The Channel Wire

October 08, 2008

Adobe Systems issued a security advisory Tuesday to inform users about a clickjacking hack that is affecting their software and provided a word around to shore up user vulnerability. The clickjacking tactic allows unauthorized users to turn on the microphones and cameras on users personal computers.

Adobe issued a statement on their Website letting users know that they are aware of the vulnerability that is affecting all versions of Adobe Flash Player, and issued advice to prevent the threat.

The Flash player weakness was categorized as critical by Adobe.

The blog ha.ckers.org explains the vulnerability on their blog.

"First of all let me start by saying there are multiple variants of clickjacking," states the blog. "Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

The flaw with Adobe's software can be addressed by users by changing Flash Player settings. First, users need to access the Global Privacy Settings panel in the Flash Player Manager. Follow the link and select the "always deny" button then confirm the settings in the dialogue box that will appear.

Users will no longer be allowed to allow or deny camera or microphone access after making these changes. However, selective access can be selected by users who go to the Adobe Website.

IT administrators can change the AVHardwareDisable value in clients mms.cfg files from 0 to 1 to disable Flash Player camera and microphones, Adobe states on its Web site.

While the clickjacking vulnerability fix is currently in a work around stage, Adobe is aware of the problem and is promising to address the issue in an upcoming Flash Player update, currently scheduled for release before the end of October.