Header Ziff Davis Enterprise
Thursday, October 16, 2008 2:07 PM/EST

Flash 10 Fixes Clickjacking Flaw

Not long after "clickjacking" attacks appeared several weeks ago, it became clear that the culprit was Adobe's Flash. And the problem, as we say in the software biz, wasn't a bug, it was a feature. This feature has been modified in the new Flash 10 player to address the problem.

The problem is clipboard access. By default, Flash 9 allowed a Flash program to read and write to the clipboard. Clickjacking attacks took advantage of this to persistently stuff a value, usually a malicious URL, into the clipboard, in the hope the user would visit it. The attack is as cross-platform as Flash, working on Macs as well as Windows.

In Flash 10, the clipboard methods will only work when called from ActionScript that originates with a user action, like pressing a button. No longer will a silent Flash application be able to hijack the clipboard completely without the user noticing.

This change was just one of many security changes in the Flash 10 player. Changes in how Flash handles policy files mean that developers will have to address their use of them. Errors on socket connect() calls will be handled differently. And much as with clipboards, file uploads and downloads may only occur in script that begins with a user action. There are other changes as well.

The flip side of this fix is that it is not implemented in Flash 9. This means that the only way to escape clickjacking attacks is to upgrade to Flash 10.


Comments (1)

Amanda :

Solution from Search-and-destroy.
If you own a computer, you must have antispyware to keep it running at its best. The problem is choosing a scan that works. I have tried many different types of scans in the past and then I ran across Search-and-destroy Antispyware. I have to say that the antispyware solution from Search-and-destroy is the best that I have used to date. It gets the job done and keeps my computer working like new. If you are interested in seeing for yourself just how good this antispyware works you can click on http://www.Search-and-destroy.com/antispyware.html to learn more. I’m sure it would be worth your time to check it out.
