Adobe flash work around for clickjacking

Started by R-C, October 09, 2008, 01:39:38 AM


R-C

http://www.adobe.com/support/security/advisories/apsa08-08.html
Flash Player workaround available for "Clickjacking" issue

Release date: October 7, 2008

Vulnerability identifier: APSA08-08

Platform: All Platforms

Affected Software: Adobe Flash Player 9.0.124.0 and earlier

This is their workaround until they issue a new updated version.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

R-C

If that is in the wrong place, go ahead and move it. I just thought it would be good to have it on this site too, in case anyone missed seeing it on Corrine's blog.

Corrine

Anyone who uses CCleaner needs to adjust their settings if they have this setting checked: CCleaner > Applications > Multimedia > Adobe Flash Player

During the "Analyze" stage, you can see the settings.sol being listed for removal, which would remove the workaround provided by Adobe:

C:\Documents and Settings\%User%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

http://forum.piriform.com/index.php?showtopic=18200


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW

Thanks for the 'heads up', Corrine. I had not noticed that happening. Corrected now.
Win 11 Home MS Edge - WD - Mbam Pro

Temmu

scary.  a cleaner that removes a fix.  not good.  thx for the heads up, corrine!   :rose:

Corrine

http://www.adobe.com/support/security/bulletins/apsb08-18.html

Flash Player update available to address security vulnerabilities
Release date: October 15, 2008
Vulnerability identifier: APSB08-18
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms

This update addresses a potential 'Clickjacking' issue in Flash Player. Clickjacking is an issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This update helps prevent a Clickjacking attack on a Flash Player user's camera and microphone. (CVE-2008-4503)

This update includes further changes to enhance Flash Player's interpretation of cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files. For more information, see the following section of the "Adobe Flash Player 10 Security Changes" Adobe Developer Connection article. (CVE-2007-6243)

This update introduces functionality to further mitigate a potential port-scanning issue. For more information, see the following Adobe Developer Connection article. (CVE-2007-4324)

This update introduces changes to the Clipboard API that will prevent potential 'Clipboard attacks'. For more information, see the following section of the "Adobe Flash Player 10 Security Changes" Adobe Developer Center article. (CVE-2008-3873)

This update introduces changes to the FileReference upload and download APIs to require user interaction. For more information, see the following section of the "Adobe Flash Player 10 Security Changes" Adobe Developer Connection article. (CVE-2008-4401)

Get the Update:  http://www.adobe.com/go/getflashplayer/




R-C


Corrine

Using Firefox with NoScript does though -- as long as you leave the default settings intact except for trusted sites. 

{OT:  I really, really, really dislike the term "malvertisement"}



R-C

I'm sorry, it was the actual title of the article, not my creation. It took me a while when I first started seeing the term to figure out what they were talking about.

Corrine

No need to be sorry, R-C.  I know you didn't coin the term. 

