Adobe Flash Patch Addresses 'ClickJacking' Flaw
Adobe last week issued a critical update for its Flash multimedia player, including a fix for a dangerous class of vulnerabilities that gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.
The Flash patch addresses at least five security vulnerabilities, including two flaws that allow what's being called "clickjacking," a vulnerability present in Flash as well as multiple Web browsers that could allow an attacker to lure a user into unknowingly clicking on a link or dialog box, even if that link or box were located on another Web page.
Clickjacking uses a technology known as "iFrames" to invisibly load content from a separate Web page within the context of the page the user is viewing. Using a specially crafted iFrame, a malicious site could load an invisible image that contains a URL from another page and overlay it transparently on top of a link or button that the user wants to click. In this context, a user may believe they are clicking on a trusted link, but instead be taken to a malicious site.
Robert "RSnake" Hansen, founder and chief executive of SecTheory LLC, who co-discovered the attack along with Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., said the vulnerability is present in all of the major browsers, including Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (all versions), Mozilla Firefox, and Opera. But he said the flaw is especially dangerous when used in combination with Adobe Flash, as Flash can easily be made to interact with any microphone or Web cam connected to the user's machine, potentially enabling attackers to spy on a victim through those devices.
"Most Web users understand the idea of an X and Y axis on the screen: They understand what's above, below and to the side of the browser window, but most users have no context for understanding the Z (vertical) dimension of the browser," Hansen said. "When something is in front of or behind the browser, there's no easy way for the user to identify what's going on there. If I put a link on a page that I want you to think you want to click on, I can hover an iFrame directly over top that the user can't see, so that the thing I want you to click on is evil, while the thing you want to click on is benign."
The attack works best against sites at which the user has already logged in, Hansen said. Many of these sites keep their links and buttons in the same place regardless of which Web browser the visitor is using, so attackers need only place the invisible iFrame at a single set of coordinates over top of the link or button they are targeting.
Clickjacking also relies on the attacker knowing the exact URL or Web address of the hidden link loaded by the iFrame. If the location of the button on the legitimate site changes randomly, or the link needed to load the desired action on the legitimate page changes with each session, the clickjacking attack fails, Hansen said. For example, many Web sites use dynamic URLs or "session IDs" once a customer presents her credentials to a site to log in. In such a scenario, the attackers would have no way of knowing what URL to load into the malicious iFrame ahead of time.
Grossman earlier this month posted a video that demonstrates how this attack could be used to spy on a victim through her computer's Web cam and microphone. At a security conference in Santa Fe this past week, Hansen showed me a similar but slightly more disturbing video that shows off just how powerful this attack can be.
Hansen said the "NoScript" add-on for Firefox will block close to all of these clickjacking attacks, but that other browser makers have acknowledged the problem as one that is not trivial to fix.
Giorgio Maone, the maker of NoScript, has a great primer on steps that IE, Opera and Safari users can take to help mitigate the threat from clickjacking attacks. That said, I am not aware of any active, malicious clickjacking attacks. I mention that not to belittle the threat from clickjacking, but as a reality check, as none of these suggestions will totally block clickjacking on these browsers. What's more, as Maone notes, the protection you get from his tips comes with big or enormous usability costs (depending on the browser), as a great many Web sites will simply fail to load correctly as a result.
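The browser-side protections above are the user's half of the defense; the site being framed can also refuse to render inside someone else's page. The following is an added example, not code from the article, from NoScript or from Adobe: a frame-busting check that detects the cross-origin iFrame described above and blanks the page so the overlay has nothing to land on. The `fakeWindow` and `fakeDocument` stand-ins are constructed here so the logic runs outside a browser; on a live page you would pass the real `window` and `document`.

```javascript
// Site-side frame-busting check (added example; not from the article or NoScript).
// Pure functions over a window-like object, so the logic also runs outside a browser.

function originOf(href) {
  return new URL(href).origin;            // e.g. "https://bank.example"
}

// Returns 'top' when the page is not framed, 'same-origin' when framed by a page
// of its own origin, and 'cross-origin' when framed by another site, which is the
// situation a clickjacking page creates with its transparent iFrame.
function framingState(win) {
  if (win.top === win.self) return 'top';
  try {
    // Browsers throw a SecurityError when a frame reads top.location across origins,
    // so an exception here is itself evidence of cross-origin framing.
    const topOrigin = originOf(win.top.location.href);
    return topOrigin === originOf(win.location.href) ? 'same-origin' : 'cross-origin';
  } catch (e) {
    return 'cross-origin';
  }
}

// Defensive pattern: ship the page with <style>body{display:none}</style> so it is
// blank by default and only reveal it when the check passes. If script is blocked,
// the framed copy stays blank instead of being clickable under an overlay.
function protectPage(win, doc) {
  if (framingState(win) === 'cross-origin') {
    doc.body.style.display = 'none';      // leave the decoy nothing to click on
    return false;
  }
  doc.body.style.display = '';
  return true;
}

// Constructed window/document stand-ins for running this outside a browser.
function fakeWindow(href, topHref) {
  const win = { location: { href } };
  win.self = win;
  if (topHref === undefined) { win.top = win; return win; }
  win.top = { location: {} };
  // Mimic the browser: reading top.location.href across origins throws.
  Object.defineProperty(win.top.location, 'href', {
    get() {
      if (originOf(topHref) !== originOf(href)) throw new Error('SecurityError');
      return topHref;
    },
  });
  return win;
}
function fakeDocument() { return { body: { style: { display: 'none' } } }; }
```

This check runs in the framed page itself, so it only helps sites that deploy it; it does not protect users on sites that have not.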
The Adobe update, Flash version 10.0.12.36, can be downloaded from this link. You can always verify what version of Flash you are running by visiting this page. Depending on your setup, the Flash update may need to be applied to each browser separately. Windows users who have Firefox and Opera on the same machine can patch both browsers simultaneously by visiting the Adobe Flash update page with either browser. Likewise, the new Flash patch for Mac OS X users will update Firefox, Opera and Safari in one go.
Windows users will also want to visit the Flash update page with IE to update that browser as well. To get the update for IE, visit the Flash updater page, click "Agree and Install Now," then approve the installation of an ActiveX control, and then hit "Run" at the next prompt.
October 20, 2008; 5:00 PM ET