By Walaika Haskins TechNewsWorld
10/08/08 4:07 PM PT
A Flash Player vulnerability could allow attackers to gain control of a user's webcam and microphone, according to a security advisory issued by Adobe. The company has issued a workaround; however, a patch won't come until later. As always, Web surfers should be careful where they're clicking.
Software maker Adobe (Nasdaq: ADBE) issued a security advisory Tuesday warning users of its Adobe Flash Player about a vulnerability that could expose them to so-called clickjacking attacks.
Adobe has rated the issue as "critical." The vulnerability is pervasive, affecting all major browsers including Microsoft's (Nasdaq: MSFT) Internet Explorer, Apple's (Nasdaq: AAPL) Safari and Mozilla's Firefox.
While Adobe has not issued a patch for the bug, it has included a workaround in the advisory. The company hopes to address the vulnerability in an upcoming Flash Player update, scheduled for release by the end of October.
Adobe credits security researchers Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security, Eduardo Vela and Matt Mastracci of DotSpots as well as Liu Die Yu for reporting the vulnerability.
Hijacking Clicks
Clickjacking has been around for a while, according to Chris Rodriguez, an analyst at Frost & Sullivan.
"[Clickjacking] comes in many different forms. It has been greatly overlooked by the security community and the criminal community alike. Recently, researchers have demonstrated the dangers of this threat through an Adobe Flash Player vulnerability that would allow an attacker to gain control of a user's microphone and webcam," he told TechNewsWorld.
The exploited vulnerability poses a risk when an attacker is able to trick a user into unwittingly clicking on a link or dialog, according to Adobe.
Clickjacking is usually done by using invisible buttons to get a user to click on something unintentionally, Rodriguez explained.
"However, Adobe's security bulletin is in response to some really nefarious stuff that has been a hot topic lately. Someone has figured out how to use clickjacking to gain access to the user's microphone and webcam. Now that's some scary stuff," he continued.
Celebrity Vulnerabilities
The problem with this and other high-profile security flaws is that they "are quickly weaponized -- in as little as a week, or less," said Rodriguez.
"More importantly, Adobe has only provided a workaround and has not released a patch. Even when a fix is available, Adobe Flash updates are not usually a part of enterprise patch management cycles. We expect that Adobe is working around the clock to fix this problem and until then, users are at risk unless they research, understand and take the recommended measures against this threat," he added.
As Web browsers become more advanced, these types of threats will continue, according to Phil Hochmuth, a Yankee Group analyst.
"As browsers continue to take on the role of traditional desktop applications, and even desktop operating environments, the increased complexity of plug-ins and browser enhancement tools will no doubt lead to more exploitable flaws and vulnerabilities," he told TechNewsWorld.