Adobe's Flash Player 10 upgrade addresses clickjacking

Share this article:

Adobe on Wednesday announced the release of Flash Player version 10, which addresses the clickjacking security vulnerabilities that could give an attacker access to a user's webcam and microphone.

In a security bulletin, Adobe said that all users of Flash Player version 9.0.124.0 and earlier should upgrade to version 10. Users can upgrade by running the auto-update in the program when prompted, or visit Adobe's Player Download Center.

“Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog,” Adobe said in its security advisory. “This update helps prevent a clickjacking attack on a Flash Player user's camera and microphone.”

The update also addresses other security issues. It prevents privilege escalation attacks against web servers hosting Flash content and cross-domain policy files, fixes a potential port-scanning issue and prevents potential attacks to the clipboard API, Adobe said in its security advisory.

"We recommend all users upgrade to Adobe Flash Player 10 in order to mitigate the potential issues as outlined in the Oct. 15 Security Bulletin," Brad Arkin, director, Product Security and Privacy at Adobe, told SCMagazineUS.com Thursday in an email.

Customers who cannot upgrade immediately due to IT restrictions or other reasons can change their settings to mitigate the potential for falling victim to clickjacking exploits. The workaround is outlined in an older Adobe security advisory. Arkin said there will also be a security update for Flash Player 9 available next month.

Jermiah Grossman, founder of WhiteHat Security and Robert Hansen, founder and CEO of SecTheory notified Adobe of the potential for clickjacking exploits against Flash Player last month. These two researchers had been researching clickjacking since the middle of the year.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.