Adobe addresses Flash Player 'clickjacking' flaw

Flash Player 10 update addresses flaws enabling attackers to fool users into visiting malicious Web sites. It also helps prevent attacks on Webcams and microphones.

Tom Espiner Special to CNET News

Adobe Systems has addressed a security flaw in its Flash Player products that could lead to 'clickjacking' attacks.

Flash Player 10, released on Wednesday, includes a fix for the clickjacking vulnerability published by researchers Jeremiah Grossman and Robert Hansen earlier this month.

Clickjacking attacks take advantage of vulnerabilities in Adobe Flash Player and earlier, as well as vulnerabilities in browsers such as Internet Explorer, Opera, Firefox, and Safari. Exploitation of the flaws could allow an attacker to disguise Web site elements, such as dialog boxes and links, so that the user is fooled into visiting malicious Web sites.

"Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue," Adobe product security program manager David Lenoe wrote in a blog post Wednesday.

The Flash Player 10 update also helps prevent a clickjacking attack on a user's Webcam and microphone, according to an Adobe security advisory. This variant of the attack could allow eavesdropping.

The update contains four more security fixes, including a mitigation against clipboard attacks and a fix for a port-scanning issue. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November, according to the advisory.

On Wednesday, Adobe also published a security advisory for Flash Creative Suite 3 Professional, warning of a potential flaw that allows an attack using malformed SWF files. Flash Creative Suite 4, released on Wednesday, and Flash Player products, are not affected by this issue.

Tom Espiner of ZDNet UK reported from London.