'Clickjackers' could hijack webcams, microphones, Adobe warns
It issues security advisory for Flash, but won't patch until later this month
Computerworld - Adobe Systems Inc. warned users Tuesday that hackers could use recently reported "clickjacking" attack tactics to secretly turn on a computer's microphone and Web camera.
Flash on all platforms is susceptible to clickjacking attacks, Adobe said in an advisory posted Tuesday. By duping users into visiting a malicious Web site, hackers could hijack seemingly innocent clicks that, in reality, would be used to grant the site access to the computer's webcam and microphone without the user's knowledge.
"This potential 'clickjacking' browser issue affects Adobe Flash Player's microphone and camera access dialog," acknowledged David Lenoe, the company's security program manager, in a post to Adobe's security blog.
Although a patch is not ready -- Lenoe said one would be issued by the end of October -- Adobe's advisory listed steps users can take immediately to block webcam and microphone hijacking. Adobe recommended that users access Flash's Settings Manager using a browser to select the "Always deny" option.
Adobe rated the vulnerability as "critical," its highest threat ranking.
According to Robert Hansen, one of the two security researchers who first raised the warning about clickjacking last month, Adobe will patch the bug in Flash 10, which already has been pegged for other fixes, including a flaw that's been used by attackers for over a month to poison clipboards with URLs to malicious sites.
Hansen noted that Macs are particularly vulnerable to the Flash clickjacking attack, since all recent Apple notebooks and desktop systems include built-in cameras and microphones.
At the same time that Adobe posted its advisory, it gave Hansen and his research partner, Jeremiah Grossman, the green light to reveal clickjacking details that they had kept confidential at Adobe's request.
Hansen posted a long entry to his blog that spelled out a dozen different clickjacking attack scenarios. Two weeks ago, when they provided only a general description of clickjacking, Hansen stressed that it was not a single exploit, but a new class of exploits.
Read more about Security in Computerworld's Security Topic Center.
- The State of Video Conferencing Security Video conferencing equipment, found in almost every boardroom around the world, may be opening up companies to serious security breaches. This paper explains...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- What are the desktop virtualization market trends and how can you successfully deploy your solution? You've probably heard about desktop virtualization -- and some of its benefits -- things like tighter security, streamlined management and lower costs. But...
- The Value of Symantec NetBackup Appliances In this video, Symantec's Shelley Schmokel, Principal Product Manager for NetBackup Appliances, talks about the NetBackup Integrated Appliances and how they deliver enterprise-class... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!