Possible clickjacking security flaws in Adobe software

I received this email — sent to a “bcc” distribution list — from Tom Brennan, organizer of the OWASP 2008 conference next week in New York. OWASP is the Open Web Application Security Project.

The contents of the email are interesting and provocative enough to share them verbatim. (I’m not associated with the conference.) You can read more about clickjacking on Jeremiah’s blog.


Subject: Microsoft/Adobe Researcher Talk @ OWASP

Below is a email from Robert Hansen concerning himself and Jeremiah Grossman of WhiteHat Security, being suppressed from speaking about a critical information security flaw that has been discovered and they had planned to uncover and discuss at the OWASP Security Conference event on 9/24.

As the OWASP event organizer, this critical issue does deserve your attention. I am sure if your browser, video and microphone was taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat. Well this is in fact the situation described below and I believe that a information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone.

Read below from the security researchers and speakers, you can contact me or the researchers below for more information.

BTW — This is not the only security person that will be providing breaking research, however this is the 1st that has been told not to talk about it thus far.


—–Original Message—–
From: Robert Hansen
Sent: Monday, September 15, 2008 3:07 PM
To: Tom Brennan
Cc: Jeremiah Grossman
Subject: Clickjacking speech

Hello, Tom. I’m sorry to say, Jeremiah and I will have to pull our talk from the World OWASP conference. It turns out that the issue Jeremiah and I found expands over many different browsers and different vendors. Although clickjacking in some way or another has been known for a while as a possible attack vector, it was poorly documented and poorly researched. Not until recently did we begin doing research into other things it allows, and only then did we figure out exactly how dangerous it potentially was. Unfortunately we found this information out only days ago.

Even initially Jeremiah and I had a visceral reaction to our findings — and not much makes security guys cringe, which made us think it was a talk worth giving. Being concerned researchers, we contacted Adobe to warn them about one issue that affected them and their users. Although we didn’t believe it was their fault, they felt obliged to issue a patch, rather than rely on browser vendors. Only later did we realize we had found a separate flaw in their software. Successively we found other flaws in other software as a result of that research. It was a snowball effect.

Adobe asked us for more time, and we obliged. It’s good news for them, but unfortunately it means we won’t be able to do our speech. It was never our intention to harm any one vendor, but rather to show a problem in browser architecture as it stands today. So although Adobe’s request was unexpected, given our initial tenant, we feel obliged to honor it. We’ve been in contact with two browser vendors (Microsoft and Mozilla) and explained the problem. There may be small short term patches that will mitigate parts of the problem, but a better solution is probably not in the cards for the near future given the complexity of the issues involved.

During our communications with browser vendors it was initially thought to be a stand-alone problem that only affected Adobe, but after further analysis everyone concluded it is a more generic attack that may break some security measures put in place by websites. Users who want to protect themselves from the immediate issue need to disable scripting and plugins within the browsers, but because most users won’t know how to do this, we had to give Adobe some time to issue a patch. While that’s not a great solution, it’s the best we can offer at the moment. While the exploits we found are not the end of the internet, we felt it was best to work with the vendors and give them time to issue patches before releasing our speech to the security community.

We are obviously disappointed that we can’t deliver our speech, but we thought a neutered speech that left out critical details would diminish the message. And the message is — it’s pretty bad. If you or any of the other conference organizers have any additional questions feel free to contact either Jeremiah or I. Adobe’s PSIRT team also said that they would field questions at email hidden; JavaScript is required. I’m truly sorry!

Robert Hansen, CISSP
CEO — SecTheory LLC

Z Trek Copyright (c) Alan Zeichick