Flash vulnerability exposed again: can be used to spy through the camera
Adobe is fixing a Flash-related vulnerability that can be exploited to secretly turn on a visitor's microphone and camera. Adobe expects to complete the repair work this week.
"The problem is in the Adobe Flash Player Settings Manager," Adobe spokeswoman Wiebke Lips said. "The engineers are stepping up work on a fix that does not involve or require a manual product update; it can be fixed directly online on the server side. Release will follow immediately once QA work is completed."
The vulnerability was found by Stanford University computer science student Aboukhadijeh, who published it in a blog post yesterday together with a video clip. The attack uses a click-hijacking technique called "clickjacking": it hides the Flash SWF file of the Settings Manager page in an iframe, which bypasses the framebusting JS code. (Text / Open Source China)
This kind of exploit first appeared in 2008. An early report from ZDNet:
Security experts recently warned that a newly discovered cross-browser vulnerability will lead to very serious security problems that could affect all the major desktop platforms, including IE, Firefox, Safari, Opera and Adobe Flash. The threat, called clickjacking, was supposed to be announced at the OWASP NYC AppSec 2008 conference, but vendors, Adobe among them, asked that the flaw not be disclosed for the time being, until they have developed a security patch.
The vulnerability was discovered by two security researchers, Robert Hansen and Jeremiah Grossman, who released a small amount of information to show the seriousness of the threat.
What exactly is clickjacking?
The two researchers said that what they found is not a small problem; in fact it is very serious, and they need to act responsibly before disclosing the information. The problems are chained together, one linked to the next. At least two companies have committed to providing a patch, but no date has been set. The researchers are discussing the issue with only a limited number of vendors, so the problem is serious.
According to people who attended the semi-public OWASP demonstration, the vulnerability is very urgent, affects all browsers, and has nothing to do with JavaScript:
In general, when you visit a malicious website, an attacker can control which links your browser visits. This flaw affects almost all browsers, unless you use a text-based browser such as lynx. The vulnerability has nothing to do with JavaScript, so turning off JavaScript in your browser does not help. In fact, it is a defect in the way browsers work and cannot be resolved by a simple patch. It allows a malicious website to make you click, without your knowledge, on any link, any button or anything else on a website.
If that does not alarm you, consider this situation, in which the user is unaware of the attack and can do nothing about it:
Take eBay, for example: because JavaScript can be embedded there, the attack becomes easier, although the attack does not require JavaScript. Only a text-based browser such as lynx protects you, and then you must do without anything dynamic. The vulnerability makes use of DHTML. Anti-framing code can protect you from the cross-site attack, but an attacker can still force you to click any link. Any click you make can be directed to a malicious link, so Flash games will bear the brunt.
According to Hansen, they have discussed the problem with Microsoft and Mozilla, but both said that this is a very difficult problem with no simple solution.
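The Settings Manager bypass and the remark about anti-framing code both come down to one point: framebusting script in an HTML page does nothing when a sub-resource such as the SWF is framed directly. The following added example (not from the article, the researchers or Adobe) audits responses for header-based anti-framing instead. It assumes the standard `X-Frame-Options` and CSP `frame-ancestors` response headers, which the article does not mention, and uses constructed URLs and headers.

```javascript
// Classify one response's anti-framing policy from its headers.
// Returns "deny", "sameorigin", "allowlist" or "none".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Where CSP frame-ancestors is present, browsers use it instead of X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    const s = sources.map((x) => x.toLowerCase());
    if (s.length === 0) return "deny"; // empty source list matches no ancestor
    if (s.length === 1 && s[0] === "'none'") return "deny";
    if (s.length === 1 && s[0] === "'self'") return "sameorigin";
    if (s.includes("*")) return "none"; // any site may frame the response
    return "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "deny";
  if (xfo === "sameorigin") return "sameorigin";
  return "none"; // header missing, invalid, or the obsolete ALLOW-FROM form
}

// Every response a browser can render in a frame needs its own policy;
// return the URLs that any site could still frame.
function auditFramable(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === "none")
    .map((r) => r.url);
}

// Constructed sample (hypothetical host and paths): the settings page is
// protected, but the SWF it embeds is served without any anti-framing header.
const SAMPLE = [
  { url: "https://settings.example/manager.html",
    headers: { "Content-Type": "text/html", "X-Frame-Options": "DENY" } },
  { url: "https://settings.example/manager.swf",
    headers: { "Content-Type": "application/x-shockwave-flash" } },
  { url: "https://settings.example/help.html",
    headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" } },
  { url: "https://settings.example/legacy.html",
    headers: { "X-Frame-Options": "ALLOW-FROM https://partner.example" } },
];

console.log(auditFramable(SAMPLE));
```

The audit flags the SWF and the page relying on `ALLOW-FROM`, while the two HTML pages with a valid policy pass.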