
Adobe To Fix Flash-Related Webcam Spy Hole



Adobe Systems is working on a fix for a Flash-related vulnerability that could be used by Web sites to surreptitiously turn on a visitor's microphone or Webcam.


The problem is in the Flash Player Settings Manager on Adobe's servers and not with software on customer computers, Adobe spokeswoman Wiebke Lips told CNET today.


"Engineering is currently working on a fix," she said in an e-mail. "Note that this issue does not involve/require a product update and/or customer action. (In other words, there will not be a security bulletin.) It's a fix we are making on our end online, and it is going to be pushed live as soon as QA [quality assurance] has completed their testing."


The vulnerability could be fixed by the end of the week, she said.


The problem was brought to light by Feross Aboukhadijeh, a Stanford University computer science student, in a blog post yesterday that includes a live demo. The attack uses a technique that has become popular on sites like Facebook and Twitter called "clickjacking." Clickjacking involves hiding code in order to trick people, so that when they click on an area of the page they think they are doing something innocuous--like indicating they "like" a Facebook post, for instance--when the click actually results in something else happening, such as reposting an update.


In this case, someone could click on a series of buttons, ostensibly as part of a game, and instead have turned on the camera or microphone without knowing it.


For the attack, Aboukhadijeh hid the Flash Settings Manager SWF file behind an iFrame on the page, which let him bypass the framebusting JavaScript code, he said.


"I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it--let alone a .SWF file as important as one that controls access to your webcam and mic!" he wrote.


"Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off," he notes. "I'm not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don't have to find out."


A similar problem arose in 2008, but that issue required Adobe to update its Flash Player software on customer computers to fix, Lips said.


Aboukhadijeh said he reported the problem to Adobe a few weeks ago. But his e-mail was sent to an employee who was on sabbatical and not to the Adobe Product Security Incident Response Team, so Adobe didn't know about the issue until his blog post came out, according to Lips.


"Adobe has to get on this one QUICK," said Jeremiah Grossman, chief technology officer at WhiteHat Security, who has been warning about the dangers of clickjacking for several years. "Everyone should make sure they have the Post-IT note defense fully deployed," he wrote in an e-mail, referring to the technique of covering the Web camera lens with a scrap of paper.


Updated Thursday, October 20, 2011, at 3:00 p.m.: Adobe says that it has fixed the problem with a change to the Flash Player Settings Manager SWF file hosted on the Adobe Web site. Users will not have to download an update to their Flash Player.


By: Elinor Mills. CNET's Seth Rosenblatt contributed to this report.


Originally posted at InSecurity Complex
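
The article above says that framing the SWF file directly bypassed the framebusting JavaScript; a script-based defence only runs inside the HTML document that contains it, whereas response headers travel with every response. The following is an added example, not code from the article or from Adobe and not a description of Adobe's fix: it audits constructed responses for the `X-Frame-Options` and CSP `frame-ancestors` headers. The host `settings.example`, the paths and the function names are hypothetical.

```javascript
// Added example. Host sources are compared as exact origins only;
// wildcard hosts and scheme-only sources are not expanded.
function parseFrameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when absent.
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function framableBy(headers, resourceOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const embedder = embedderOrigin.toLowerCase();
  const sameOrigin = resourceOrigin.toLowerCase() === embedder;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are sent.
    return ancestors.some((s) => s === "*" || s === embedder || (s === "'self'" && sameOrigin));
  }
  const xfo = String(h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin;
  return true; // no framing header: any origin may embed this response
}

// Constructed sample responses; host and paths are hypothetical.
const ORIGIN = "https://settings.example";
const SWF = "application/x-shockwave-flash";
const responses = [
  // HTML page whose only protection is in-page framebusting script.
  { url: ORIGIN + "/manager.html", headers: { "Content-Type": "text/html" } },
  // The SWF requested directly: no script runs, no header protects it.
  { url: ORIGIN + "/manager.swf", headers: { "Content-Type": SWF } },
  { url: ORIGIN + "/deny.swf", headers: { "Content-Type": SWF, "X-Frame-Options": "DENY" } },
  { url: ORIGIN + "/csp.swf", headers: { "Content-Type": SWF,
      "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" } },
];

// URLs in `list` that a page on embedderOrigin could load in a frame.
function auditFramable(list, embedderOrigin) {
  return list
    .filter((r) => framableBy(r.headers, new URL(r.url).origin, embedderOrigin))
    .map((r) => r.url);
}
console.log(auditFramable(responses, "https://game.example"));
```

Run against the sample set, the audit reports both the HTML page and the directly requested SWF as framable by a third-party origin, while the two responses carrying a framing header are not.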




  • 2 months later...

Ok, I'm a little confused here. Are you talking about an Adobe product or Immunet Plus? If you're referring to an Adobe software product you will have to contact that vendor for help. If, on the other hand, you're referring to Immunet Plus your thread would have been better placed in the Issues/Defects section of the forum. That said, you could send an email to support@immunet.com and tell them that your Activation Key is not working. In all likelihood they can fix that on their end or they could send you another Activation Key to try. Best wishes, ritchie58...



This topic is now archived and is closed to further replies.
