The new Flash Player 10 prevents clickjacking and clipboard attacks

Oct 17, 2008 09:31 GMT

Adobe has released Flash Player 10, an update that fixes several security problems, including clipboard poisoning and the UI redressing attack that hijacks computer webcams and microphones. Other security improvements include prevention of cross-domain privilege escalation attacks, port scanning, and unauthorized downloads and uploads.

The clipboard hijacking attacks started to spread panic several months ago, when reports from users whose clipboards had been poisoned with strange, persistent links flowed in at an alarming rate on tech support forums and websites. Even more strangely, users reported experiencing the problem after visiting popular websites like MSNBC, Newsweek or Digg.

The links pointed to malware-spreading websites and persisted in the clipboard, which meant that users could propagate them unintentionally by pasting them along with any legitimate chunk of text in e-mails, blog comments, forum posts, etc. At first, it was believed that only Windows users were affected, but soon enough people running Linux and MacOS started reporting it, too. After some digging, infected advertisements served through Flash were found responsible, which made this a Flash problem.

The Adobe PSIRT team released a statement soon after, informing everyone that they were aware of the issue and that a solution was being devised. This solution was eventually included in the new Flash Player 10 update. Trevor McCauley, Quality Engineer at Adobe, explained the more technical details of the fix in an article addressed to Flash developers. “The System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction,” he writes, and later adds that “setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user”.

Another serious security issue addressed in this update is the clickjacking, or UI redressing, technique that allows attackers to hijack the webcam and microphone through the Flash Player Settings Manager. Clickjacking is a generic type of attack in which an invisible button or link is placed under the user's mouse pointer on a Web page, so that a click on an item that appears safe is hijacked.

Security researchers Jeremiah Grossman and Robert Hansen are credited with the discovery of the clickjacking-based attack that involves the Flash Player Settings Manager. Although they did their best to keep it secret from the general public and allow Adobe to issue a fix, someone else successfully created and released a PoC exploit. This took Adobe by surprise and forced them to issue an advisory that included a temporary workaround.

This issue is prevented in Flash Player 10 because the use of the camera and microphone is no longer allowed under certain conditions that are required by the attack. However, Adobe also plans to provide customers who, for various reasons, can't upgrade to version 10 with an update for Flash Player 9 that includes these security fixes. This update is scheduled to be released in early November.

Users should be aware that while this Flash Player-based clickjacking attack has been prevented, this does not put an end to all clickjacking attacks. Clickjacking is a generic class of attacks based on several techniques that can be combined with several web technologies or other types of web-based attacks in order to increase their success rate. The fundamental UI redress problem needs to be fixed at the browser level, and this is likely to happen in small steps and over time.