Adobe Systems Inc. warned users Tuesday that hackers could use recently reported “clickjacking” attack tactics to secretly turn on a computer’s microphone and Web camera.
Flash on all platforms is susceptible to clickjacking attacks, Adobe said in an advisory posted Tuesday.
By duping users into visiting a malicious Web site, hackers could hijack seemingly innocent clicks that, in reality, would be used to grant the site access to the computer’s webcam and microphone without the user’s knowledge.
“This potential ‘clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog,” acknowledged David Lenoe, the company’s security program manager, in a post to Adobe’s security blog.
Although a patch is not ready – Lenoe said one would be issued by the end of October – listed steps users can take immediately to block webcam and microphone hijacking.
Adobe recommended that users access Flash’s Settings Manager using a browser to select the “Always deny” option.
Adobe rated the vulnerability as “critical,” its highest threat ranking.
The Adobe advisory on the Clickjacking issue provided separate “workarounds” for customers and IT admins.
To pre-empt this potential problem, customers were advised to change their Flash Player settings as follows:
- Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
- Select the “Always deny” button.
- Select ‘Confirm’ in the resulting dialog.
“You will no longer be asked to allow or deny camera and / or microphone access after changing this setting,” the advisory noted. It directed customers who wished to selectively allow access to certain sites to do that via the Web site Privacy Settings panel of the Settings
Manager at the following URL:
http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.
IT Administrators are able to change the AVHardwareDisable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions.
Adobe said it is working to address the issue in an upcoming Flash Player update, scheduled for release before the end of October. Further details will be published on the Adobe Security Bulletin page at http://www.adobe.com/support/security.
According to Robert Hansen, one of the two security researchers who first raised the warning about clickjacking last month, Adobe will patch the bug in Flash 10, which already has been pegged for other fixes, including a flaw that’s been used by attackers for over a month to poison clipboards with URLs to malicious sites.
When issuing his warning last month Hansen had noted that “clickjacking” puts users of every major browser at risk from attack.
But he said Macs are particularly vulnerable to a Flash clickjacking attack, as all recent Apple notebooks and desktop systems include built-in cameras and microphones.
At the time, details of the six different types of flaws were sketchy, because the researchers deliberately kept their information confidential.
Although the clickjacking problem has been associated with browsers — users of Internet Explorer, Firefox, Safari, Opera, Google Chrome and others are all vulnerable to the attack – the problem is actually much deeper, said Hansen, who is founder and chief executive of SecTheory LLC.
He called clickjacking similar to cross-site request forgery, a known type of vulnerability and attack that sometimes goes by CSRF or “sidejacking.” But clickjacking is different enough that the current anti-CSRF security provisions built into browsers, sites and Web applications are worthless.
“At a high level, almost everyone is affected by it,” Hansen said. “The problem is that a lot of people who spent a lot of time defending [against cross-site request forgery] didn’t see this coming. This works completely differently, and has much wider-reaching issues. [Attackers] can get users to click a button [in clickjacking] where they may not be able to get them to click a button in JavaScript.”
Hansen’s research partner, Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., explained how attackers could exploit clickjacking vulnerabilities.
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said.
“Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
Hansen seconded Grossman’s example with one of his own. “Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site.
[The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”
Hackers would not need to compromise a legitimate site in order to conduct a clickjacking attack underneath it, Hansen added.
There are several possible solutions to the clickjacking problem, but only one makes sense. “The only people who can fix this in a scalable way are the browser vendors,” Hansen said.
He and Grossman have been in contact with Microsoft Corp., Mozilla Corp. and Apple Inc., the makers of Internet Explorer, Firefox and Safari, respectively. Together those companies’ programs account for more than 98 per cent of all browsers used last month, according to data from Net Applications Inc.
It’s not clear how serious the browser makers have taken the warnings by Hansen and Grossman, however, or how soon they will update their applications. “All are working on solutions,” said Hansen. “But no one said that they were necessarily putting something in the next version.”
For the moment, the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 per cent at this point.”
In the next breath, however, he called the Firefox-NoScript solution a stop-gap fix suitable only for technical users. “If my Mom was using NoScript, I’d be taking all kinds of technical support calls,” he said. “It’s not the right solution.”
In the meantime, people shouldn’t panic. “Truthfully, there’s a very small number of companies that can do something about this,” he said.
Hansen and Grossman plan to release virtually all of their research, including proof-of-concept code, when Adobe Systems Inc. wraps up a patch. Last week, the two promised Adobe that they would withhold most of their information after showing the vendor attack code that exploited a bug in its software.
On Friday, Hansen declined to confirm that the affected Adobe software was Flash, the ubiquitous multimedia content player that most users run as plug-in to their browser.