Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick


Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering solutions for customers and IT administrators on dealing with the flaw until it releases a Flash Player patch before the end of October.

"We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory."

And since prevention is better than the cure -- at least in the short term -- the just-released NoScript v1.8.2.1 aims to prove exactly that with its ClearClick feature:

"The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs."

Click in the clear, and make sure you're not susceptible to exploitation through last quarter's security vulnerabilities.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

9 comments
  • Requires Firefox plugin

    Are you afraid of offending Microsoft or just being <strike>unhelpful</strike> hurried?

    To use the only available cure right now requires adding the plugin you mention -- NoScript 1.8.2.1 -- to your Firefox browser. There is no fix for Internet Explorer, Opera, etc.
    bbaston1
    • NoScript

      I got FF3 on download day, and NoScript a few weeks later. FF3+NoScript ROCKS! Not only is FF3 noticeably MUCH faster than any IE incantation, but the NoScript effectively blocks a ton of annoying advertisements. I also like the native spell checker within FF3. I also figured out how FingerFox is used correctly with the fingerprint reader. This was the only thing that kept me using IE. I wish the FingerFox add-on had clearer instructions for use--I would have switched to FF a lot sooner than I did.
      riggy001
  • RE: Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

    "ClearClick, because if you don't use it terrorists can come flying out of your butt; you will be forced to sit down with Iran WITHOUT preconditions; your hair will fall out; your dog won't like you; you may be forced to buy TOXIC mortgage backed securities; and your feet will stink."

    I don't like the Fear sale, or couldn't you tell?

    Michael
    MarkTend.com
    http://marktend.com
    michael_kassing
    • I like Harvey Bardel better

      your schtick needs some work
      zmud
  • RE: Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

    Well, at least there is a workaround for the Adobe Flash clickjacking flaw you can implement.
    As for bashing Microsoft, Opera or other internet browsers, I wish that Microsoft, Opera or other developers of internet browsers would allow 3rd parties to develop add-ons and extensions to the main browser to assist or solve problems of the main browser. This clickjacking needs to be fixed ASAP because, like the DNS flaw, it won't stay in the can long and the malware writers will start their attack on us, the users of the internet. They will not care if Microsoft, Opera or other internet browsers have fixed this issue or not and we need to be ready before those attacks come.
    However, this problem is really going back to the HTML specification, which they are trying to update, but they need to implement a patch or extension before this happens.
    phatkat
  • Opensource power

    Yet another perfect example of how Open Source software is the right choice. Go go NoScript / Firefox!

    I'm sure Microsoft will release some kind of security fix for clickjack sometime in 2009...
    waltmaine
  • Opensource power

    Yet another perfect example of how Open Source software is the right choice. Go go NoScript / Firefox!

    I'm sure Microsoft will release some kind of security fix for clickjacking sometime in 2009...
    waltmaine
  • RE: Adobe posts workaround for clickjacking flaw, NoScript releases ClearCl

    um... what kind of nitwit sets their webcam and mic up to spy on themselves if they DON'T want it plastered over the internet. Didn't Stark Effect (stark-effect.com, not the physics phenomenon) teach this lesson once and for all?
    Spitduck
  • RE: Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

    I get what you're reporting but just read this sentence from the first paragraph:

    "Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering solutions for customers and IT administrators on dealing with the flaw until they releases a Flash player patch before the end of October."

    Until they releases??
    mikhey