A security flaw in Adobe Flash allowed websites to take control of webcams and microphones.
On Thursday, Adobe said that it had resolved a nasty Mac-only "clickjacking" issue with Adobe Flash that allowed websites to access a visitor’s webcam without permission. The company said the problem actually resided within the Flash Player Settings Manager SWF file hosted on the Adobe website. No further details were released, other than that neither user intervention nor a Flash Player product update is required.
The exploit was first exposed on Tuesday by researcher and Stanford computer science major Feross Aboukhadijeh. He discovered that webcam and microphone abduction could be performed using a variation of the normal clickjacking technique. He reportedly told Adobe about the gaping hole after it was first discovered, but once a few weeks had passed without any kind of response, he decided to bring the exploit out in the open to force Adobe's hand.
Looks like it worked.
"I stumbled upon this blog post entitled 'Malicious camera spying using ClickJacking' where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams," Feross said on Tuesday. "He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working."
"But alas, the same attack is actually still possible," he added. "Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!"
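A defensive check for the gap described above, as an added example that is not from the article, Feross or Adobe: framebusting script protects only the HTML document that contains it, so a resource that can be framed directly, such as the SWF, needs its own framing restriction in the response headers. The hostnames, paths and header values are constructed.

```javascript
// Added example: report resources that a third-party page could load in a frame.
// Hostnames, paths and header values below are constructed for illustration.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify one response: 'deny', 'same-origin', 'allow-list' or 'unrestricted'.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers use it instead of X-Frame-Options.
    if (ancestors.length === 0 || ancestors.every((s) => s === "'none'")) return 'deny';
    if (ancestors.every((s) => s === "'self'")) return 'same-origin';
    return 'allow-list'; // explicit origins: review the list by hand
  }
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing header, or obsolete ALLOW-FROM that current browsers ignore.
  return 'unrestricted';
}

// URLs of responses that carry no framing restriction at all.
function auditFraming(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === 'unrestricted')
    .map((r) => r.url);
}

// Constructed responses: the HTML pages are protected, the bare SWF is not.
const SAMPLE = [
  { url: 'https://settings.example/manager.html', headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://settings.example/manager.swf',
    headers: { 'Content-Type': 'application/x-shockwave-flash' } },
  { url: 'https://settings.example/help.html',
    headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
];

console.log(auditFraming(SAMPLE));
```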
But now there's nothing to fear, Mac users: Adobe has supposedly fixed the problem. Still, for those interested in how the webcam kidnapping worked, Feross has provided a 5-minute demonstration, as seen below.
Just a myth Apple started. In fact, they are somewhat less secure than Windows. Most Mac users don't have an antivirus installed, not to mention Macs are shipped with their firewall off. The reason for few virus infections on Mac is because of how small they are compared to Windows users.
Funny to hear Apple fans say that Macs don't get viruses though
Do Mac users still say that? People also used to say the Earth was flat.
It is a myth. In a way they are more secure, but only because there are simply fewer people making viruses for them, and fewer users to spread those viruses.
And yes, Macs used to ship without the firewalls turned on, but I believe that has changed now. At least, the firewalls were turned on on the 7 Mac Pros I set up this past week at work.
But anyway, at least Adobe is working on it.
Yup. I know quite a lot of people (most of whom are my peers) who prefer Macs over PC and claim Macs don't have viruses...
I guess, though it seems as though Mac exploits can be extremely lethal. Invasion of privacy through a webcam is pretty extreme for exploits, not to mention the exploding battery exploit. They still seem unlikely to spread and become common issues.
Halcyon, STOP defending Mac users. You don't realise you're an exception. Most Mac users ARE ignorant illiterate arrogant stubborn zombies who refuse to understand the fact their favourite fruity company is brainwashing them to believe in their innovation instead of really innovating. Defending them - especially in the manner you do - makes you look like a fool, and from all your posts in our home thread I know you aren't, so I don't see why you have to do this.
Yeah if you believe all that, there is no hope for you, but you're probably too busy playing Angry Birds on your iPhone to even read this, much less understand how technology actually works.
btw: He says it doesn't work "on most browsers on Windows". Does that mean it works on at least one?
Accessing the webcam is actually less extreme than an exploit that allows you to hijack a computer. (Which is the goal of most exploits)
The exploding battery exploit was a myth. Nobody actually managed to blow up a battery by modifying the firmware.
this isn't about mac, this is about adobe flash compromising your system (whichever platform it may be).
good thing (unless it opens up another flash vulnerability) adobe solved the issue.
i still can't change flash player preferences and the cache options always reset to default.
i hope html5 kicks flash's ass.
Looks like it worked.
lol serves adobe right.
no, the setting was always on adobe website, but a few months ago they added that setting to the control panel also.
we're hating on Macs (because it's fun, among other more important things) and not on Media Access Control.
People still say the earth is flat....
http://theflatearthsociety.org/cms/