Feross Aboukhadijeh posted a blog post about a vulnerability in Flash that allows for a click jacking attack to turn on the clients camera and microphone. The attack is conceptually similar to the original click jacking attack presented in 2008. Back then Flash adjusted the control panel.
Update: Adobe fixed the problem. The fix does not require any patches for client side code. Instead, adobe modified the control page and applet that users load from Adobe's servers.
Details from Adobe: http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html
Defending Web Applications Security Essentials - SANS Silicon Valley - Cupertino 2020
Oct 21st 2011
8 years ago