as explained in our earlier story here.
Adobe published a workaround to defend against the clickjacking flaw last week, promising a patch by the end of the month, so it's actually ahead of schedule in delivering a security fix.
The clickjacking issue rose to prominence after two security researchers, Jeremiah Grossman and Robert "RSnake" Hansen, cancelled a planned presentation on the class of vulnerability due to take place at the AppSec 2008 Conference in New York late last month. This created interest in clickjacking, and undoubtedly spurred a security blogger into creating a proof of concept exploit demo involving Adobe Flash in early October.
This, in turn, prompted Adobe to produce a workaround (temporary defence) and now a patch. An overview of the full list of security improvements in the latest version of Flash can be found in an advisory from Secunia here. ®