Adobe promises fix for webcam-spying Flash bug


Some technology flaws don’t go away—they just get a Band-Aid applied to them that eventually falls off. Adobe says it is working on a fix to an Adobe Flash vulnerability that enables attackers to trick Flash users into turning on their microphone and/or webcams, potentially enabling attackers to visually spy on them, overhear and record conversations, and obtain sensitive information. However, unlike most zero-day Flash exploits, this one doesn’t involve the Flash plug-in itself: instead, it uses interface obfuscation techniques to get users to unwittingly change their Flash player settings using a Shockwave Flash file hosted by Adobe itself.

Re-discovered by Stanford computer science student Feross Aboukhadijeh, the attack works by loading Adobe’s own Flash Player Settings Manager directly from Adobe, then using CSS, JavaScript, or other techniques to hide most of the interface and encourage users to click in locations that will enable Flash access to a user’s webcam or microphone. The attack relies on trickery and social engineering to get users to click in the right locations, rather than exploiting a bug in the plug-in or the Flash Player Settings Manager.

The technique is similar to a webcam settings attack that surfaced back in 2008; however, in that case attackers were loading the Flash Player Settings file into an iframe (essentially, a sub-region of a Web page that can be treated like a separate page), and using trickery to get users to click the settings options there. Adobe changed their settings file so it couldn’t be loaded in an iframe, but Aboukhadijeh realized that wasn’t actually necessary: just load the settings manager directly from Adobe, and you bypass Adobe’s anti-framing JavaScript code.
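From the defender's side, the lesson is that framing protection has to be attached to every response that can be requested on its own, not only to the page that wraps it. The sketch below is an added example, not code from Adobe or from Aboukhadijeh, and it goes beyond the article by checking header-level controls (X-Frame-Options and CSP frame-ancestors) rather than anti-framing JavaScript; the hosts, the `scriptFramebuster` field and the sample responses are constructed assumptions.

```javascript
// Added example. Header names are real; hosts and responses are constructed.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors overrides X-Frame-Options when both are present.
  for (const directive of (h["content-security-policy"] || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    if (sources.length === 0 || sources.join() === "'none'") return "deny";
    if (sources.includes("*")) return "any";
    return sources.every((s) => s === "'self'") ? "sameorigin" : "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "sameorigin";
  return "any"; // absent, or obsolete ALLOW-FROM, which current browsers ignore
}

// Every URL that can be requested on its own needs its own policy: a script in
// the wrapper page does nothing for the file the wrapper embeds.
function auditDirectlyFramable(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === "any")
    .map((r) => ({
      url: r.url,
      reason: r.scriptFramebuster ? "script-only frame-busting" : "no framing protection",
    }));
}

// Constructed sample: a wrapper page, the file it embeds, and two variants.
const SAMPLE = [
  { url: "https://settings.example/manager.html", scriptFramebuster: true,
    headers: { "Content-Type": "text/html" } },
  { url: "https://settings.example/manager.swf", scriptFramebuster: false,
    headers: { "Content-Type": "application/x-shockwave-flash" } },
  { url: "https://settings.example/hardened.swf", scriptFramebuster: false,
    headers: { "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
               "X-Frame-Options": "SAMEORIGIN" } },
  { url: "https://settings.example/legacy.html", scriptFramebuster: false,
    headers: { "X-Frame-Options": "ALLOW-FROM https://partner.example" } },
];

for (const f of auditDirectlyFramable(SAMPLE)) console.log(`${f.url}: ${f.reason}`);
```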

Aboukhadijeh reported the problem to Adobe, and apparently received no response. However, after he disclosed the problem publicly, Adobe contacted Aboukhadijeh and said it is working on a fix that will not require an update to the Flash Player. As a result, Adobe likely won’t issue a security bulletin about the vulnerability. According to CNet, Adobe says a fix could be deployed by the end of the week.

Adobe has long been criticized for using a Shockwave Flash file on its own servers to enable user control of users’ settings on their local machines. Computer security experts and privacy advocates have also noted it makes the process of monitoring and clearing “Flash cookies”—also known as Local Shared Objects—considerably more complicated than it needs to be.

