About a day before this post, a new security vulnerability was discovered in Adobe Flash Player that causes Flash to switch on the webcam (if available). Of course, you have to visit a website running the compromised code.
At risk are all versions of Flash released so far (Flash Player 11 is the latest build). The exploit works (for now) on OS X in Safari and Firefox. Windows browsers may be safe, along with Google Chrome, because of a bug affecting opacity within CSS files. Wow! Imagine being saved by bad protocol.
Attackers exploit the bug by using a form of “clickjacking”, where clicks on a seemingly innocuous webpage launch malicious functions. All you script kiddies have to do is hide the camera settings within an invisible iframe. Once launched, the clicks activating the webcam are hidden behind clicks in a simple Flash game!
But there’s a catch: for now, the only page that allows an attack to work is the Adobe-hosted “Websites Privacy Settings Panel” that controls the webcam and mic security settings. So all Adobe has to do is fix how this page works, something it’s working to do immediately.
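
The attack above depends on the settings page being loadable inside another site's frame. As an added example (not code from Adobe or from the original post), this JavaScript check reads a response's headers and reports whether an arbitrary third-party origin could frame it; the function names and sample responses are constructed for illustration, and it assumes at most one Content-Security-Policy policy per response.

```javascript
// Added example: report whether a response lets an arbitrary third-party
// origin embed it in a frame, the precondition for the overlay described above.
// Assumption: at most one Content-Security-Policy policy per response.

function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when it is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map(s => s.toLowerCase());
  }
  return null;
}

function framingPolicy(headers) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const fa = frameAncestors(h['content-security-policy'] || '');
  if (fa !== null) {
    // When present, frame-ancestors is used instead of X-Frame-Options.
    const open = fa.some(s => s === '*' || s === 'http:' || s === 'https:');
    return { frameable: open, reason: open ? 'csp: scheme or wildcard source' : 'csp: restricted ancestors' };
  }

  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map(s => s.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].filter(v => xfo.has(v));
  // Browsers following the HTML specification block on conflicting values.
  if (xfo.has('deny') || (xfo.size > 1 && known.length > 0))
    return { frameable: false, reason: 'x-frame-options: deny or conflicting values' };
  if (xfo.has('sameorigin'))
    return { frameable: false, reason: 'x-frame-options: sameorigin' };
  // ALLOW-FROM and unknown tokens are not enforced by current browsers.
  return { frameable: true, reason: xfo.size ? 'x-frame-options: no enforceable restriction' : 'no framing restriction' };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  'no headers': {},
  'legacy allow-from': { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  'csp none': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
for (const [label, hdrs] of Object.entries(samples)) {
  console.log(label, framingPolicy(hdrs));
}
```

A `frameable: true` result only means the server places no restriction on framing; whether a given page is actually exposed also depends on what its clicks can trigger.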