Adobe patches Flash clickjacking and clipboard-poisoning bugs

Computerworld - Adobe Systems Inc. patched five vulnerabilities in Flash today, including one that could be used in "clickjacking" attacks to secretly spy on users through their webcams.

That fix, and others, were rolled into Flash Player 10, the new version of the popular browser plug-in the company launched earlier today. Previously, Adobe had promised that Flash 10 would fix the clickjacking bug and another flaw that has been used by hackers for more than a month to poison clipboards with malicious URLs.

"Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue that has been making news recently, and also includes a mitigation for recent clipboard attacks as well as other security enhancements," said David Lenoe, Adobe's product security program manager, in a short entry on the company's security blog.

Adobe also published a security advisory for the fixes included in Flash Player 10. "This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone," the advisory said.

Last week, Adobe warned users that attackers could use recently reported clickjacking tactics to trick them into giving a malicious site access to the computer's webcam and microphone through Flash.

A pair of security researchers, Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security Inc., first discussed clickjacking, the term they gave to a new class of vulnerabilities, three weeks ago. At the time, they discussed the attacks in only general terms because they had agreed to keep the technical information confidential at Adobe's request.

Only last week did they break their silence, after Adobe gave them the green light when another researcher independently came up with proof-of-concept exploit code able to hijack a webcam through Flash.

The clipboard-poisoning bug, which Flash 10 also patched, goes back nearly two months, when researchers reported that Flash-based ads were infecting Mac and Windows clipboards with URLs to attack sites. Hackers were abusing Flash's "setClipboard" command to poison the clipboards, said those researchers.

In September, Adobe acknowledged the vulnerability and said it would patch it in Flash 10.

"This update introduces changes to the Clipboard API that will prevent potential Clipboard attacks," said today's advisory.

Flash 10 also included patches for three other vulnerabilities, including a fix that blocks Flash from automatically downloading files.

Although Flash 10 is available immediately for Windows, Mac OS X, Linux and Solaris, users who don't want to update will have to wait until next month for fixes, said Lenoe. "For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November," he said.