File Under: Software & Tools

Flash Player 10 Solves Some, but not all ‘Clickjacking’ Attacks

FlashiconThe release of Flash Player 10 patched several security flaws that could used in “clickjacking” attacks — where an attacker uses an invisible overlay to hijack a web button or link. However, we’ve noticed a number of news outlets proclaiming that the Flash 10 update solves the clickjacking attack, but, sadly, that isn’t true.

Adobe’s John Dowdell posted a note on the subject and calls out PC World in particular, but numerous other write ups of Flash 10 suggested the same thing.

While Dowdell’s post is perhaps a tad overzealous in defending his employer, his basic point is true: clickjacking is a browser flaw, not a Flash flaw, not a Silverlight flaw and not an Ajax flaw.

Of course the Flash 10 update does help stop one small portion of clickjacking. Dowdell explains:

The changes in Player 10 just prevent the browser’s existing and unpatched clickjacking flaws from affecting the Flash cam/mic dialog… it’s something like Player calling out beyond the browser to the operating system to make sure Flash’s pixels are actually displayed, and the browser isn’t letting something else slide in on top to hide the dialog.

The problem is that similar attacks can be mounted using JavaScript with iFrame content and myriad of other means.

So yes, the Flash Player 10 update will help protect you against one form of clickjacking, but to proclaim that it patches “a critical security bug that could make the internet a dangerous place for web surfers,” as PC World did is worse than a disservice to readers, it’s just plain untrue.

The fact is clickjacking is a very serious flaw and no one has come up with complete solution (though the latest version of the Firefox add-on NoScript handles about 99 percent of the known cases). At the moment clickjacking isn’t widely exploited in the wild, but don’t expect that to last. It’s an easy attack to implement and very hard to stop, which is a recipe for disaster.

The unfortunate fact of the matter is, despite some attempts at reassuring headlines, the internet will likely always be a dangerous place for web surfers. By the time a solution for clickjacking emerges a new threat will come to light. The larger answer to the problem is to make sure users are informed, know about potential risks and minimize their exposure..

See Also: