Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Adobe has squashed the second iteration of an attack that exploits Adobe Flash to allow remote attackers to spy through Apple web cams and microphones.
The three-year old click-jacking attack was revived by a Standard University student after it was first fixed by Adobe.
It worked by placing Adobe’s setting manager swf file into an iframe which was then set to transparent.
Users would then be presented with a simple computer game overlaying the settings which led users to click buttons that activated their web cams and microphone and permitted access to attacker-defined websites.
The first attack of this type was unveiled in October 2008 by researchers Jeremiah Grossman and Robert Hansen. It differed to the latter attack in that it hid the settings manager behind an iframe that spanned the entire web page.
Adobe rapidly busted that attack with a JavaScript update that prevented the injection of the large iframe.
The attack, dubbed by Grossman and Hansen as “the wet dream of every private eye and peeping tom”, was revived after developer Feross Aboukhadijeh successfully bypassed the update by cutting down the size of the iframe.
He placed only Adobe’s settings manager swf file into an iframe which was undetected by the first update.
Adobe has now modified the swf settings manger to prevent transparency.
While Adobe received applause from the attack’s creator for its quick response, Aboukhadijeh claimed the software giant for weeks ignored his work-around disclosure from Stanford University Labs.
“It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he said prior to the patch.
He warned the attack could have theoretically affected all operating systems, although it was demonstrated only on FireFox and Safari. Google Chrome was unaffected due to suspected css bugs that did not permit opacity to be changed.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.