Adobe addresses ‘ClickJacking’ flaw in Flash 10

Posted by Joshua Hill

Adobe’s Flash Player 10, released yesterday, includes a fix for a security flaw found in Adobe Flash Player 9.0.124.0 and earlier. ‘ClickJacking’, as the issue was dubbed, would allow a hacker to mislead people into clicking on a link that could eventually let their computer be remotely controlled.

WhiteHat Security CTO Jeremiah Grossman said that ClickJacking “gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” At Adobe’s request, Grossman and Robert “RSnake” Hansen postponed a presentation about the vulnerability at OWASP AppSec NY 2008.

“Flash Player 10 addresses Flash Player-specific aspects of the overall ClickJacking issue that has been making news recently,” said David Lenoe, Adobe product security program manager, “and also includes a mitigation for recent clipboard attacks as well as other security enhancements.”

TG Daily wrote earlier this month about ClickJacking, saying that the process can eventually lead “to the user’s webcam and microphone being taken over.”