Clickjacking, reporters

I’ve written on this before, so I’ll just post a reminder here about how reporters may not always be accurate… PCWorld puts it this way today:

Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe’s multimedia software including bugs that could allow hackers to pull off what’s known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

Actually, David wrote nothing of the sort, as you can confirm by following the link which PCWorld (thankfully!) supplied. This is not a security flaw in Flash; there is not a “Flash bug” to fix.

The changes in Player 10 just prevent the browser’s existing and unpatched clickjacking flaws from affecting the Flash cam/mic dialog. David doesn’t go into details, but it’s something like Player calling out beyond the browser to the operating system to make sure Flash’s pixels are actually displayed, and the browser isn’t letting something else slide in on top to hide the dialog.

Clickjacking is a browser flaw. It is not addressed. (NoScript addresses some implementations but seems a stopgap.) Adobe took the lead in recognizing the issue, and bringing it to the attention of the browser vendors. Adobe has also mitigated the damage the browsers’ clickjacking problems can cause for Flash. But that’s it — the core problem still exists.

I’m glad that Adobe folks recognized the issue early, worked collaboratively on it, and have the first minimizations of the exploit path. But I’m not glad that reporters are saying it’s a Flash issue, just because other reporters said it was a Flash issue.

In Player 10, the permissions dialog for the webcam can’t be hidden by some other browser element, so you can’t be fooled into clicking on it. This will soon be rolled into Player 9, too, for those who need it. That’s all we did. Until the browsers can assure that what you click is what you think you click, and until websites assure that they’re not hosting untrustworthy third-party content, clickjacking in general will still be an issue. Flash is incidental to this whole clickjack story, not its focus.

(That PCWorld article is requesting material from google-analytics.com, quantserve.com, doubleclick.net, yimg.com, digg.com, industrybrains.com, pricegrabber.com, on24.com, and 2mdn.com. The ad networks among them receive files from strangers. Third-party requests like these are not only possible infection vectors for a clickjacking attack, but also enable cross-site surveillance through IP logging. Both browser makers and website owners have work to do to disable clickjacking.)

3 Responses to Clickjacking, reporters

  1. John Dowdell says:

    A reporter at CNET gets it wrong too:
    “Adobe Systems has addressed a security flaw in its Flash Player products that could lead to ‘clickjacking’ attacks. Flash Player 10, released on Wednesday, includes a fix for the clickjacking vulnerability… Clickjacking attacks take advantage of vulnerabilities in Adobe Flash Player 9.0.124.0 and earlier, as well as vulnerabilities in browsers such as Internet Explorer, Opera, Firefox and Safari… The Flash Player 10 update also helps prevent a clickjacking attack on a user’s Webcam and microphone, according to an Adobe security advisory. This variant of the attack could allow eavesdropping.”
    Oh, wait… it’s actually a ZDNet reporter, who is re-syndicated into CNET. These people are earning proprietary advertising revenue from repeating wrong things to the public.
    Recap: The “clickjack fix” in Player 10 simply prevents the webcam from being abused through existing browser flaws. Those browser flaws still exist. Their use against Flash was a side-issue.
    jd/adobe

  2. Robert McMillan says:

    Hey John, I wrote the PC World story you mention here. Why don’t you drop me a line? I would love to just once have someone technical at Adobe talk to me about security issues *before* I file a story. It hasn’t happened yet, but maybe you can help me out.
    [jd sez: Hi Robert, thanks for the interest. I rarely have the full story until the advisories come out either. I know the Security team here doesn’t have a press-relations person, but I’ll pass your request to them and the PR staff itself, thanks.]

  3. Robert McMillan says:

    Thanks man. Appreciated.