Spyware Sucks

"There is no magic fairy dust protecting Macs" - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.

"The Biblical wisdom “pride comes before a fall” needs to be foremost in the minds of security professionals. There are several aspects to this truth, but it starts with believing it is true. For one, the bad guys are always getting better and trying to get in. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and when you are “done". What worked today may not work tomorrow. In this light, be careful about the promises you make to others regarding security and the protections you are deploying." - Dan Lohrmann

Adobe has posted a security advisory regarding the "clickjacking" problem

The Advisory is here:
http://www.adobe.com/support/security/advisories/apsa08-08.html

I quote:

"Customers:
To prevent this potential issue, customers can change their Flash Player settings as follows:
   1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
   2. Select the "Always deny" button.
   3. Select ‘Confirm’ in the resulting dialog.
   4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html."

Published Wed, Oct 8 2008 11:13 by sandi

Filed under: Technology

Comments

# re: Adobe has posted a security advisory regarding the "clickjacking" problem

Thursday, October 09, 2008 5:48 PM by Mark Odell

> 4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting.

I don't understand -- how does disabling client Flash Player camera and microphone interactions mitigate a _clickjacking_ problem (unless this setting controls more than it lets on to)? Have you seen any explanation from Adobe, or a POC that this workaround causes to fail?

And, I still find the "necessity" to visit Adobe's site to change Flash Player settings to be _highly_ suspicious. I haven't seen any explanation for that, either.

# re: Adobe has posted a security advisory regarding the "clickjacking" problem

Thursday, October 09, 2008 6:36 PM by Mark Odell

> a POC that this workaround causes to fail

Damn it, I _knew_ I should have checked /. before posting...

blog.guya.net/.../malicious-camera-spying-using-clickjacking

Spyware Sucks

This Blog

Syndication

Search

Tags

Community

Archives

News

Adobe has posted a security advisory regarding the "clickjacking" problem

Comments

# re: Adobe has posted a security advisory regarding the "clickjacking" problem

# re: Adobe has posted a security advisory regarding the "clickjacking" problem