Important: Please upgrade Flash
10-17-08 16:49
Important Upgrade to Avoid "Clickjacking" Attacks
I wanted to let you know that there is a new IT issue that has surfaced. Please upgrade your Adobe Flash Player to Version 10. There is a flaw with Version 9.0.124.0 that allows attackers to view cam and hear audio. Additionally, they are finding that they are targeting people regarding online banking to get their information.
To upgrade: http://www.adobe.com/products/flash/about/
This link will also tell you what version you have.
For more information about the flaw:
http://www.zdnetasia.com/news/security/0...281,00.htm
http://www.informationweek.com/news/inte...=211201721
Adobe Flash Player Fix Stops 'Clickjacking'
Adobe recommends users upgrade to Flash Player version 10.0.12.36 to avoid bugs that could lead to an attack over Internet Explorer, Firefox, Safari, Opera, or Chrome Web browsers.
By Thomas Claburn
InformationWeek
October 17, 2008 03:15 PM
Adobe Systems (NSDQ: ADBE) on Wednesday released a security bulletin to address a critical vulnerability in its Flash Player software that could let an attacker spy on victims through computer-connected Webcams or microphones or dupe victims into unknowingly authorizing harmful actions on their computers.
"Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls," the bulletin states. "This update addresses a potential 'Clickjacking' issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user's camera and microphone."
Adobe recommends that affected users upgrade to Flash Player version 10.0.12.36. Flash Player 10 includes tighter security controls on content access across domains and a variety of other security-related changes.
The company plans to update Flash Player 9 in early November.
Earlier this month, Flash developer Guy Aharonovsky published a proof-of-concept exploit to demonstrate how the clickjacking vulnerability can be used to spy on people.
Clickjacking also can be used to direct user clicks to authorize unintended actions without the user's knowledge.
Clickjacking isn't a vendor-specific issue. According to Jeremiah Grossman, founder and CTO of WhiteHat Security, and Robert "RSnake" Hansen, founder and CEO of SecTheory, who identified the flaw, it's a broad cross-platform browser exploitation technique that affects multiple products. Thus, while Adobe's fix may prevent a clickjacking attack directed at Flash Player, users may still be vulnerable through their Web browsers or other software that they're using.
Echoing Grossman's advice on how to mitigate the risk of clickjacking, US-CERT suggests disabling browser scripting, plug-ins, and iframes until the issue is widely addressed, though this may make some Web sites nonfunctional. The NoScript Firefox plug-in provides an easy way to do this.
Thanks Katrina for this find.
Copyright © 2010 2008 HWerks.com.
