San Jose (CA) – Adobe has issued a “critical” security alert to users of its Flash player. The company warns that hackers can mislead users into clicking on a link that then lets the attacker remotely control the user’s webcam and microphone. Adobe’s security warning comes on the heels of recently released proof of concept code which shows the attack in action.
Guy Aharonovsky has released proof of concept code that demonstrates the attack, and you can view that page by clicking here. In the demo, the user is presented with a simple game that forces the user to click around the screen. Unfortunately, there’s an invisible iframe under the primary screen, and some of those clicks are actually opening other websites and dialogue boxes. This eventually leads to the user’s webcam and microphone being taken over. Mr. Aharonovsky promises that his demo doesn’t actually record any information, but you can view his YouTube video of the demo if you are concerned about your browser’s safety.
Adobe’s advisory gives credit to five researchers including Jeremiah Grossman and Robert Hansen from WhiteHat Security. The pair was supposed to give a presentation about the vulnerability at the AppSec conference in New York City last month, but cancelled it at Adobe’s request. Mr. Hansen has since published more details about the vulnerability on his blog.
Adobe Flash Player 184.108.40.206 and all earlier versions are vulnerable, and the company advises people to go into the Flash Player settings menu and select “Always deny” in the Global Privacy Settings panel. This will always deny access to the microphone and webcam and should be considered a temporary workaround while Adobe researches a more permanent solution.