The problem is in the Flash Player Settings Manager on Adobe’s servers and not with software on customer computers, Adobe spokeswoman Wiebke Lips told CNET today.
“Engineering is currently working on a fix,” she said in an e-mail. “Note that this issue does not involve/require a product update and/or customer action. (In other words, there will not be a security bulletin.) It’s a fix we are making on our end online, and it is going to be pushed live as soon as QA [quality assurance] has completed their testing.”
The vulnerability could be fixed by the end of the week, she said.
The problem was brought to light by Feross Aboukhadijeh, a Stanford University computer science student, in a blog post yesterday that includes a live demo. The attack uses a technique called “clickjacking” that has become popular on sites like Facebook and Twitter. Clickjacking involves hiding code in order to trick people: when they click on an area of the page, they think they are doing something innocuous (indicating they “like” a Facebook post, for instance), but the click actually results in something else happening, such as reposting an update.
In this case, someone could click on a series of buttons, ostensibly as part of a game, and in doing so turn on the camera or microphone without knowing it.
“I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it–let alone a .SWF file as important as one that controls access to your webcam and mic!” he wrote.
“Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off,” he notes. “I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.”
A similar problem arose in 2008, but fixing that issue required Adobe to update its Flash Player software on customer computers, Lips said.
Aboukhadijeh said he reported the problem to Adobe a few weeks ago. But his e-mail was sent to an employee who was on sabbatical and not to the Adobe Product Security Incident Response Team, so Adobe didn’t know about the issue until his blog post came out, according to Lips.
“Adobe has to get on this one QUICK,” said Jeremiah Grossman, chief technology officer at WhiteHat Security, who has been warning about the dangers of clickjacking for several years. “Everyone should make sure they have the Post-IT note defense fully deployed,” he wrote in an e-mail, referring to the technique of covering the Web camera lens with a scrap of paper.