A Flash vulnerability in Google Chrome could allow a hacker to seize control of a target’s computer webcam using an exploit discovered by a Russian security researcher. Although Adobe patched the so-called “clickjacking” flaw in Flash in 2011, it can still be abused in the Chrome implementation of Flash Player.
An attacker can take advantage of the “camjacking” flaw by displaying a transparent Flash image over the webcam control function, Infosecurity Magazine explained. A user would click “OK” on what appeared to be a dialog box, for instance, but he or she would actually be activating the webcam.
“[T]his works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel,” Russian security researcher Egor Homakov, who developed a proof-of-concept exploit for the vulnerability, wrote on his blog. “Voila, attacker sees and hears you.”
An Adobe spokesperson acknowledged the flaw in an email exchange with The Register but explained that responsibility for patching it fell on Google. The regular version of Flash patched the issue two years ago.
“This vulnerability affects users on Flash Player installed with Google Chrome,” Adobe security spokeswoman Heather Edell told the publication. “Google is working to resolve the issue and plans to provide a fix this week.”
The vulnerability is the first test to see if Google can meet its own recent suggestion that vendors address active security exploits in their products within seven days, The Register noted. The company claimed in a blog post that software manufacturers should attempt to respond to vulnerabilities that are already being targeted with greater alacrity.
Given Google’s tight deadline suggestion, many vendors may find it valuable to avoid such incidents by strengthening security in the development process. One area many organizations overlook is the potential for third-party code – such as an outdated version of Flash – to introduce its own vulnerabilities to a program. With tools such as static analysis software, developers can identify flaws in third-party and proprietary code as they build their products, minimizing the danger of software security exploits.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.