=====================================================================
CERT-Renater Information Note No. 2008/VULN408
_____________________________________________________________________

DATE                 : 08/10/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Adobe Flash Player versions
                       9.0.124.0 and earlier.
======================================================================

http://www.adobe.com/support/security/advisories/apsa08-08.html
______________________________________________________________________

Flash Player workaround available for "Clickjacking" issue

Release date: October 7, 2008
Vulnerability identifier: APSA08-08
Platform: All Platforms
Affected Software: Adobe Flash Player 9.0.124.0 and earlier

Summary

Adobe is aware of recently published reports of a "Clickjacking" issue in
multiple web browsers that could allow an attacker to lure a web browser
user into unknowingly clicking on a link or dialog. It has been determined
that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe
is working to address this issue in an upcoming update to Flash Player.

Solution

Customers:

To prevent this potential issue, customers can change their Flash Player
settings as follows:

1. Access the Global Privacy Settings panel of the Adobe Flash Player
   Settings Manager at the following URL:
   http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the "Always deny" button.
3. Select "Confirm" in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and/or
   microphone access after changing this setting. Customers who wish to
   allow certain sites access to their camera and/or microphone can
   selectively allow access to certain sites via the Website Privacy
   Settings panel of the Settings Manager at the following URL:
   http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html
IT Administrators:

IT Administrators can change the AVHardwareDisable value in client mms.cfg
files from 0 to 1 to disable client Flash Player camera and microphone
interactions. For more information on the mms.cfg file and
AVHardwareDisable, please refer to page 57 of the Adobe Flash Player
Administration Guide:
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide/flash_player_admin_guide.pdf#page=57

Adobe is working to address the issue in an upcoming Flash Player update,
scheduled for release before the end of October. Further details will be
published on the Adobe Security Bulletin page at
http://www.adobe.com/support/security. Additionally, all documented
security vulnerabilities and their solutions are distributed through the
Adobe security notification service. You can sign up for the service at
the following URL:
http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may
also monitor the latest information on the Adobe Product Security Incident
Response Team blog at the following URL: http://blogs.adobe.com/psirt

Severity Rating

Adobe categorizes this as a critical issue.

Acknowledgments

Adobe would like to thank Robert Hansen of SecTheory and Jeremiah Grossman
of WhiteHat Security, Eduardo Vela, Matthew Mastracci of DotSpots, and Liu
Die Yu for reporting this vulnerability and for working with us to help
protect our customers' security.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41      +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================
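The IT-administrator workaround above (setting AVHardwareDisable from 0 to 1 in client mms.cfg files) is the kind of change an administrator wants to audit across a fleet rather than edit by hand. The following is an added example, not code from CERT-Renater or Adobe: it parses the text of an mms.cfg file, reports whether the workaround is applied, and returns a hardened copy. It assumes mms.cfg is a plain text file of one `key=value` pair per line with `#` starting a comment line, treats key names case-insensitively, and takes the file contents as a string because the file's location is platform dependent and not given in the note. The sample file contents are constructed for the example.

```python
"""Audit and harden AVHardwareDisable in an Adobe Flash Player mms.cfg file.

Added example (not from the CERT-Renater note or Adobe). Assumptions: mms.cfg
holds one key=value pair per line, '#' begins a comment line, and key names
are matched case-insensitively. The functions take the file text, not a path.
"""
import re

# Constructed sample mms.cfg contents with the pre-workaround value.
SAMPLE_CFG_WEAK = (
    "# Flash Player administrative settings (constructed sample)\n"
    "AutoUpdateDisable=0\n"
    "AVHardwareDisable=0\n"
)

KEY = "AVHardwareDisable"
# key = value, tolerating surrounding whitespace; comment lines never match
# because '#' is not a key character.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_mms_cfg(text):
    """Return a dict of key -> value, skipping blank and comment lines.
    A repeated key keeps its last value (assumption about precedence)."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def av_hardware_disabled(text):
    """True only when AVHardwareDisable is explicitly set to 1.
    An absent key means the workaround is not enforced, so report False."""
    for key, value in parse_mms_cfg(text).items():
        if key.lower() == KEY.lower():
            return value.strip() == "1"
    return False


def harden_mms_cfg(text):
    """Return a copy of the file text with AVHardwareDisable=1.

    Existing AVHardwareDisable lines (any case, any value) are rewritten in
    place so the file keeps its order; if the key is missing, a line is
    appended. Comments and other settings are left untouched."""
    out = []
    found = False
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1).lower() == KEY.lower():
            out.append(f"{KEY}=1")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{KEY}=1")
    return "\n".join(out) + "\n"


def audit_report(text):
    """One-line finding suitable for a fleet-wide audit log."""
    if av_hardware_disabled(text):
        return "OK: camera/microphone access disabled (AVHardwareDisable=1)"
    return "FINDING: AVHardwareDisable is not 1; APSA08-08 workaround not applied"


if __name__ == "__main__":
    print(audit_report(SAMPLE_CFG_WEAK))
    hardened = harden_mms_cfg(SAMPLE_CFG_WEAK)
    print(hardened)
    print(audit_report(hardened))
```

In practice, `harden_mms_cfg` would be fed the contents read from each client's mms.cfg and its result written back, after which `av_hardware_disabled` confirms the change; rewriting the key in place rather than appending a second line avoids leaving a contradictory `AVHardwareDisable=0` earlier in the file.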