
Adobe addresses Flash Player 'clickjacking' flaw

Tom Espiner ZDNet.co.uk

Published: 16 Oct 2008 12:53 BST


Adobe has addressed a security flaw in its Flash Player products that could lead to 'clickjacking' attacks.

Flash Player 10, released on Wednesday, includes a fix for the clickjacking vulnerability published by researchers Jeremiah Grossman and Robert Hansen earlier this month. Clickjacking attacks take advantage of vulnerabilities in Adobe Flash Player 9.0.124.0 and earlier, as well as vulnerabilities in browsers such as Internet Explorer, Opera, Firefox and Safari. Exploitation of the flaws could allow an attacker to disguise website elements, such as dialogue boxes and links, so that the user is fooled into visiting malicious websites.

"Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue," wrote Adobe product security programme manager David Lenoe in a blog post on Wednesday.

The Flash Player 10 update also helps prevent a clickjacking attack on a user's web camera and microphone, according to an Adobe security advisory. This variant of the attack could allow eavesdropping.

The update contains four more security fixes, including a mitigation against clipboard attacks and a fix for a port-scanning issue. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November, according to the advisory.

On Wednesday, Adobe also published a security advisory for Flash Creative Suite 3 Professional, warning of a potential flaw that allows an attack using malformed SWF files. Flash Creative Suite 4, released on Wednesday, and Flash Player products, are not affected by this issue.
