Adobe Flash Patch Addresses 'ClickJacking' Flaw

Adobe last week issued a critical update for its Flash multimedia player, including a fix for a dangerous class of vulnerabilities that gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.

The Flash patch addresses at least five security vulnerabilities, including two flaws that allow what's being called "clickjacking," a vulnerability present in Flash as well as multiple Web browsers that could allow an attacker to lure a user into unknowingly clicking on a link or dialog box, even if that link or box were located on another Web page.

Clickjacking uses a technology known as "iFrames" to invisibly load content from a separate Web page within the context of the page the user is viewing. Using a specially crafted iFrame, a malicious site could load an invisible frame containing a page from another site and overlay it transparently on top of a link or button that the user wants to click. In this context, a user may believe they are clicking on a trusted link, but instead be taken to a malicious site.

Robert "RSnake" Hansen, founder and chief executive of SecTheory LLC, who co-discovered the attack along with Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., said the vulnerability is present in all of the major browsers, including Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (all versions), Mozilla Firefox, and Opera. But he said the flaw is especially dangerous when used in combination with Adobe Flash, as Flash can easily be made to interact with any microphone or Web cam connected to the user's machine, potentially enabling attackers to spy on a victim through those devices.

"Most Web users understand the idea of a X and Y axis on the screen: They understand what's above, below and to the side of the browser Window, but most users have no context for understanding the Z (vertical) dimension of the browser," Hansen said. "When something is in front or behind the browser, there's no easy way for the user to identify what's going on there. If I put a link on a page that I want you to think you want to click on, I can hover an iFrame directly over top that the user can't see, so that the thing I want you to click on is evil, while the thing you want to click on is benign."

The attack works best against sites at which the user has already logged in, Hansen said. Many of these sites keep their links and buttons in the same place regardless of which Web browser the visitor is using, so attackers need only place the invisible iFrame at a single set of coordinates over top of the link or button they are targeting.

Clickjacking also relies on the attacker knowing in advance the exact URL or Web address of the hidden page or link that the iFrame loads. If the location of the button on the legitimate site changes randomly, or if the link needed to trigger the desired action on the legitimate page changes with each session, the clickjacking attack fails, Hansen said. For example, many Web sites use dynamic URLs or "session IDs" once a customer presents her credentials to a site to log in. In such a scenario, the attackers would have no way of knowing ahead of time what URL to load into the malicious iFrame.
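An added illustration of the per-session URL argument above, written for this article rather than taken from it: a hypothetical server hands out a random action token at login and embeds it in every button's URL, so a framed URL that an attacker prepared before the victim logged in is rejected even though the victim's session cookie would accompany the click.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

# Hypothetical in-memory session store: session id -> per-session state.
SESSIONS = {}


def login(user: str) -> str:
    """Create a session and a fresh random token that every action URL must carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "action_token": secrets.token_urlsafe(16)}
    return sid


def action_url(sid: str, action: str) -> str:
    """Build the URL the legitimate page puts behind a button; it differs per login."""
    tok = SESSIONS[sid]["action_token"]
    return f"https://bank.example/{action}?t={tok}"


def handle_request(sid: str, url: str) -> str:
    """Server-side check: perform the action only if the URL carries this session's token."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "rejected: no session"
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("t", [""])[0]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, sess["action_token"]):
        return "rejected: per-session token missing or wrong"
    return f"ok: {parsed.path.lstrip('/')} for {sess['user']}"


def demo() -> tuple:
    """Constructed scenario: a real button click versus a URL guessed in advance."""
    sid = login("alice")
    good = action_url(sid, "transfer")          # rendered into the page after login
    guessed = "https://bank.example/transfer"   # all a pre-built iFrame could know
    return handle_request(sid, good), handle_request(sid, guessed)
```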

Grossman earlier this month posted a video that demonstrates how this attack could be used to spy on a victim through her computer's Web cam and microphone. At a security conference in Santa Fe this past week, Hansen showed me a similar but slightly more disturbing video that shows off just how powerful this attack can be.

Hansen said the "noscript" add-on for Firefox will block close to all of these clickjacking attacks, but that other browser makers have acknowledged the problem as one that is not trivial to fix.

Giorgio Maone, the maker of noscript, has a great primer on steps that IE, Opera and Safari users can take to help mitigate the threat from clickjacking attacks. That said, I am not aware of any active, malicious clickjacking attacks. I mention that not to belittle the threat from clickjacking, but as a reality check, as none of these suggestions will totally block clickjacking on these browsers. What's more, as Maone notes, the protection you get from his tips comes with big or enormous usability costs (depending on the browser), as a great many Web sites will simply fail to load correctly as a result.

The Adobe update, Flash version, can be downloaded from this link. You can always verify what version of Flash you are running by visiting this page. Depending on your setup, the Flash update may need to be applied to each browser separately. Windows users who have Firefox and Opera on the same machine can patch both browsers simultaneously by visiting the Adobe Flash update page with either browser. Likewise, the new Flash patch for Mac OS X users will update Firefox, Opera and Safari in one go.

Windows users will also want to visit the Flash update page with IE to update that browser as well. To get the update for IE, visit the Flash updater page, click "Agree and Install Now," then approve the installation of an ActiveX control, and then hit "Run" at the next prompt.

By Brian Krebs  |  October 20, 2008; 5:00 PM ET


I downloaded the update and ran the file.
On a number of occasions the installation would not proceed. A dialogue box came up telling me that I did not have enough free space. I have 211 GB free on that drive. I looked through the Adobe Flash site but there were no hints there. And I don't want the update badly enough to go bouncing through support. Anyone else have this problem, or am I missing something stupidly obvious?

Posted by: B. Long | October 21, 2008 12:46 AM | Report abuse

When trying to install Shockwave player on a m/c with Vista and IE a Data Execution Prevention for IE occurs. If Adobe can't do the install in a safe method for its software then maybe it is not so surprising their software is prone to flaws.

Posted by: Anonymous | October 21, 2008 2:10 AM | Report abuse

and the Adobe Media Player Download Link at the top of the page, is not the Flash Player. You should point that out, or people will download that instead.

Posted by: Ron | October 21, 2008 6:51 AM | Report abuse

Manufacturers need to put a hardware door on these video cams/mics so you can block them out when not in use. These can be potentially very dangerous/embarrassing devices. Leave them on in your bedroom and the whole world could potentially be watching. Always assume your pc can be hijacked at any moment. It's software!

Posted by: Anonymous | October 21, 2008 6:51 AM | Report abuse


Posted by: liudieyu | October 21, 2008 7:48 AM | Report abuse

Flash 10 may patch PART of the Clickjacking flaw, but apparently Adobe has left the ability to redirect to a new domain in Flash 10, leaving most of the hole wide open. See here:

Adobe Flash 10 does NOT stop malvertizement hijacking - Spyware Sucks

Posted by: Angus S-F | October 21, 2008 10:22 AM | Report abuse

I wish adobe would allow a downloadable installer for IE flash. When I'm setting up a new machine I like having all the programs I want on it ready to install without requiring internet access.

Posted by: Stern | October 21, 2008 10:25 AM | Report abuse

Why don't you just switch to Firefox and use the noscript add-on? Jeesh.

Posted by: Mike | October 21, 2008 10:42 AM | Report abuse

If you're having problems installing this update, you may need to uninstall Flash Player. See this Adobe support page:

As standard practice, I've used the uninstaller (download via link above) to remove existing versions before installing new ones. That way I'm sure any old versions are completely removed. It also seems to minimize any problems installing the latest version.

Posted by: TJ | October 21, 2008 12:23 PM | Report abuse

I agree with TJ that the safest way to deal with Flash is to first remove older versions. My CNET blog posting has the details.
Seven steps to update the Adobe Flash Player on Windows

Posted by: Michael Horowitz | October 21, 2008 9:16 PM | Report abuse

@ Stern:
>>I wish adobe would allow a downloadable installer for IE flash.

AFAIK, your wish is granted.

Posted by: Mark Odell | October 21, 2008 9:25 PM | Report abuse


While it may be the real thing, I didn't realize that Adobe has switched to filehippo for Flash distribution...

Posted by: Moike | October 22, 2008 7:51 AM | Report abuse

I don't see how this is a "flaw" - the browsers are operating exactly as designed, exactly as the W3C specs say. It is possible to put transparent layers anywhere. The Z axis can be hundreds of layers deep.

The fake layer can be a div on a hijacked site, not just an iframe. Iframes and divs can be transparent, or they can be hidden and made to appear on the onmousedown event, which precedes onclick. The mouse x,y location can be read, and the hidden div or iframe repositioned under the mouse pointer.

Other than eliminating javascript, I don't know how to stop these tricks, which are old tricks, back to Netscape 4 and IE4 and the origin of layers and Z-index.

Posted by: tjallen | October 22, 2008 11:26 AM | Report abuse

Do you think the disclosure at 14.4 on the license agreement is a defensible explanation of Local Shared Objects? see

Posted by: Question for Brian | October 22, 2008 12:34 PM | Report abuse

Thanks for the link TJ.

Posted by: Patrick Huss | October 22, 2008 1:11 PM | Report abuse

@Ron -- What link are you referring to? The only link I see to the Player is at the bottom of the post.

Posted by: Bk | October 22, 2008 4:15 PM | Report abuse

As a workaround, you can also disable Flash in Internet Explorer. In I.E. 6 SP2 do this:
1. Go to the "Tools" menu,
2. select "Internet Options",
3. click on the "Programs" tab.
4. Click on the "Manage Add-Ons" button.
5. Locate the items labeled "Shockwave Flash Object" and "Shockwave ActiveX control", and change their status to Disabled.

You can also do the same thing to the Microsoft media player plug-ins (labeled "Windows Media Player", "Video_X_MS_WMV Moniker Class", "Video_X_MS_ASF Moniker Class")

Posted by: Ken L | October 22, 2008 7:01 PM | Report abuse
