New Flash Click Jacking Exploit
Last Updated: 2011-10-21 02:03:13 UTC
by Johannes Ullrich (Version: 1)
Feross Aboukhadijeh posted a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the clients camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel.
Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, adobe modified the control page and applet that users load from Adobe's servers.
Details from Adobe: http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html
Johannes B. Ullrich, Ph.D.
SANS Technology Institute