
Adobe to fix Flash webcam vulnerability


Adobe is working on a fix for a vulnerability in its Flash software that can allow an attacker to use a victim's computer webcam or microphone to spy on him or her.

But users may not need to download a patch, as tech site CNET quoted Adobe spokesperson Wiebke Lips as saying the problem lies in the Flash Player Settings Manager on Adobe's servers and not on users' computers.

"Engineering is currently working on a fix ... Note that this issue does not involve/require a product update and/or customer action. ... It's a fix we are making on our end online, and it is going to be pushed live as soon as QA [quality assurance] has completed their testing," she said in an e-mail to CNET.

Feross Aboukhadijeh, a Stanford University computer science student, had made the vulnerability public in a blog post.

"It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers ... There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux)," he said.

He said an attacker can secretly set the Adobe Flash Settings Manager page to enable users’ webcams or microphones, by putting the settings SWF file into an iframe and making it invisible.

All the attacker has to do next is to fool unsuspecting users into playing a little online game and unwittingly enabling their webcams.

"I reported this vulnerability to Adobe a few weeks ago through the Stanford Security Lab. It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly," he said.

"Adobe has to get on this one QUICK ... Everyone should make sure they have the Post-IT note defense fully deployed," CNET quoted Jeremiah Grossman, chief technology officer at Whitehat Security, as saying.

The "Post-IT note defense" is a technique of covering the Web camera lens with a scrap of paper. — TJD, GMA News
