Adobe promises fix for webcam-spying Flash bug

Aboukhadijeh Flash setting clickjack

Some technology flaws don’t go away—they just get a Band-Aid applied to them that eventually falls off. Adobe says it is working on a fix to an Adobe Flash vulnerability that enables attackers to trick Flash users into turning on their microphone and/or webcams, potentially enabling attackers to visually spy on them, overhear and record conversations, and obtain sensitive information. However, unlike most zero-day Flash exploits, this one doesn’t involve the Flash plug-in itself: instead, it uses interface obfuscation techniques to get users to unwittingly change their Flash player settings using a Shockwave Flash file hosted by Adobe itself.

Re-discovered by Stanford computer science student Feross Aboukhadijeh, the attack works by loading Adobe’s own Flash Player Settings Manager directly from Adobe, then using CSS, JavaScript, or other techniques to hide most of the interface and encourage users to click in locations that will enable Flash access to a user’s webcam or microphone. The attack relies on trickery and social engineering to get users to click in the right locations, rather than exploiting a bug in the plug-in or the Flash Player Settings Manager.

The technique is similar to a webcam settings attack that surfaced back in 2008; however, in that case attackers were loading the Flash Player Settings file into an iframe (essentially, a sub-region of a Web page that can be treated like a separate page), and using trickery to get users to click the settings options there. Adobe changed their settings file so it couldn’t be loaded in an iframe, but Aboukhadijeh realized that wasn’t actually necessary: just load the settings manager directly from Adobe, and you bypass Adobe’s anti-framing JavaScript code.

Aboukhadijeh reported the problem to Adobe, and apparently received no response. However, after disclosing the problem publicly Adobe has contacted Aboukhadijeh and said they are working on a fix that will not require an update to the Flash Player. As a result, Adobe likely won’t issue a security bulletin about the vulnerability. According to CNet, Adobe says a fix could be deployed by the end of the week.

Adobe has long been criticized for using a Shockwave Flash file on its own servers to enable user control of users’ settings on their local machines. Computer security experts and privacy advocates have also noted it makes the process of monitoring and clearing “Flash cookies”—also known as Local Shared Objects—considerably more complicated than it needs to be.


Despite serious security flaws, D-Link will (again) not patch some routers

D-Link revealed that it won't patch six router models despite warnings raised by a security researcher. The manufacturer, for the second time in a span of about a year, cited end-of-life policies for its decision to not act.

Protecting your PDF with a password isn't difficult. Just follow these steps

If you need to learn how to password protect a PDF, you have come to the right place. This guide will walk you through the process of protecting your documents step by step, whether you're running a MacOS or Windows machine.

Adobe Premiere Rush CC is the cloud-based video editing app you've been waiting for

On stage at Adobe MAX 2018, Adobe announced its cloud-centric, social video-editing application, Adobe Premiere Rush CC. We took some time to put it through its paces to see what it offers, how it works, and what's missing.

Adobe’s Premiere Rush is a video-editing app designed for social media projects

At Adobe MAX 2018, Adobe unveiled updates across the board for all of its Creative Cloud apps, from the release of Premiere Rush CC, a social-focused video editor, to Project Gemini, a digital drawing and painting tool.

Core i9s and Threadrippers are all powerful, but should you go AMD or Intel?

The battle for the top prosumer CPUs in the world is on. In this head to head, we pit the Core i9 versus the Threadripper to see which is the best when it comes to maximizing multi-core performance on a single chip.

Apple’s latest feature ensures MacOS apps are safer than ever

MacOS is mythically known for being more immune to viruses than Windows, but that doesn't mean there isn't room to make it safer. Apple is using an app notarization feature to protect users from downloading malicious apps.
Product Review

Dell’s G3 Gaming laptop knows what gamers want, and what they can live without

Compromise and budget gaming laptops go hand-in-hand, but with the G3, Dell has figured out how to balance what gamers want with what they can live without.

There’s now proof that quantum computing is superior to the classical variety

For the first time in computer science history, researchers have tangibly demonstrated how a quantum computer is better than a classical computer. A quantum computer was able to solve a math problem that a classical PC cannot.

In 2018, the rivalry between AMD and Intel has become more interesting than ever

When it comes to selecting a CPU for your PC, there's no shortage of chips for you to choose from. With Ryzen, Threadripper, and Core i9 CPUs though, the AMD vs. Intel argument is muddier than ever.

Will Apple introduce a new MacBook at its Oct. 30 event? Here's everything we know

Whether it's called the MacBook Air or just the MacBook, Apple is highly rumored to introduce a new, affordable laptop in 2018. We discuss reports about upgrading displays, processors, sign-in features, and more.

Apple CEO demands Bloomberg retract its Chinese surveillance story

Apple CEO Tim Cook is calling on Bloomberg to retract a story alleging that Apple had purchased compromised servers that allowed the Chinese government to spy on Apple. Apple's investigation found no truth to the story.
Product Review

Amid a new fleet of budget laptops, the ZenBook 13 sails where others sink

It’s never been truer that you don’t need to spend over a thousand bucks to buy a good laptop. The ZenBook 13 takes we’ve always loved about its predecessor and makes enough small refinements to keep it ahead of its competitors.

Protect your digital identity with these four easy steps to online anonymity

You don't have to be a secret agent or a notorious hacktivist to care about anonymity. Consult this guide to learn tips, tricks, and best practices for staying anonymous and keeping your online activity private

Gaming on a laptop has never been better. These are your best options

Gaming desktops are powerful, but they tie you down to your desk. For those of us who prefer a more mobile experience, here are the best gaming laptops on the market, ranging from budget machines to maxed-out, wallet-emptying PCs.