
Security advisory

Flash Player workaround available for "Clickjacking" issue

Release date: October 7, 2008

Vulnerability identifier: APSA08-08

Platform: All Platforms

Summary

Adobe is aware of recently published reports of a "Clickjacking" issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. It has been determined that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe recommends customers upgrade to the newest version 10.0.12.36. More information can be found in Security Bulletin APSB08-18.

For Flash Player 9 customers who cannot upgrade to Flash Player 10, Adobe is working to address this issue in an upcoming update to Flash Player 9, scheduled for early November.

Affected Software: Adobe Flash Player 9.0.124.0 and earlier

Solution

Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. More information can be found in Security Bulletin APSB08-18. Adobe will be providing an update to Flash Player 9 for customers who cannot upgrade to Flash Player 10 by early November. In the meantime, Adobe advises Flash Player 9 customers and IT Administrators to apply the workaround described below.

Flash Player 9 Customers:

To prevent this potential issue, customers can change their Flash Player settings as follows:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the "Always deny" button.
  3. Select "Confirm" in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

IT Administrators who cannot upgrade to Flash Player 10:

IT Administrators can change the AVHardwareDisable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. For more information on the mms.cfg file and AVHardwareDisable, please refer to page 57 of the Adobe Flash Player Administration Guide: http://www.adobe.com/devnet-archive/flashplayer/articles/flash_player_admin_guide/flash_player_admin_guide.pdf#page=57.
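The mms.cfg change above is a one-line edit, but on a fleet it is usually scripted. The POSIX shell script below is an added example written for this page, not Adobe's tooling: it rewrites the AVHardwareDisable key in an mms.cfg (replacing any existing value, including a "0", and adding the key if it is missing) and reads it back so the change can be verified. The per-platform default paths in default_mms_path are the ones I believe the Administration Guide documents for Mac OS and Linux; verify them against the guide before deploying. Windows administrators apply the same edit to the mms.cfg under the Macromed\Flash system directory with their own tooling.

```shell
#!/bin/sh
# Added example: force AVHardwareDisable=1 in a Flash Player 9 mms.cfg.
# Assumption: the default paths below match the Administration Guide;
# pass an explicit FILE if your deployment stores mms.cfg elsewhere.
set -eu

# default_mms_path: best-effort location of the machine-wide mms.cfg.
# Prints nothing on platforms this script does not know about.
default_mms_path() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' "/Library/Application Support/Macromedia/mms.cfg" ;;
        Linux)  printf '%s\n' "/etc/adobe/mms.cfg" ;;
        *)      printf '%s\n' "" ;;
    esac
}

# get_mms_option FILE KEY
# Prints the last value set for KEY (case-insensitive, tolerant of
# surrounding whitespace and CRLF line endings), or nothing if unset.
get_mms_option() {
    file=$1; key=$2
    [ -f "$file" ] || return 0
    grep -i "^[[:space:]]*${key}[[:space:]]*=" "$file" \
        | tail -n 1 | cut -d= -f2- | tr -d ' \t\r'
}

# set_mms_option FILE KEY VALUE
# Removes every existing KEY= line and appends KEY=VALUE, so a stale
# "AVHardwareDisable=0" cannot survive alongside the new setting.
set_mms_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        grep -iv "^[[:space:]]*${key}[[:space:]]*=" "$file" > "$tmp" || true
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# disable_av_hardware [FILE]
# Applies the workaround from this advisory and returns 0 only if the
# file now reads back AVHardwareDisable=1.
disable_av_hardware() {
    file=${1:-$(default_mms_path)}
    if [ -z "$file" ]; then
        echo "no default mms.cfg path for $(uname -s); pass the path explicitly" >&2
        return 1
    fi
    set_mms_option "$file" AVHardwareDisable 1
    [ "$(get_mms_option "$file" AVHardwareDisable)" = "1" ]
}

# Usage: ./mms_av_disable.sh --apply [FILE]   (needs write access to FILE)
if [ "${1:-}" = "--apply" ]; then
    disable_av_hardware "${2:-}"
    echo "AVHardwareDisable=1 written to ${2:-$(default_mms_path)}"
fi
```

Running it with `--apply` and no file edits the machine-wide mms.cfg, which normally requires root; for a management system, point it at the file the system deploys. The read-back at the end of disable_av_hardware is the check to keep: a client whose mms.cfg still says AVHardwareDisable=0 has not received the workaround.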

Severity Rating

Adobe categorizes this as a critical issue.

Acknowledgments

Adobe would like to thank Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu Die Yu of TopsecTianRongXin for reporting this vulnerability and for working with us to help protect our customers' security.

Revisions

October 15, 2008 - Advisory updated with information on Security Bulletin APSB08-18
October 7, 2008 - Advisory first created