Creepy Clickjacking Bug Lets Hackers Control Webcams
A Flash Player vulnerability could allow attackers to gain control of a user's webcam and microphone, according to a security advisory issued by Adobe. The company has issued a workaround; however a patch won't come until later. As always, Web surfers should be careful where they're clicking.
10/08/08 4:07 PM PT
Software maker Adobe issued a security advisory Tuesday warning users of its Adobe Flash Player about a vulnerability that could expose them to so-called clickjacking attacks.
Adobe has rated the issue as "critical." The vulnerability is pervasive, affecting all major browsers including Microsoft's Internet Explorer, Apple's Safari and Mozilla's Firefox.
While Adobe has not issued a patch for the bug, it has included a workaround in the advisory. The company hopes to address the vulnerability in an upcoming Flash Player update, scheduled for release by the end of October.
Adobe credits security researchers Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security, Eduardo Vela and Matt Mastracci of DotSpots as well as Liu Die Yu for reporting the vulnerability.
Clickjacking has been around for a while, according to Chris Rodriguez, an analyst at Frost & Sullivan.
"[Clickjacking] comes in many different forms. It has been greatly overlooked by the security community and the criminal community alike. Recently, researchers have demonstrated the dangers of this threat through an Adobe Flash Player vulnerability that would allow an attacker to gain control of a user's microphone and webcam," he told TechNewsWorld.
The exploited vulnerability poses a risk when an attacker is able to trick a user into unwittingly clicking on a link or dialog, according to Adobe.
Clickjacking is usually done by using invisible buttons to get a user to click on something unintentionally, Rodriguez explained.
"However, Adobe's security bulletin is in response to some really nefarious stuff that has been a hot topic lately. Someone has figured out how to use clickjacking to gain access to the user's microphone and webcam. Now that's some scary stuff," he continued.
The problem with this and other high-profile security flaws is that they "are quickly weaponized -- in as little as a week, or less," said Rodriguez.
"More importantly, Adobe has only provided a workaround and has not released a patch. Even when a fix is available, Adobe Flash updates are not usually a part of enterprise patch management cycles. We expect that Adobe is working around the clock to fix this problem and until then, users are at risk unless they research, understand and take the recommended measures against this threat," he added.
As Web browsers become more advanced, these types of threats will continue, according to Phil Hochmuth, a Yankee Group analyst.
"As browsers continue to take on the role of traditional desktop applications, and even desktop operating environments, the increased complexity of plug-ins and browser enhancement tools will no doubt lead to more exploitable flaws and vulnerabilities," he told TechNewsWorld.