(LiveHacking.Com) – Adobe has made changes to the Flash Player Settings Manager SWF file hosted on the Adobe website in response to a vulnerability that allowed any website to turn on your webcam and microphone without your knowledge or consent.
Feross Aboukhadijeh, a Stanford University computer science student, found that a maliciously crafted web page could use the vulnerability for a “clickjacking” attack that activated the webcam and microphone, allowing a remote attacker to spy on the victim.
The attack loads the Flash Player Settings Manager SWF file into an iframe and makes it invisible using CSS. The unsuspecting user then plays a little game and unwittingly enables their webcam.
The fix applied by Adobe requires no user action or Flash Player product update.
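The attack described above only works if the target content can be loaded inside another site's iframe. As an added example (not from the original article, and not a description of Adobe's fix), this JavaScript function inspects a response's `X-Frame-Options` and CSP `frame-ancestors` headers to tell whether a given page could frame it. The function name, origins and header sets are constructed, and the check is simplified to the immediate embedder with exact-origin or `*` matching.

```javascript
// Added example: decide whether embedderOrigin may frame a response served
// from resourceOrigin, based on the response's anti-framing headers.
// Assumptions: only the immediate embedder is checked, and frame-ancestors
// sources are matched by exact origin, 'self' or "*".
function canBeFramed(headers, resourceOrigin, embedderOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When CSP frame-ancestors is present it takes precedence over
  // X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    // 'none' (or an empty list) matches nothing, so framing is refused.
    return sources.some(
      (s) =>
        s === "*" ||
        (s === "'self'" && embedderOrigin === resourceOrigin) ||
        s === embedderOrigin.toLowerCase()
    );
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === resourceOrigin;
  // No header, or the obsolete ALLOW-FROM value: nothing stops framing.
  return true;
}

// Constructed sample: a settings page and an unrelated page that embeds it.
const SETTINGS = "https://settings.example";
const GAME = "https://game.example";
const SAMPLE_RESPONSES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "X-Frame-Options": "DENY" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
};
for (const [name, hdrs] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, "framable by", GAME, "->", canBeFramed(hdrs, SETTINGS, GAME));
}
```

A response that returns `true` for an untrusted embedder can be placed in an invisible iframe, which is the precondition for clickjacking.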