Hmm, ok, so clickjacking via Flash is actually the web browsers' and the web sites' fault?
Well, that's according to an Adobe employee.
JD's rationalizations bring to mind the disagreements that occurred back in July 2007 when there was a sometimes heated debate going on about whether IE and Firefox were at fault for "passing bad data" to third party applications, or if the third party applications were at fault for *accepting* the bad data (summary here). I still agree, with regards to that debate, with the stance that "it should not be IE (or Firefox's) responsibility as CALLER, nor is it realistic or practical, for a CALLER application to validate the data that it passes on to whatever application happens to be CALLED at any particular point in time. On the contrary, it is the responsibility of the CALLED application to verify the data that it is accepting."
Now, you know me, I was the person who called Adobe Flash "The Typhoid Mary of the Internet", because Flash has an inbuilt functionality that has been, and continues to be, abused by the criminals who create SWF malvertizements **and there is no way for the end user to turn off the Flash functionality that allows browser-hijacking via SWF creatives to occur**. The only option the end user has is to block/uninstall Flash.
It's all well and good for JD to say that "Today's browsers cannot guarantee click integrity. They are all broken and insecure" and "'Web 2.0' mashups and third-party content are not properly vetting the instructions they are asking your website to republish", but the reality is that Flash is a product that grants an end user only a VERY LIMITED ability to control what Flash can or cannot do. What's the use of reminding us that there is danger out there when there is no way for us to manage the risk if we want to have Flash on our computers?
What controls do we have? This is pretty much it - note that in all the years that I have been using Flash, and testing who knows how many hundreds of malvertizements, compromised web sites and whatnot, I have *never* seen one of the small "allow/deny" prompts at the bottom of this article - not once.
It seems to me that for as long as Adobe Flash is going to give us only a very limited ability to stop the bad guys from mis-using their product, well, then the bar is raised much higher with regards to expecting Adobe Flash to do the protecting. So yes, Adobe needs to take equal, if not more, blame for the clickjacking problem.
I acknowledge that Adobe are addressing the problem of clickjacking and have offered a workaround.
I also acknowledge that Adobe will be addressing the problem of clipboard hijacking in the next version of Flash.
I acknowledge that there are/will be security improvements that have been mentioned on this blog, and which *may* have a negative impact on the ability of criminals to use SWF based malvertizements to hijack victims and redirect them to fraudware sites, but the jury is still out with regards to how effective the changes will be. Be that as it may, an SWF creative should not have the ability to redirect a user's web browser to another web site **without user interaction or permission** in the first place - especially when the end user has no way to control that behavior.
We are fighting a constant battle of one-upmanship. The bad guys design a malicious SWF creative - we work out how to detect it - they change the way they do things and become undetectable, if only for a short time - and we react and work out how to detect it again - and so on and so forth ad infinitum. To claim that "Web 2.0 mashups and third-party content are not properly vetting the instructions they are asking your website to republish" fails to acknowledge that it is NOT easy to detect the bad guys and malicious behaviour. The web sites affected are not, for the most part, complicit or even careless (except for a very small minority of sites that seem to refuse to heed the lessons learned from past hijacks and continue to be tricked into accepting dangerous creatives).
It is a constant battle, and we would *really* appreciate it if Adobe would give us a way to fight back - give us some sort of "off button" for the functionality that is being abused - please!!