RSS feedsAdobe has issued a security alert about its Flash software that is vulnerable to a practice known as 'clickjacking'.
Clickjacking involves subverting a web page so that when a visitor clicks on a link they are redirected to a site the hacker wants them to see. It is a variant of cross-site scripting attacks but appears to be more serious.
Details of the attack were due to be published at the OWASP NYC AppSec 2008 Conference but the talk was withheld at Adobe's request until a workaround could be developed.
Jeremiah Grossman, co-founder of Whitehat Security, and one of the researchers who uncovered the technique, said in a blog posting: "Let's be clear. The responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider.
"Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions in case the others don't do enough or anything at all."
Grossman warned that almost all browsers are vulnerable because of the way they process graphics, and only text-based browsers like Lynx are secure.
The researcher has demonstrated how a hacked Flash advert could be used to take control of a computer's webcam and microphone, for example, turning it into a surveillance device.
"With clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily," he said.
The US Computer Emergency Response Team has also issued a warning on the practice, and browser manufacturers are scrambling to come up with a method of defeating the attacks.
