Does this exploit cope with the piece of black insulating tape stuck over the webcam?
A security flaw thought to have been fixed by Adobe in October 2011 has reappeared thanks to a new vulnerability involving Flash Player browser plug-ins. The as yet unpatched vulnerability creates a means to seize control of webcams without permission before siphoning off video and audio from victims' PCs. The clickjack-style …
Why don't laptop manufacturers all:
1. Have a little plastic door which slides across the front of the webcam; and
2. Combine this with a switch which isolates the microphone (directly in the signal path, not via the CPU)
Problem solved in 99% of cases.
Just my 2¢, which is approximately what this would cost to implement.
>"Well done, X. We didn't have that yet. It's one small webcam for each man, one giant leap for electronic surveillance."
I'm thinking the reply would actually be along the lines of:
"Is that it? We've had that for years, Adobe is an American company after all, we got them to put a back door in.
Keep me informed if it turns out this is the back door being discovered rather than a bug."
Lighten up! That's a classic "The Register" comment from a few years ago that I like to post on any security related article. It emphasises the point that it is popular things that get hacked, not buggy things. For years MS were held up as being crap with security because of bad design or poor programming. Now Google are popular we're starting to see that it's nothing to do with how well you design or code something and all to do with how much hackers want to hack you.
In ten years MS will be nowhere, Google will be the new, incumbent monopoly abusing mega corporation and some new company will have all the tech fan boys salivating. The more things change....
"The article doesn't state that this exploit is limited to chrome on windows, though it most certainly won't work on my Mac. (Because chrome isn't available for it.)"
Oh yeah? Strange, as when I wander along to the official Chrome download link via Safari it seems to recognise my Hackintosh box and offers me the latest version of Chrome for OSX!
There are not only PPC but also Intel Macs still running OS 10.5 Leopard, and even 10.4 Tiger. Chrome won't work on those either as it requires OS 10.6 minimum.
Fortunately, however, many of those Macs are still vulnerable to the Java exploit that must be manually dealt with in older OS versions. So while users may not get the exhibitionist enjoyment of being secretly voyeured via webcam, they can still look forward to other forms of clandestine computer control :-D
But it's not an MS exploit, it's an Adobe Flash exploit. Flash still runs on GNU/Linux when using Chrome.
GNU/Linux has exploits too (which is why we get kernel updates etc). Almost all beyond trivial "Hello World" programs will have exploits.
A PC is only as secure as the monkey who configured it.
That said, I do prefer GNU/Linux. That is partly personal preference, partly the fact I enjoy freedom and partly because I want to keep off the enforced upgrade-cycle. I can't afford a new PC every couple of years.
As for webcams....
1) They should have a physical cover; and
2) They should have an indicator light hard-wired to the webcam power and beyond software control (cam is on? That light is on, no way to bypass without a soldering iron).
Let's make it much easier:
1. Use GNU Linux or *BSD, always check for and install updates whenever those are available (just click on that red button!)
2. Make sure to have flashblock, adblock plugins and turn off java plugin on the browser (not only is it a matter of security but also a threat of getting annoyed by stupid ads)
3. I prefer Firefox, it has a noscript plugin. Elinks, w3m, lynx and other text browsers still make a lot of sense.
"Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft."
Because Microsoft software is ubiquitous! Not difficult to understand is it?
Why waste your time trying to attack a platform with a handful of users (in comparison).
People don't need to stop using MS products. They need to realise that everyone out there is trying to get your cash, and if you're stupid enough to ignore a threat, you deserve to be hit.
Platform has F-all to do with it. If OSX was the ubiquitous OS, OSX would be hit just as hard.
W O W. Never thought that one through! Hardly surprising, I encounter this every day from 100s of people.
No, I refuse to use sarcasm tags, even when people like you make it so, so obvious that they are needed.
This is an article about a bug with Flash on Chrome. MS don't make either product.
To be fair, I often post ill thought out rants on the register if I'm having a shit day. Can I suggest a dinner time beverage? It may make the afternoon less fraught.
I just switched back to Mozilla Firefox, prompted by diabolical Flash performance and the fact that Chrome was bloated beyond belief. I still had the same flash problem on FF, unable to even play 420p youtube videos smoothly, until I happened upon the solution of disabling protected mode in Flash (disabling hardware acceleration made no difference). Thankfully I'm sensible when it comes to NoScript permissions, but I would hesitate when it comes to a non-technical user's system.
Although I have no problem watching flash videos in Firefox or Chromium and html5 performance is better than that of flashplayer, 720/1080p on both the older and low end hardware, I'd still recommend watching videos with a video player. I use mplayer or vlc. Try watching youtube videos in vlc.
Right, so unpack, disassemble and hack the 'on camera' firmware - and somehow bypass Microsoft's codesigning checks, and flash a new copy - just to disable the LED?
Security is my strong point actually, and we are heading into the world of fantasy for effort required versus result versus number of target users...
And as far as I am aware, this vulnerability doesn't let you do things like flash USB device firmware...
"Because the dialogues are on the same page as the adversary's code, they can overlay things, make it opaque, and so on, to effectively hide the dialogue warning."
Surely you would have to then click the warning dialog box to accept before they had access to your webcam, or is Adobe saying they let them have access then they put up a warning dialog box to tell you it's already happening?
If the warning can be made transparent, you can design your page so that the warning shows up lined up over a checkbox that the user is going to click anyway - instead of clicking "I agree to the terms and conditions", the user is actually clicking on the (transparent) Adobe permission box/button.
Which is precisely why I objected to the change in computing thinking to the always-on computer and consequent vulnerabilities. Of course there was the miserable failure of "sleep" in the good old Windows system or worse "hibernate" which they assured us would take care of any possible ills. So we should have written our OWN platforms, back in the early days...nvm.