Adobe's Flash Player 10 upgrade addresses clickjacking

Share this article:

Adobe on Wednesday announced the release of Flash Player version 10, which addresses the clickjacking security vulnerabilities that could give an attacker access to a user's webcam and microphone.

In a security bulletin, Adobe said that all users of Flash Player version 9.0.124.0 and earlier should upgrade to version 10. Users can upgrade by running the auto-update in the program when prompted, or visit Adobe's Player Download Center.

“Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog,” Adobe said in its security advisory. “This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone.”

The update also addresses other security issues. It prevents privilege escalation attacks against web servers hosting Flash content and cross-domain policy files, fixes a potential port-scanning issue and prevents potential attacks to the clipboard API, Adobe said in its security advisory.

"We recommend all users upgrade to Adobe Flash Player 10 in order to mitigate the potential issues as outlined in the Oct. 15 Security Bulletin," Brad Arkin, director, Product Security and Privacy at Adobe, told SCMagazineUS.com Thursday in an email.

Customers who cannot upgrade immediately due to IT restrictions or other reasons can change their settings to mitigate the potential for falling victim to clickjacking exploits. The workaround is outlined in an older Adobe security advisory. Arkin said there will also be a security update for Flash Player 9 available next month.

Jermiah Grossman, founder of WhiteHat Security and Robert Hansen, founder and CEO of SecTheory notified Adobe of the potential for clickjacking exploits against Flash Player last month. These two researchers had been researching clickjacking since the middle of the year.

Share this article:

Sign up to our newsletters

More in News

Metro.us site compromised, serves malicious code

Researchers at Websense say visitors to Metro.us are sent to websites hosting the Rig Exploit Kit, used in the past to distribute CryptoWall.

DDoS attacks remain up, stronger in Q2, report says

DDoS attacks remain up, stronger in Q2, report ...

Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.

Superman soars above fellow superheroes as most toxic search term

A McAfee study found that searches pertaining to Superman exposed users to the most infected websites.