Aharonovsky's demonstration used clickjacking tactics to reset Adobe's Flash privacy settings, and turn on the computer's webcam and microphone for remote spying. Serious stuff.
Adobe's already posted an advisory for the issue, though, with a workaround, while promising a fix before the end of October.
To prevent this potential issue, customers can change their Flash Player settings as follows:
- Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
- Select the "Always deny" button.
- Select "Confirm" in the resulting dialog.
- Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.
Hansen has posted a list of 12 different clickjacking scenarios on his blog. He poked at Aharonovsky somewhat, saying the PoC was a "careless disclosure." He also said:
As I said earlier, it's not an extension I'd ask the general public to use, but for those who are willing to put up with the extra work, it's great protection, until the browser developers come up with a proper fix.
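The "proper fix" from browser developers that Hansen alludes to eventually took the form of two server-sent controls that tell a browser whether a page may be placed in a frame at all: the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the article, Adobe, or Hansen: a small checker that takes a response's headers (constructed sample inputs are used below) and reports which anti-framing control, if any, a site is relying on. The header and directive names are the real ones; the verdict labels and function names are this example's own.

```python
"""Classify a site's clickjacking (framing) protection from its response headers.

Added example, not part of the original article. Two controls are checked:
  * Content-Security-Policy: frame-ancestors ...  (the modern, authoritative one;
    browsers that understand it ignore X-Frame-Options when both are present)
  * X-Frame-Options: DENY | SAMEORIGIN           (the older header; ALLOW-FROM is
    obsolete and not honoured by current browsers)
"""


def parse_csp(value):
    """Return {directive_name: [source tokens]} for one CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers):
    """Return (level, detail) describing the framing protection in `headers`.

    `headers` maps header name -> value (string) or -> list of values when the
    same header was sent more than once. Names are matched case-insensitively.

    level is one of:
      "csp"  - a frame-ancestors directive is present; detail lists its sources
      "xfo"  - only X-Frame-Options DENY/SAMEORIGIN; detail is that value
      "weak" - X-Frame-Options carries an obsolete/unsupported value (ALLOW-FROM)
      "none" - neither control is present
    """
    lower = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        lower.setdefault(name.lower(), []).extend(values)

    # Every CSP header sent is enforced, so frame-ancestors in any one of them counts.
    for csp_value in lower.get("content-security-policy", []):
        directives = parse_csp(csp_value)
        if "frame-ancestors" in directives:
            return ("csp", directives["frame-ancestors"])

    xfo_values = lower.get("x-frame-options", [])
    xfo = xfo_values[0].strip() if xfo_values else ""
    if xfo.upper() in ("DENY", "SAMEORIGIN"):
        return ("xfo", xfo.upper())
    if xfo:
        return ("weak", xfo)
    return ("none", "")


if __name__ == "__main__":
    # Constructed sample header sets, not captured from any real site.
    samples = {
        "no protection": {"Content-Type": "text/html"},
        "legacy header only": {"X-Frame-Options": "DENY"},
        "obsolete ALLOW-FROM": {"x-frame-options": "ALLOW-FROM https://partner.example"},
        "csp wins over xfo": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "SAMEORIGIN",
        },
    }
    for label, hdrs in samples.items():
        print(f"{label:22s} -> {framing_protection(hdrs)}")
```

A site that returns "none" can be embedded invisibly in an attacker's page, which is the precondition every scenario in Hansen's list depends on; "weak" means the header is present but the ALLOW-FROM form is not enforced by modern browsers, so it should be treated as no protection.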