Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering workarounds that customers and IT administrators can use to deal with the flaw until it releases a Flash Player patch before the end of October.

“We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.”

And since prevention is better than the cure, at least in the short term, the just-released NoScript v1.8.2.1 aims to prove exactly that with its ClearClick feature:

“The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.”
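A simplified model of the kind of check the ClearClick description above outlines, as an added example that is not NoScript's code: the layer list, the field names (`embedded`, `hitTest`, `opacity`) and the 0.9 threshold are assumptions, and only the clicked point is tested rather than the whole element.

```javascript
// Added illustration: a simplified model of a ClearClick-style check.
// Not NoScript's code; the layer format and threshold are assumptions.
const MIN_OPACITY = 0.9; // assumed: below this the target counts as disguised

// True if point (x, y) falls inside the layer's rectangle.
function contains(layer, x, y) {
  return x >= layer.x && x < layer.x + layer.w &&
         y >= layer.y && y < layer.y + layer.h;
}

// Decide whether a click at (x, y) may go through.
// layers: painted back-to-front; each has a rect, opacity, `embedded`
// (frame/plugin content) and `hitTest` (false = click passes through it).
function checkClick(layers, x, y) {
  const hit = layers.filter(l => contains(l, x, y));
  // The click lands on the topmost layer that accepts pointer input.
  const targetIdx = hit.map(l => l.hitTest).lastIndexOf(true);
  if (targetIdx === -1) return { allow: true, reason: "no target" };
  const target = hit[targetIdx];
  // Only interactions with embedded content are policed.
  if (!target.embedded) return { allow: true, reason: "not embedded" };
  if (target.opacity < MIN_OPACITY)
    return { allow: false, reason: "transparent target", target: target.id };
  // Anything visible painted above the target hides what is being clicked.
  const cover = hit.slice(targetIdx + 1).find(l => l.opacity > 0);
  if (cover)
    return { allow: false, reason: "obstructed by " + cover.id, target: target.id };
  return { allow: true, reason: "target in clear" };
}

// Constructed sample layers (not taken from any real page).
const decoy = { id: "decoy-button", x: 0, y: 0, w: 300, h: 100, opacity: 1, embedded: false, hitTest: true };
const hiddenFrame = { id: "embedded-frame", x: 0, y: 0, w: 300, h: 100, opacity: 0, embedded: true, hitTest: true };
const overlay = { id: "banner", x: 0, y: 0, w: 300, h: 50, opacity: 1, embedded: false, hitTest: false };
const plainFrame = { ...hiddenFrame, id: "video-frame", opacity: 1 };

console.log(checkClick([decoy, hiddenFrame], 150, 40));  // blocked: transparent target
console.log(checkClick([plainFrame, overlay], 150, 40)); // blocked: obstructed by banner
console.log(checkClick([plainFrame, overlay], 150, 80)); // allowed: target in clear
```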

Click in the clear, and make sure you’re not susceptible to exploitation through last quarter’s security vulnerabilities.

[Source: zdnet]