October 7th, 2008

Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

Posted by Dancho Danchev @ 7:16 pm

Categories: Adobe, Arbitrary Code Execution, Botnets, Exploit code, Firefox, Flash, Java, Malware, Mozilla, Passwords, Patch Watch, Privacy, Web 2.0, Zero-day attacks

Tags: Security, Clickjacking, NoScript, ClearClick, Dancho Danchev

Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering solutions for customers and IT administrators on dealing with the flaw until it releases a Flash Player patch before the end of October.

“We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.”

And since prevention is better than the cure, at least in the short term, the just-released NoScript v1.8.2.1 aims to prove exactly that with its ClearClick feature:

“The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.”
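As an added illustration (not from the original post, and not NoScript's own code), the decision that description implies can be modelled as a check on the embedded element that receives the click: is it effectively transparent, or covered by something drawn above it? The element records, field names and the 0.9 opacity threshold are assumptions made for this example.

```javascript
// Added illustration: a simplified model of a ClearClick-style decision.
// Elements are constructed records, not a real DOM: rect {x,y,w,h}, own
// opacity, stacking order z, optional parent. Thresholds are assumptions.

// Opacity actually seen by the user: own opacity times every ancestor's.
function effectiveOpacity(el) {
  let o = 1;
  for (let e = el; e; e = e.parent) o *= e.opacity;
  return o;
}

// Area shared by two rectangles, 0 when they do not intersect.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

const inside = (r, p) =>
  p.x >= r.x && p.x < r.x + r.w && p.y >= r.y && p.y < r.y + r.h;

// Should a click at `point`, delivered to embedded element `target`, be held
// until the user has seen the target in the clear?
function assessClick(target, others, point, minOpacity = 0.9) {
  const reasons = [];
  if (!inside(target.rect, point)) return { hold: false, reasons };
  if (effectiveOpacity(target) < minOpacity) reasons.push("transparent");
  const covered = others.some(o =>
    o.z > target.z && effectiveOpacity(o) > 0 &&
    overlapArea(o.rect, target.rect) > 0);
  if (covered) reasons.push("obstructed");
  return { hold: reasons.length > 0, reasons };
}

// Constructed sample layouts.
const hiddenWrap = { opacity: 0, parent: null };
const invisibleFrame = { rect: { x: 0, y: 0, w: 200, h: 100 }, opacity: 1, z: 2, parent: hiddenWrap };
const plainFrame = { rect: { x: 0, y: 0, w: 200, h: 100 }, opacity: 1, z: 1, parent: null };
const decoy = { rect: { x: 0, y: 0, w: 200, h: 70 }, opacity: 1, z: 5, parent: null };
const click = { x: 150, y: 85 };

console.log(assessClick(invisibleFrame, [], click));  // frame hidden via its wrapper
console.log(assessClick(plainFrame, [decoy], click)); // visible frame, partly covered
console.log(assessClick(plainFrame, [], click));      // visible frame, nothing on top
```

The frame in the first layout has its own opacity set to 1 and is hidden only through its wrapper, which is why the check multiplies opacity up the ancestor chain instead of reading the element's own value.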

Click in the clear, and make sure you’re not susceptible to exploitation through last quarter’s security vulnerabilities.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.


Talkback (most recent of 9)

RE: Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
I get what you're reporting but just read this sentence from the first paragraph:

"Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advi...
Posted by: mikhey Posted on: 10/10/08 (Edited: 10/10/08 @ 11:53)