A serious Flash Player vulnerability was exposed Thursday by online security experts. The clickjacking vulnerability lets hackers see and hear into your home through your webcam and microphone with only a single victim-initiated click.
The vulnerability affects all browsers with Flash Player installed, approximately 99% of browsers (that means you). Adobe has responded with the following instructions, which turn off all webcam and mic access from the internet:
- Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
- Select the “Always deny” button.
- Select ‘Confirm’ in the resulting dialog.
- Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.
Jeremiah Greene and Robert Hanson from White Hat Security found the exploit over a month ago and were prepared to present the information at an OWASP conference. Adobe caught wind of the vulnerability and delayed the presentation to give its developers a chance to patch the bug. Now, Greene and Hanson have gone public with the information.
A video demonstration of the attack can be found on Greene’s blog and below.
‘Clickjacking’ is a newly discovered threat which invisibly places poisonous links under your mouse. When you click anywhere on the infected web page, the invisible link is activated. Unsuspecting users could then unknowingly install viruses or malware, thinking they clicked on a legitimate link instead.